FAQ: seeking consensus

Robert J. Hansen rjh at sixdemonbag.org
Thu Oct 17 21:18:07 CEST 2019


Unless there's no objection, I'll be making the edit to PGPNET's mailing
list address, as that seems uncontroversial.

I'd like to get a sense of the community on the other two changes I
made.  Werner and I disagree on certain things (which is understandable
and okay!), and I'd really like to get a sense of where the community lies.

Obviously, Werner gets the final decision.  But I do think community
feedback is essential, so please speak up!

=====

1.  How should we handle the SKS keyserver attacks?

One school of thought says "SKS is tremendously diminished as a
resource, because using it can wedge older GnuPG installations and we
can't make people upgrade.  We should recommend people use other methods
than SKS."  If you think this is correct, please let me know what you
think the alternate method should be.

Another says, "with a recent GnuPG release SKS may be used productively
and we should keep the current advice."

Is there another solution I'm overlooking?  Please don't think I'm
limiting the discussion to just those two.  If you've got a third way
(or a fourth, or a fifth) I'd love to hear them.

=====

2.  What should be done about the FAQ's guidance to use RSA-2048?

First, I think everyone agrees it should be removed, as it's just not
accurate any more; we've defaulted to RSA-3072 for some time.

One option is, "remove it and update the text to refer to RSA-3072, our
current default."

Another is, "remove it and update the text to refer to ECC, which will
be our next default."  (If so: which curve and which lengths do you
think should be the default?)

(Again, third, fourth, and fifth ways are welcomed.)

=====

3.  What should we advise people about their existing RSA-2048 keys?

"There's no rush, but migrating them to [whatever our new guidance is]
at a deliberate pace is advised, since RSA-2048 isn't expected to be
generally safe past 2030"

or

"Your existing RSA-2048 keys are fine, you don't need to take any action"

(Again, third, fourth, and fifth ways are welcomed.)


