SSH Agent keys >4096 bit?

Milo gnupg at
Sat May 5 13:46:54 CEST 2012

On 05/05/2012 01:09 PM, Peter Lebbing wrote:
> On 05/05/12 12:49, Milo wrote:
>> 1) You are responding to citation regarding symmetric crypto with
>> widely used key length.
> (...)
>>>> One more time - this is not up to you or software authors to
>>>> decide what's the value behind encrypted data. Even if reason of
>>>> encrypting it is silly.
>>> I don't think it's up to you to decide that the GnuPG authors need
>>> to officially support something they find silly.
>> This is open discussion about free software's value and (expected by 
>> some) functionality. Discussion and judging on value of private data
>> is something totally different you know.
> Please read these three quotes again carefully. You are saying you
> yourself are off-topic; discussing something totally different. I agree.

No. The discussion was at some point about reasons for using strong crypto.
And at some point the idea appeared that it's not worth using it against data
which has no value. My point is you are not in a position to say
what the value is of the data someone is encrypting. You weren't reading
carefully enough to see this and you are suggesting to me that I'm trying
to force GnuPG authors to do something which is - almost offensive -
rubbish. This is a discussion, Peter, nothing else.

>> I'm not forgetting about this. But you are forgetting you are using 
>> symmetric crypto with 256-bit key length (e.g. HTTPS) and you don't
>> have any problem with this "security overkill" (but yes - symmetric
>> ciphers are computationally cheaper to use).
> GnuPG should include 8k RSA because I didn't go through the trouble of
> disabling AES256 in my browser, risking breakage when an oddball
> webserver administrator disables all algorithms but AES256?

Overall I agree with this, but "disabling all stuff but AES256" is a
silly and overdrawn attempt to devalue my statement.

> You also indicate yourself where this goes askew: RSA 8k is immensely
> more CPU intensive than AES256 v AES128.

If you can't afford this "immense" expense - don't use 8k RSA.

>>> It's an interesting take on things, that the GnuPG authors somehow
>>> think your data must be invaluable, because they don't offer 8k
>>> RSA.
>> This is your flawed conclusion.
> I was replying to:
>>> One more time - this is not up to you or software authors to decide
>>> what's the value behind encrypted data.
> I read that as: GnuPG authors decide your data is not valuable enough
> for RSA 8k. I'm unsure how else to read it, but it certainly isn't /my/
> conclusion, it's what I read as /your/ conclusion. Please don't make it
> my conclusion, I would have to severely disagree with myself, and I hate
> it when that happens.

You are following the idea that people who are using strong crypto for things
which are, in your opinion, worthless aren't serious.

Looks like at best you replied to piece of thread without knowing its

There is a difference between your overdrawn (again) interpretation that
all this data is without value in the eyes of the GnuPG authors. I'm just saying
that it's not for them to evaluate the value of this data. Simple as this.

And yes - by using extremely cheap rhetoric tricks you made this opinion
yours. I'm really sorry because of you but this is not my problem.

> A large error I made: I wrote invaluable when I meant not valuable at
> all. Is this the source of the confusion?

As above.

> Peter.

At some point the discussion was quite constructive but it's not anymore.

