2048 or 4096 for new keys? aka defaults vs. Debian

Robert J. Hansen rjh at sixdemonbag.org
Sun Oct 27 07:42:31 CET 2013


> Often there is also value in breaking crypto so that the targeted
> crypto users don't know it has been broken and thus continue to use
> it (the algorithm and/or the specific key). If a big government
> organization (take your pick) had broken algorithm/keysize xyz, would
> they tell anybody?

Hard to say.  Quite possibly, yes, they'd tell the entire world.  Take
AES as an example: if AES had a serious flaw that could be exploited to
recover ciphertext, it's quite possible the people who discovered it
would decide the risk to the world's financial systems from keeping it
secret far outweighed any benefit that might be had.

As a real-world example, look at the history of SHA.  The original SHA
(just called SHA, although sometimes [inaccurately] called SHA-0) was
designed by the NSA and published as a government standard in 1993.  In
1995 the NSA announced there were flaws in SHA and issued a new
standard, SHA-1, that addressed these problems.  The NSA never went
public with the precise vulnerability in SHA that caused them to develop
and release SHA-1, but they were quite open and public about SHA being
insecure and needing to be replaced as soon as possible.
