1024 key with large sub key

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Oct 2 20:39:39 CEST 2017


On Mon 2017-10-02 10:46:48 -0400, Robert J. Hansen wrote:
>> In batch mode it can go higher. 
>
> I was about to disagree with you when I discovered the
> --enable-large-rsa flag.
>
> When did this get introduced?  Why?  What possible use case is there for
> this?

It was introduced in 2014 in git commit
534e2876acc05f9f8d9b54c18511fe768d77dfb5 on STABLE-BRANCH-1-4, which was
subsequently ported to master.

see also https://bugs.debian.org/739424 and https://dev.gnupg.org/T1732

here's the commit log:


commit 534e2876acc05f9f8d9b54c18511fe768d77dfb5
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date:   Fri Oct 3 12:01:11 2014 -0400

    gpg: Add build and runtime support for larger RSA keys
    
    * configure.ac: Added --enable-large-secmem option.
    * g10/options.h: Add opt.flags.large_rsa.
    * g10/gpg.c: Contingent on configure option: adjust secmem size,
    add gpg --enable-large-rsa, bound to opt.flags.large_rsa.
    * g10/keygen.c: Adjust max RSA size based on opt.flags.large_rsa
    * doc/gpg.texi: Document --enable-large-rsa.
    
    --
    
    Some older implementations built and used RSA keys up to 16Kib, but
    the larger secret keys now fail when used by more recent GnuPG, due to
    secure memory limitations.
    
    Building with ./configure --enable-large-secmem will make gpg
    capable of working with those secret keys, as well as permitting the
    use of a new gpg option --enable-large-rsa, which let gpg generate RSA
    keys up to 8Kib when used with --batch --gen-key.
    
    Debian-bug-id: 739424
    
    Minor edits by wk.
    
    GnuPG-bug-id: 1732


Regards,

        --dkg