1024 key with large sub key

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Oct 2 22:12:22 CEST 2017


On Mon 2017-10-02 15:04:07 -0400, Robert J. Hansen wrote:
> Anyone want to point out what I'm missing?  I don't want to sound as if
> my mind is made up, but right now it truly seems to me the
> --enable-large-rsa option is a misfeature.

I agree that there's no good reason to enable it by default.

But in terms of being willing to make changes to the GnuPG option space
that break backward compatibility for some users in order to improve the
overall state of GnuPG crypto, removing --enable-large-rsa isn't
anywhere *close* to the top of my list.

Note that --enable-large-rsa still only allows creation of 8Kibit RSA keys,
not 10Kibit or 16Kibit keys like those reported in the original bugs, so
it doesn't actually cater to the hard-core "keylength-fetishist" crowd.

         --dkg