RSA 4096 ridiculous?
brian at briansmith.org
Wed Jun 20 14:32:03 CEST 2007
Werner Koch wrote:
> > It took me infinitely longer to type the pass-phrase for the signing
> > than it took to actually create the sigs which seemed to be almost
> > instantaneous. Timing the signing is sort of ridiculous
> That is true for your desktop box. However, for small
> devices like PDAs a 4k RSA key is a lot of work. The problem
> might not be the generation or verification of a single
> signature but some of us have hundreds of signatures on
> their key and checking them all will take a lot of time.
The software only needs to verify the signatures that are going to
affect the trust of the key. For a lot of people this will usually be a
very small number (0 or 1). Even if a key has hundreds of signatures, it
is unlikely that the user has (a) installed those hundreds of keys onto
the device, and (b) granted key-signing trust to more than a few of
None of the mobile phones I tried had any trouble using RSA 4096 to
encrypt or decrypt a 16 byte key. If the phone has a JVM and/or a web
browser, RSA 4096 and AES should be no problem.