Is ECC ready and increase the default RSA key size to 3072 bits?

Dirk Gottschalk dirk.gottschalk1980 at
Thu Apr 25 13:50:34 CEST 2019


Am Donnerstag, den 25.04.2019, 08:42 +0200 schrieb Bernhard Reiter:
> Am Freitag 19 April 2019 15:50:13 schrieb Daniel Kahn Gillmor:
> > GnuPG master already defaults RSA keys to 3072 bits,
> > I agree that it makes sense to do this on the 2.2 branch.

> FWIW I also agree to switch the default.
> It matches modern recommendations for mid/long term security, 
> e.g. from 

> This is even when considering the FAQ linked
> from

Yes, we should switch for sure. I am using Keys with 4096 bit keys for
a longer while, now. AFAIR since GPG supports it. I even would prefer
this to be the default.

> > Will GnuPG ever support RSA-3072 or RSA-4096 by default?
> > Probably not. 
> > Every minute we spend arguing about whether we should change the
> > defaults to RSA-3072 or more is one minute the shift to ECC is
> > delayed. 

> Is ECC ready to be the default?
> My estimation is: It is not, and then we should switch the default to
> RSA3072 until it is.

I am concerned that such a default switch would break the compatiblity
to many running foreign implementations of OpenPGP. On my side I am not
using ECC for two reasons. The first is, the card does noit support the
curve I would prefer. The second an more important one is that some of
my communicationd partners use another implementations, or use Apps on
their mobiles for email which don't support ECC. Openkeychain, for
example, does not support ECC, or it did not. I didn't test it for a
while and did not look into it's documentation while writing this

> My estimation is based on:
> * There are some GNU/Linux LTS distros in use that still have GnuPG
> 2.0   (E.g. Jessie, but probably others. Could be examined)
> * Ed25519 and Curve25519 are not in an agreed standard (as 4880bis is
> not ready and probably won't be for a while) While I blieve it is
> okay to move forward, other implementations may not be because of the
> missing standard. Example: OpenPGPjs just has a young implementation
> (Dec 2018 saw a major security release version 4.3.0)

A default switch would not be a problem if it would not break the
compatiblity itself as the other key types are still there. But users
who did not dig deeper into this topic often use the defaults.

I think we should establish the standard for ECC in OpenPGP first and
then wait a while before switching to ECC as default.

Dirk Gottschalk
Ardennenstrasse 25
52076 Aachen, Germany

GPG: 4278 1FCA 035A 9A63 4166  CE11 7544 0AD9 4996 F380

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part
URL: <>

More information about the Gnupg-devel mailing list