Draft of nine new FAQ questions

David Shaw dshaw at jabberwocky.com
Wed May 23 23:40:03 CEST 2012 

On May 23, 2012, at 4:45 PM, Robert J. Hansen wrote:

> I don't want to seem argumentative (especially because I haven't looked
> at the RFC lately), but I was under the impression the RFC was mostly
> silent on the subject of algorithms and key sizes -- DSA being a MUST
> algorithm, but little guidance beyond that.  Am I in error?

The fact that RSA can have different key sizes is clearly stated, since you need that information to interoperate, and that's what I was referring to.  I don't mean to say that one of the several reasons GnuPG supports 4096-bit keys is because the OpenPGP spec says they are better.  I mean to say that one of the several reasons GnuPG supports 4096-bit keys is because the OpenPGP spec says they *exist* (there is some implementation art here - we don't support 8192-bit keys even though they obviously exist as well).

The way you stated it in the revised FAQ covers this very well.

The standard is indeed mostly silent on the topic on why you would *want* to pick a particular key size over a different key size.  That is appropriate for a message format document - it's not really taking sides.  Pretty much all it says is to be careful and notes that 4096 was the common limit at publication time:

 * OpenPGP does not put limits on the size of public keys.  However,
       larger keys are not necessarily better keys.  Larger keys take
       more computation time to use, and this can quickly become
       impractical.  Different OpenPGP implementations may also use
       different upper bounds for public key sizes, and so care should
       be taken when choosing sizes to maintain interoperability.  As of
       2007 most implementations have an upper bound of 4096 bits.

>> For #10, it might be worth mentioning something about the use of
>> different hash lengths (q) for the different DSA sizes.  The two sort
>> of go hand in hand.  Or for that matter, perhaps a question #11 "How
>> come my signatures from my 2048-bit DSA key use a different hash than
>> those from my 1024-bit DSA key?" would be interesting.
> 
> Added.

Excellent.  One note on the new text - it states that 2048-bit DSA keys use a 224-bit hash.  In fact, a 2048-bit DSA key can use either 224 or 256-bit hashes.  GnuPG uses 256 here (but will of course accept a 224 generated elsewhere), so we're either using 160 or 256 unless someone forces 224 by picking an odd DSA key size like 1536.

David

More information about the Gnupg-users mailing list