what are the sub keys

Robert J. Hansen rjh at sixdemonbag.org
Tue Mar 22 22:30:56 CET 2011

On 3/22/11 5:22 PM, Jerome Baum wrote:
> So considering  that the "smart card"  argument only makes  sense
> when I generate  on-card,  and considering  that  gpg  wouldn't offer
> RSA-4096 anyway in that case,  how does this make it a bad  idea to
> have RSA-4096 as the (recommended) default?

Simplicity.  Otherwise you get a ton of people screaming, "GnuPG only
lets me generate a 2K key on my smart card!  The default is *4*K!  Why
am I getting only half the bits that GnuPG thinks I need to be safe?!"

And yes, those questions would occur.  Lots.  In order to reduce
confusion, 2K keys seem to be the best bet.  They are safe enough for
the overwhelming majority of users, are the most compatible with
embedded devices, and cause the least confusion.

> Obviously, if  I am not using  a smart card  and doing other stuff
> on a device  that can't cope  with RSA-4096  keys, then  I am
> probably smart enough to ignore the default, right?

This is a rudely-phrased question.  I either have to grant that you are,
or have to say that you're not smart enough to ignore the default.

I am going to ignore this question and tell you: unless you need 30+
years of security, use the defaults.  They're defaults for a reason:
they're perfectly sufficient for the overwhelming majority of uses.
Stop trying to justify putting an additional foot of height on your
10,000-foot fence, and start thinking about the folks who are trying to
tunnel underneath it.

And honestly, that's all that I have to say on this.

More information about the Gnupg-users mailing list