riseup.net OpenPGP Best Practices article

David Shaw dshaw at jabberwocky.com
Fri Jun 27 21:44:47 CEST 2014


On Jun 27, 2014, at 6:45 AM, Viktar Siarheichyk <vics at eq.by> wrote:

> On 26.06.2014 23:28, Paul R. Ramer wrote:
>> On June 26, 2014 8:26:16 AM PDT, Daniel Kahn Gillmor
>> <dkg at fifthhorseman.net> wrote:
>> 
>>> As for arguments about use on smartcards -- if you plan to get a 
>>> smartcard, and you have a primary key that is too large for it, you
>>> can always generate and publish new subkeys that will fit in your 
>>> smartcard. If that's the tradeoff that seems the most secure for
>>> you, that's fine, and the fact that you were using stronger keys in
>>> your non-smartcard implementation doesn't hurt you at all.
>>> Smartcards are not a good reason to object to larger keysizes for
>>> people who don't use smartcards.
>> 
>> Actually, it is for those of us who prefer smartcards.  I was once a
>> newbie trying to use a smartcard. Repeated emphasis on having only a
>> 4k key can create the impression that a smartcard is not strong
>> enough, that it is weaker because it can only go up to 3072 bits
>> (depending on the card).
>> 
>> The reason for me to have a smartcard was to physically separate the
>> key from the computer.  Using a key that is too large for the
>> smartcard does not fit my purpose for having one.
> 
> I got an FSFE Fellowship card and an OpenPGP SmartCard V2 from
> kernelconcepts.de (both were received early this year) and they both
> happily support 4096-bit keys. I do not know about YubiKey NEO "an
> experimental OpenPGP applet" though.

My understanding is that the YubiKey Neo applet supports up to 2048-bit RSA.  Thus there are some keys that will work with the V2 SmartCard but not on the Neo.

I do admire the Neo form factor though.

David



