FAQ October 2019 update

Werner Koch wk at gnupg.org
Tue Oct 15 22:44:29 CEST 2019


On Tue, 15 Oct 2019 15:17, Robert J. Hansen said:

> * Every reference to the SKS keyserver network now points to
> keys.openpgp.org.  Reason: the SKS attacks a few months ago.

I have to object against this change.  The SKS server network is still
useful and definitely more useful than a non-matured and centralized
keyserver.  I am okay with removing explicit reference to the SKS
network for now but suggesting the use of that specific keyserver is a no-go.

> * All references to 2048-bit crypto are updated to refer to 3072-bit
> crypto.  Reason: GnuPG now defaults to 3072-bit RSA.

Okay.  But this

  +your certificate uses 2048-bit keys we recommend retiring them and
  +migrating to a new keypair of at least 3072 bits length.  You can do

is a no-go because we will have a hard time to convince people that
this is just a geek suggestion and that for almost all general use of
gpg the existing keys are still fine.  Actually 2k keys are still
allowed in Germany for restricted communication and there is no need for
an immediate rush to 3k.

I also wonder why you removed this

  -If you need more security than RSA-2048 offers, the way to go would be
  -to switch to elliptical curve cryptography — not to continue using
  -RSA.

GnuPG's future default is already ECC and some hosted mail services
are already creating such keys.  GnuPG will switch to that with 2.3
which is not that far away.

> (Note: I just committed the FAQ changes.  It may take a couple of days
> for the documentation on the website to be regenerated.)

That is a matter of minutes.  I only had a brief look at it but I can't
see that your changes are subject to frequently asked questions here.
The GnuPG FAQ is for all GnuPG users and should not again start to reflect
the view of some crypto geeks or give advice which will lead only to
trouble.

I am sorry for having to write these harsh comments: In contrast to
discussions on the mailing list the FAQ reflects the opinion of the
GnuPG project and as such substantial changes need to be discussed
first.  I would suggest to create a branch and revert the changes
in master until an agreement has been reached.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.