Daniel Kahn Gillmor dkg at
Tue Mar 17 23:53:48 CET 2015

On Tue 2015-03-17 18:37:40 -0400, Robert J. Hansen wrote:
>> I agree that defaulting to brainpool-512 right now would be a
>> mistake.
>> Defaulting to RSA 3072 seems reasonable to me, though.
> I think it's best to minimize the number of times we change the
> defaults.  If we change them too often it causes users to wonder if
> there's some weakness in OpenPGP -- after all, why else would we need to
> constantly play catch-up?  (Note that I don't agree with this; I just
> understand it.)

by this argument, you should have pushed for RSA 3072 during the last
defaults change, since it would have lasted longer than 2048 ;)

> So if we're looking at a situation where we think that within the next
> five years we'll want to make ECC the default, I think it would be best
> to get that option out in front of users now.  Default to RSA-3072,
> sure, but let's get users accustomed to seeing ECC as an option so that
> when we migrate fully to ECC-by-default nobody gets surprised.

Except that by the time we're ready to adopt ECC by default we may very
well want to use Goldilocks (Hamburg's 448-bit curve), since that seems
to be the high-strength curve that the CFRG is heading toward (yes,
Goldilocks is not yet specified for OpenPGP; we'd need to do that

Brainpool-512 is incompatible with some of the other work going on in
the OpenPGP ecosystem (e.g. Yahoo and Google's work on the e2e webmail
app, which supports P-256 and P-512).

At any rate, changes are afoot, and i don't think we should be afraid to
update the defaults if we think a new set is reasonable.

