HOW to upgrade: 2.0.22 --> 2.3.3 ???

Robert J. Hansen rjh at sixdemonbag.org
Fri Oct 4 23:17:05 CEST 2024


> I am not suggesting that world leaders should continue to use 1024 bit
> RSA to store their nuclear installation locations or sign their
> offical pronouncements.

"So for current OpenPGP usage, 1024 bit RSA is for all practical
purposes secure."

That was you, two messages ago.  Now you're saying 1024-bit RSA 
shouldn't be used for high-value secrets or signatures that need 
long-term confidence.  Thank you for conceding the point.

1024-bit RSA doesn't offer long-term security, and that makes it 
inappropriate for a lot of situations.  Stop using it now.  Migrate to 
something better before it's too late.

> I am merely pointing out that for 99.9999% of
> GPG users dropping the old key format provided no benefit with respect
> to key length.

It absolutely did, by reducing unnecessary features and the code 
necessary to support it.  GnuPG's mission has been to deliver 
high-quality implementations of RFC4880 and the S/MIME RFCs.  Every line 
of code that exists for RFC1991 support contributes nothing to GnuPG's 
mission while adding a new opportunity for exploitable bugs.

I personally want all RFC1991 support out.  If I need it, I know where I 
can download GnuPG 1.4.

> They could continue to use such keys indefinitely to
> generate new messages with no real risk.

Assuming they didn't need long-term secrecy, sure.  That's a big 
assumption to make.  Better to say "RSA-1024 is no longer believed to 
offer acceptable long-term security, please stop using it."




More information about the Gnupg-users mailing list