what are the sub keys
Robert J. Hansen
rjh at sixdemonbag.org
Tue Mar 22 22:30:56 CET 2011
On 3/22/11 5:22 PM, Jerome Baum wrote:
> So considering that the "smart card" argument only makes sense
> when I generate on-card, and considering that gpg wouldn't offer
> RSA-4096 anyway in that case, how does this make it a bad idea to
> have RSA-4096 as the (recommended) default?
Simplicity. Otherwise you get a ton of people screaming, "GnuPG only
lets me generate a 2K key on my smart card! The default is *4*K! Why
am I getting only half the bits that GnuPG thinks I need to be safe?!"
And yes, those questions would occur. Lots. In order to reduce
confusion, 2K keys seem to be the best bet. They are safe enough for
the overwhelming majority of users, are the most compatible with
embedded devices, and cause the least confusion.
> Obviously, if I am not using a smart card and doing other stuff
> on a device that can't cope with RSA-4096 keys, then I am
> probably smart enough to ignore the default, right?
This is a rudely-phrased question. I either have to grant that you are,
or have to say that you're not smart enough to ignore the default.
I am going to ignore this question and tell you: unless you need 30+
years of security, use the defaults. They're defaults for a reason:
they're perfectly sufficient for the overwhelming majority of uses.
Stop trying to justify putting an additional foot of height on your
10,000-foot fence, and start thinking about the folks who are trying to
tunnel underneath it.
And honestly, that's all that I have to say on this.
More information about the Gnupg-users