SSH Agent keys >4096 bit?

Peter Lebbing peter at
Sat May 5 13:09:48 CEST 2012

On 05/05/12 12:49, Milo wrote:
> 1) You are responding to citation regarding symmetric crypto with
> widely used key length.

Well, it's not my fault someone else went off-topic, is it? If you are
here to persuade the GnuPG authors to include AES256 you're too late.

I think you can perfectly discern what message I was intending to get

> 2) Proponents of approach you are commenting on gave some arguments
> here already. If not sure check thread and other sources.

I am very well aware of that. They don't convince, because they don't
tackle the problem of the weakest link.

>>> One more time - this is not up to you or software authors to
>>> decide what's the value behind encrypted data. Even if reason of
>>> encrypting it is silly.
>> I don't think it's up to you to decide that the GnuPG authors need
>> to officially support something they find silly.
> This is open discussion about free software's value and (expected by 
> some) functionality. Discussion and judging on value of private data
> is something totally different you know.

Please read these three quotes again carefully. You are saying you
yourself are off-topic; discussing something totally different. I agree.

> I'm not forgetting about this. But you are forgetting you are using 
> symmetric crypto with 256-bit key length (e.g. HTTPS) and you don't
> have any problem with this "security overkill" (but yes - symmetric
> ciphers are computationally cheaper to use).

GnuPG should include 8k RSA because I didn't go through the trouble of
disabling AES256 in my browser, risking breakage when an oddball
webserver administrator disables all algorithms but AES256?

You also indicate yourself where this goes askew: RSA 8k is immensely
more CPU intensive than AES256 v AES128.

>> It's an interesting take on things, that the GnuPG authors somehow
>> think your data must be invaluable, because they don't offer 8k
>> RSA.
> This is your flawed conclusion.

I was replying to:
>> One more time - this is not up to you or software authors to decide
>> what's the value behind encrypted data.

I read that as: GnuPG authors decide your data is not valuable enough
for RSA 8k. I'm unsure how else to read it, but it certainly isn't /my/
conclusion, it's what I read as /your/ conclusion. Please don't make it
my conclusion, I would have to severely disagree with myself, and I hate
it when that happens.

A large error I made: I wrote invaluable when I meant not valuable at
all. Is this the source of the confusion?


I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at
