FAQ change, final draft

Robert J. Hansen rjh at sixdemonbag.org
Mon Aug 11 19:18:33 CEST 2014 

A few weeks ago on -devel I made a proposal for a FAQ change.  So far 
I've received feedback from three people, all of it fairly positive, all 
suggesting mild changes.  The following represents a final draft, which 
I'm now presenting on -users to get the most visibility/feedback.  If 
the community approves, I'll be submitting this to Werner for inclusion 
into the FAQ.

=====

Q: Why does GnuPG default to 2048-bit RSA?
A: At the time the decision was made, 2048-bit RSA was thought to
    provide reasonable security for the next decade or more while still
    being compatible with the overwhelming majority of the OpenPGP
    ecosystem.

Q: Is that still the case?
A: Largely, yes.  According to NIST Special Publication 800-57,
    published in July 2012, 2048-bit RSA is believed safe until 2030.
    At present, no reputable cryptographer or research group has cast
    doubt on the safety of RSA-2048.  That said, many are suggesting
    shifting to larger keys, and GnuPG will be making such a shift in
    the near future.

Q: What do other groups have to say about 2048-bit RSA?
A: In 2014, the German Bundesnetzagentur fuer Elektrizitaet, Gas,
    Telekommunikation, Post und Eisenbahnen recommended using RSA-2048
    for long-term security in electronic signatures.

    In 2012, ECRYPT-II published their "Yearly Report on Algorithms
    and Keysizes" wherein they expressed their belief RSA-1776 will
    suffice until at least 2020, and RSA-2432 until 2030.

    In 2010, France's Agence Nationale de la Securite des Systems
    d'Information stated they had confidence in RSA-2048 until at
    least 2020.

Q: Is there a general recommendation that 3072-bit keys be used for
    new applications?
A: No, although some respected people and groups within the
    cryptographic community have made such recommendations.  Some
    even recommend 4096-bit keys.

Q: Will GnuPG ever support RSA-3072 or RSA-4096 by default?
A: Probably not.  The future is elliptical-curve cryptography,
    which will bring a level of safety comparable to RSA-16384.
    Every minute we spend arguing about whether we should change
    the defaults to RSA-3072 or more is one minute the shift to
    ECC is delayed.  Frankly, we think ECC is a really good idea
    and we'd like to see it deployed as soon as humanly possible.

Q: I think I need larger key sizes.
A: By all means, feel free to generate certificates with larger keys.
    GnuPG supports up to 4096-bit keys.

More information about the Gnupg-users mailing list