RSA key size restriction?

[David Shaw]

On Wed, Dec 10, 2003 at 09:52:11PM +0100, Malte Gell wrote:
> Am Dienstag, 9. Dezember 2003 09:18 schrieb Ludwig Hügelschäfer:
> > Hello,
> >
> >  > Why is the RSA support in GnuPG limited keysizes <= 4096 bits?
> >
> > I think, one should limit the size to reasonable sizes.
> 
> What is a reasonable size? I think a 4096 bit RSA key provides security 
> that may be far beyond what most people need. But think of a 30 year 
> old human rights activist in a dictatorship, "they" may use force to 
> get the information they want, but it may be possible they just collect 
> every encrypted communication and wait until it's feasible to reveal 
> the information and so the life of this person can be endangered 20, 30 
> years later. Can you guarantee that a 4096 bit key will still be safe 
> in 3,4 decades from now? With a 8k or even 16k key the probability 
> would certainly be much higher.
> Though, only very few people may need such security for them it'd be 
> nice to be sure that their information are kept secret as long as they 
> live and beyond... Maybe, such key sizes would be a nice extension for 
> the --expert option :-)

Remember that hiding it behind --expert (and a "Don't do this!"
message) still didn't stop people from generating Elgamal sign+encrypt
keys.  If the key sizes are available under --expert, then people will
inevitably generate them, thinking "bigger must be better".  However,
bigger isn't always better: very large keys are slower, problematic
for signatures (a 16k RSA clear signature is 45 lines long!), and
terrible for compatibility with anything other than GnuPG or hacked
versions of PGP.

Again, if someone generates such a key, GnuPG will work with it.  I
still don't see the need to make it easy to generate them though,
especially given that if someone wanted it badly enough, they can
remove the line of code that prevents it themselves.

David