riseup.net OpenPGP Best Practices article

Pete Stephenson pete at heypete.com
Tue Jun 24 11:42:33 CEST 2014

On 6/24/2014 8:47 AM, Werner Koch wrote:
> On Tue, 24 Jun 2014 05:55, frase at frase.id.au said:
>> rounds today.  Quite a lot of good info, especially regarding key
>> strength and expiry, and digest preferences.
> Just for the records: _I_ do not consider the use of a 4096 bit RSA key
> and a preference for SHA-512 a best practice.  For a secure system it is
> important to make the system stronger and not parts of the system which
> will never be attacked in real life.  Granted, there are users with a
> need for non default algorithms, but those users have the resources to
> develop a security policy which fits their use case.

I also generally agree that the default key size is a sensible choice
for most users.

I would think that adversaries will not try breaking the crypto at all:
there are plenty of alternatives, from keyloggers to compelling the sender
or recipient (through legal means or otherwise) to decrypt the message,
that require considerably fewer resources. ObXKCD: http://xkcd.com/538/

That said, is there any particular reason for avoiding SHA-2?

There's been discussion in the past regarding some other OpenPGP
software not playing nicely with SHA-512, with recommendations to not
use SHA-512. Is that still an issue? I've not run into any issues, but
that's merely an anecdote.

Would SHA-256 be a better (in the context of being more compatible)
choice if one preferred using a non-SHA-1 hash?

> How does a 4096 key help if I can send you an encrypted mail which
> will lock up your MUA until you kill it (unless your MUA has some kind
> of timeout mechanism).  There are more important things to be made
> stronger than the key size.

Absolutely. Obviously, using a too-weak key (e.g. 512-bit RSA) is a
problem, but key size is not an issue with the defaults.

