Problems using 10kbit keys in GnuPG instead of 4kbit keys

Werner Koch wk at gnupg.org
Tue Sep 10 11:07:12 CEST 2013


On Mon,  9 Sep 2013 21:41, pete at heypete.com said:

> Werner would change the hard-coded maximum keysize from the current
> 4096 to, say 8192 (or 15,360 or 16,384) bits so that users who desired

As of now I see no reason at all to lift this limit.  It is there for a
good reason, namely making crypto accessible to all people.

There are several problems with overlong encryption keys, to name just
two:

 - If you use an 8k encryption key you should also use an 8k primary
   certification key because that is the key which is used to keep the
   parts of an OpenPGP keyblob together.  Without that it is easy to
   slip in another encryption key.  Now, 8k RSA signatures are a pain in
   the registers.  It takes too long to verify the hundreds of
   signatures people have on their keyrings - even on fast machines.

 - Some MUAs decrypt messages on the fly while you are browsing through
   all the new mails - if that takes too long due to the many 8k keys,
   it makes the MUA unusable.

But thank you, Ole, that you trust our coding capabilities more than the
strong math of a 2K RSA key.  I am not sure whether this is justified,
though.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.
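An added benchmark (my own example, not code from this message or from GnuPG) that puts numbers on the cost gap Werner describes: one modular exponentiation with the usual public exponent 65537 (what a signature verification costs) versus one with a full-length private exponent (what a decryption costs), on random odd moduli standing in for 2k, 4k and 8k RSA keys, then projected across a keyring carrying a few hundred signatures. The moduli and exponents are constructed for timing only and are not real keys; the key sizes, round counts and the 500-signature keyring are assumptions.

```python
import random
import time
from statistics import median

# Constructed benchmark inputs: random odd moduli stand in for RSA keys
# (timing only, these are not real keys); 65537 is the common public exponent.
PUBLIC_EXPONENT = 65537
KEY_SIZES = (2048, 4096, 8192)


def _modexp_seconds(base: int, exp: int, mod: int, rounds: int) -> float:
    """Median wall-clock seconds for one modular exponentiation."""
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter()
        pow(base, exp, mod)
        samples.append(time.perf_counter() - t0)
    return median(samples)


def benchmark(sizes=KEY_SIZES, rounds: int = 7, seed: int = 1) -> dict:
    """Return {bits: (verify_seconds, private_op_seconds)}.

    verify  : 17-bit public exponent, cost grows roughly with bits^2
    private : full-length exponent, cost grows roughly with bits^3
    """
    rng = random.Random(seed)
    results = {}
    for bits in sizes:
        n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # odd, full length
        d = rng.getrandbits(bits) | (1 << (bits - 1))       # full-length exponent
        m = rng.getrandbits(bits - 1)                       # "message" below n
        verify = _modexp_seconds(m, PUBLIC_EXPONENT, n, rounds)
        private = _modexp_seconds(m, d, n, max(1, rounds // 3))
        results[bits] = (verify, private)
    return results


def keyring_verify_seconds(results: dict, signatures: int = 500) -> dict:
    """Projected seconds to verify `signatures` signatures per key size."""
    return {bits: v * signatures for bits, (v, _) in results.items()}


if __name__ == "__main__":
    res = benchmark()
    for bits, (v, p) in res.items():
        print(f"{bits:5d}-bit: verify {v * 1e3:8.3f} ms   private op {p * 1e3:9.2f} ms")
    for bits, secs in keyring_verify_seconds(res).items():
        print(f"{bits:5d}-bit: 500 signatures -> {secs:6.2f} s")
```

The private-operation column is what an MUA pays per message when decrypting on the fly, and the verify column multiplied by the keyring size is the cost Werner's first point refers to.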
