Should I be using gpg or gpg2?
Robert J. Hansen
rjh at sixdemonbag.org
Mon Sep 28 22:26:35 CEST 2015
> Most od 2.x "improvements" have little to do with security.
Per NIST, RSA-2048 is believed safe until 2030. That means that if you
need to keep secrets longer than fifteen years, you need to move away
from RSA completely. RSA-3072 is not all that much stronger than
RSA-2048, and RSA-4096 adds even less.
The future is clear: 512-bit ECC, which is about as resistant to
brute-forcing as AES256.
GnuPG 2.1 has it. GnuPG 1.4 *will never get it*. That means each day
that moves forward is one day closer to GnuPG 1.4's obsolescence.
Other major improvements: the codebase is cleaner. There's more
separation of code. Most crypto operations are now handled by
libgcrypt, which is a great move. The more libgcrypt gets used by
outside people, the better a chance we have of spotting bugs before they
There are a lot of important improvements in 2.0. I'm not saying I'm a
fan of all the decisions the development team made, but on balance I
think it's a much better product than 1.4 ever was.
> I can't offer any conclusive evidence for this, but it is my
> honest estimate...
If your name were Vint Cerf, Admiral Mike Rogers, Whit Diffie, or
someone of that caliber -- then yes, I might be able to look at who you
are, your professional history, your accomplishments, and come to a
reasoned evaluation of how much credence I should lend to your honest
estimates. But I don't know you. I don't know your reputation, I don't
know who's worked with you that will vouch for you... nothing. Without
that, why should I consider your estimates to be any more reliable than
a Ouija board?
More information about the Gnupg-users