Defaults
Damien Goutte-Gattat
dgouttegattat at incenp.org
Tue Mar 17 23:53:42 CET 2015
On 03/17/2015 08:44 PM, Robert J. Hansen wrote:
> Given that 2.1 introduces a lot of new capabilities (mostly with respect
> to ECC), I think now, early on in the 2.1 series, would be a good time
> to discuss changing the defaults for newly-generated certificates.

Some of the defaults you propose are already there. If I look at a
freshly generated key pair with GnuPG 2.1, the default preferred
algorithms are:

  Cipher: AES256, AES192, AES, 3DES
  Digest: SHA256, SHA384, SHA512, SHA224, SHA1

So, AES256 is already the default symmetric cipher (CAST5 and IDEA are
not even in the list and must both be explicitly requested by the user),
and SHA256 is already the default hash algorithm.

> * Use SHA256 for RSA-3072/-4096 signatures and SHA512
>   for Brainpool-512

Do you mean signatures in general, or key signatures (certifications)?

For key signatures, SHA-1 is still the default for RSA keys, but
signatures on (EC)DSA keys will use up to SHA-512 depending on the key
size (SHA-256 for a Brainpool-256 key, SHA-512 for a BrainpoolP512 key).
More information about the Gnupg-users
mailing list
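
Added example, not part of the original message and not GnuPG code: a small auditor for a key's preference list like the one quoted above, flagging legacy algorithms ranked ahead of modern ones. It assumes the compact token form (S9, H8, Z2, ...) that gpg prints for the "pref" command in --edit-key; algorithm numbers are from RFC 4880, and the LEGACY set is this example's own policy choice.

```python
# Algorithm IDs per RFC 4880 section 9 (names as GnuPG prints them).
SYM = {1: "IDEA", 2: "3DES", 3: "CAST5", 4: "BLOWFISH",
       7: "AES", 8: "AES192", 9: "AES256", 10: "TWOFISH"}
HASH = {1: "MD5", 2: "SHA1", 3: "RIPEMD160",
        8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
TABLES = {"S": ("cipher", SYM), "H": ("digest", HASH)}
# RFC 4880 section 13: the must-implement algorithm is tacitly last if unlisted.
IMPLICIT = {"cipher": "3DES", "digest": "SHA1"}
# Assumption of this example: what counts as legacy for audit purposes.
LEGACY = {"IDEA", "3DES", "CAST5", "BLOWFISH", "MD5", "SHA1", "RIPEMD160"}
MODERN = (set(SYM.values()) | set(HASH.values())) - LEGACY


def decode_prefs(pref_string):
    """Turn 'S9 S8 H8 ...' into ordered cipher and digest name lists."""
    prefs = {"cipher": [], "digest": []}
    for token in pref_string.split():
        kind, number = token[0].upper(), token[1:]
        if kind not in TABLES:
            continue  # compression (Z) and feature flags are not audited here
        if not number.isdigit():
            raise ValueError(f"malformed preference token: {token!r}")
        label, table = TABLES[kind]
        prefs[label].append(table.get(int(number), f"unknown-{number}"))
    for label, fallback in IMPLICIT.items():
        if fallback not in prefs[label]:
            prefs[label].append(fallback)  # make the tacit fallback visible
    return prefs


def audit(prefs):
    """Return (kind, algorithm) for each legacy entry ranked above a modern one."""
    findings = []
    for label, algos in prefs.items():
        for i, name in enumerate(algos):
            if name in LEGACY and any(a in MODERN for a in algos[i + 1:]):
                findings.append((label, name))
    return findings


if __name__ == "__main__":
    # Constructed inputs: the first encodes the lists quoted in the message,
    # the second is a made-up older-style preference list for contrast.
    for sample in ("S9 S8 S7 S2 H8 H9 H10 H11 H2 Z2 Z3 Z1", "S3 S9 H2 H8 Z1"):
        decoded = decode_prefs(sample)
        print(sample, "->", decoded, "findings:", audit(decoded))
```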