Defaults

Damien Goutte-Gattat dgouttegattat at incenp.org
Tue Mar 17 23:53:42 CET 2015


On 03/17/2015 08:44 PM, Robert J. Hansen wrote:
> Given that 2.1 introduces a lot of new capabilities (mostly with respect
> to ECC), I think now, early on in the 2.1 series, would be a good time
> to discuss changing the defaults for newly-generated certificates.

Some of the defaults you propose are already there. If I look at a 
freshly generated key pair with GnuPG 2.1, the default preferred 
algorithms are:

Cipher: AES256, AES192, AES, 3DES
Digest: SHA256, SHA384, SHA512, SHA224, SHA1

So, AES256 is already the default symmetric cipher (CAST5 and IDEA are 
not even in the list and must both be explicitly requested by the user), 
and SHA256 is already the default hash algorithm.


> 	* Use SHA256 for RSA-3072/-4096 signatures and SHA512
> 	  for Brainpool-512

Do you mean signatures in general, or key signatures (certifications)? 
For key signatures, SHA-1 is still the default for RSA keys, but 
signatures on (EC)DSA keys will use up to SHA-512 depending on the key 
size (SHA-256 for a Brainpool-256 key, SHA-512 for a BrainpoolP512 key).
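The preference lists quoted above matter because OpenPGP negotiates one algorithm that every recipient accepts; the following is an added illustration, not code from the post or from GnuPG, and it assumes the RFC 4880 rules that 3DES and SHA-1 are implicitly present at the end of every cipher and hash preference list, plus a simplified "first entry of the first list accepted by all" selection rule.

```python
# Added example: negotiate a symmetric cipher or hash across several
# OpenPGP recipients' preference lists. Assumptions (not from the post):
# RFC 4880 implicit fallbacks (3DES for ciphers, SHA1 for hashes) and the
# simplified rule "first entry of the first recipient's list that every
# other recipient also lists".

from typing import List

# Implicit trailing entry that RFC 4880 adds to every preference list.
IMPLICIT = {"cipher": "3DES", "digest": "SHA1"}

# GnuPG 2.1 defaults exactly as quoted in the post above.
GNUPG21_DEFAULTS = {
    "cipher": ["AES256", "AES192", "AES", "3DES"],
    "digest": ["SHA256", "SHA384", "SHA512", "SHA224", "SHA1"],
}


def negotiate(kind: str, prefs: List[List[str]]) -> str:
    """Return the algorithm usable for all recipients.

    kind is "cipher" or "digest"; prefs holds one preference list per
    recipient. The implicit fallback is appended to any list lacking it.
    """
    implicit = IMPLICIT[kind]
    lists = [p + ([] if implicit in p else [implicit]) for p in prefs]
    for algo in lists[0]:
        if all(algo in other for other in lists[1:]):
            return algo
    return implicit  # not reached: the implicit entry is in every list


def weak_fallback(kind: str, prefs: List[List[str]]) -> bool:
    """True when negotiation degrades to the implicit 3DES or SHA1."""
    return negotiate(kind, prefs) == IMPLICIT[kind]


if __name__ == "__main__":
    modern = GNUPG21_DEFAULTS["cipher"]
    legacy = ["CAST5", "IDEA"]  # constructed: an old key that lists no AES
    # A single legacy recipient drags the whole message down to 3DES.
    print(negotiate("cipher", [modern, legacy]))      # 3DES
    print(weak_fallback("cipher", [modern, legacy]))  # True
```

A key whose preferences omit AES entirely forces every multi-recipient message it receives back to 3DES, which is why the defaults discussed in this thread are worth getting right.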
