commit: daad7b4d427ad88c919c1357fedd7068ea0b862f
Author: Michał Górny <mgorny <AT> gentoo <DOT> org>
AuthorDate: Mon Jul 2 20:01:44 2018 +0000
Commit: Michał Górny <mgorny <AT> gentoo <DOT> org>
CommitDate: Sun Jul 29 20:07:26 2018 +0000
URL: https://gitweb.gentoo.org/data/glep.git/commit/?id=daad7b4d

glep-0063: Change the recommended RSA key size to 2048 bits

Change the recommended key size recommendation for RSA from 4096 bits
to 2048 bits. Use of larger keys is unjustified due to negligible gain
in security, and recommending RSA-4096 unnecessarily resulted
in developers replacing their RSA-2048 keys for no good reason.

 glep-0063.rst | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/glep-0063.rst b/glep-0063.rst |
index f4b49c2..fb09dd8 100644 |
--- a/glep-0063.rst |
+++ b/glep-0063.rst |
@@ -7,7 +7,7 @@ Author: Robin H. Johnson <robbat2@g.o>, |
Michał Górny <mgorny@g.o> |
Type: Standards Track |
Status: Final |
-Version: 1 |
+Version: 1.1 |
Created: 2013-02-18 |
Last-Modified: 2018-07-07 |
Post-History: 2013-11-10 |
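Review bot: the Version bump to 1.1 is the only change in this hunk, while `Last-Modified: 2018-07-07` and `Post-History: 2013-11-10` are left as unchanged context; given the CommitDate of 2018-07-29, confirm that Last-Modified should not move with the version bump, and consider whether changing a recommendation in a `Status: Final` GLEP warrants a new Post-History entry so readers can tell when the policy changed.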
@@ -25,6 +25,15 @@ Abstract |
This GLEP provides both a minimum requirement and a recommended set of |
OpenPGP key management policies for the Gentoo Linux distribution. |
|
+Changes |
+======= |
+ |
+v1.1 |
+ The recommended RSA key size has been changed from 4096 bits |
+ to 2048 bits to match the GnuPG recommendations [#GNUPG-FAQ-11-4]_. |
+ The larger recommendation was unjustified and resulted in people |
+ unnecessarily replacing their RSA-2048 keys. |
+ |
Motivation |
========== |
|
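Review bot: the v1.1 entry explains why the 4096-bit recommendation was dropped but never says whether existing RSA-4096 keys remain compliant; since the stated aim is to stop people replacing keys unnecessarily, add a sentence along the lines of "Existing RSA-4096 keys remain acceptable and need not be replaced." Otherwise readers with 4096-bit keys may read this as a new reason to regenerate. The definition-list form (`v1.1` with an indented body) is valid reStructuredText, and the autonumbered `[#GNUPG-FAQ-11-4]_` reference only resolves if the matching `.. [#GNUPG-FAQ-11-4]` target is present in the References section.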
@@ -113,15 +122,13 @@ their primary key). |
# when making an OpenPGP certification, use a stronger digest than the default SHA1: |
cert-digest-algo SHA256 |
|
-2. Primary key type RSA, 4096 bits (OpenPGP v4 key format or later) |
- |
- This may require creating an entirely new key. |
+2. Primary key type RSA, 2048 bits (OpenPGP v4 key format or later) |
|
3. The signing subkey of EITHER: |
|
a. DSA 2048 bits exactly. |
|
- b. RSA 4096 bits exactly. |
+ b. RSA 2048 bits exactly. |
|
4. Key expiry: |
|
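Review bot: item 3b now reads "RSA 2048 bits exactly", which makes every existing RSA-4096 signing subkey non-compliant with the recommendation and would push exactly the key replacement the commit message says it wants to avoid; suggest "RSA 2048 bits or more" (the "exactly" on the DSA line is a different matter, since 2048 is the practical ceiling for DSA, but it does not carry over to RSA). Item 2 drops the line "This may require creating an entirely new key." together with the 4096 figure; confirm that is intended, since developers whose primary key is neither RSA nor at least 2048 bits still face that step.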
@@ -174,6 +181,9 @@ Much of the above was driven by the following: |
References |
========== |
|
+.. [#GNUPG-FAQ-11-4] GnuPG FAQ: Why doesn’t GnuPG default to using RSA-4096? |
+ (https://www.gnupg.org/faq/gnupg-faq.html#no_default_of_rsa4096) |
+ |
.. [#DEBIANGPG] Debian GPG documentation |
(https://wiki.debian.org/Keysigning) |
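Review bot: the footnote label `GNUPG-FAQ-11-4` bakes a FAQ section number into the identifier while the URL itself is anchored by name (`#no_default_of_rsa4096`); if the FAQ is renumbered the label silently goes stale, so either name the label after the fragment (e.g. `[#GNUPG-FAQ-RSA4096]`) or state the section in the entry text where a reader can check it. Minor: the entry title uses a typographic apostrophe in "doesn’t"; use the ASCII form unless the rest of the file's references already use the curly one.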