Can you clarify when data compression is used?

Robert J. Hansen rjh at sixdemonbag.org
Tue Feb 5 06:12:02 CET 2008


Kevin Hilton wrote:
> In the same vein, aren't key sizes larger than 1024
> bits actually now recommended?

As I understand it, it's largely due to engineering concerns rather than
mathematical concerns.

The RFC which specifies the OpenPGP protocol first came out in 1998.  It
began to receive revisions almost immediately (the -bis series:
RFC2440bis1, RFC2440bis2, etc.).  These -bis series were meant as
previews of the next official RFC, whenever it would be published.

However, the original RFC remained canonical.  That specified DSA-1024.
In order to closely follow the RFC, GnuPG left the default as DSA-1024.
This was probably the right call to make for interoperability reasons.

As an example of what happens when people decide to move beyond the RFC,
look at PGP 7.0.  Management at PGP Security decided that Twofish was
the likely winner of the AES competition, and so they put Twofish into
PGP.  This put pressure on GnuPG to put Twofish into GnuPG, in order to
interoperate with PGP.

Twofish is almost entirely abandoned nowadays, but it still exists in
PGP and GnuPG.  Once a bad decision is made in engineering, the
engineers are stuck supporting it forever.  Take a look through the
archives sometime and see how many people have bitterly complained about
TIGER192 no longer being supported, despite the fact it was part of
GnuPG for about three and a half milliseconds.

I suspect--although I do not know--that a similar motivation drove
GnuPG's decision to leave DSA-1024 as the standard.

Now that RFC4880 has come out, supplanting RFC2440, I imagine the way is
clear to make all new keys DSA-2048 or DSA-3072.  After all, now it's
part of the standard.



