| 1 |
commit: daad7b4d427ad88c919c1357fedd7068ea0b862f |
| 2 |
Author: Michał Górny <mgorny <AT> gentoo <DOT> org> |
| 3 |
AuthorDate: Mon Jul 2 20:01:44 2018 +0000 |
| 4 |
Commit: Michał Górny <mgorny <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Sun Jul 29 20:07:26 2018 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/data/glep.git/commit/?id=daad7b4d |
| 7 |
|
| 8 |
glep-0063: Change the recommended RSA key size to 2048 bits |
| 9 |
|
| 10 |
Change the recommended key size recommendation for RSA from 4096 bits |
| 11 |
to 2048 bits. Use of larger keys is unjustified due to negligible gain |
| 12 |
in security, and recommending RSA-4096 unnecessarily resulted |
| 13 |
in developers replacing their RSA-2048 keys for no good reason. |
| 14 |
|
| 15 |
glep-0063.rst | 20 +++++++++++++++----- |
| 16 |
1 file changed, 15 insertions(+), 5 deletions(-) |
| 17 |
|
| 18 |
diff --git a/glep-0063.rst b/glep-0063.rst |
| 19 |
index f4b49c2..fb09dd8 100644 |
| 20 |
--- a/glep-0063.rst |
| 21 |
+++ b/glep-0063.rst |
| 22 |
@@ -7,7 +7,7 @@ Author: Robin H. Johnson <robbat2@g.o>, |
| 23 |
Michał Górny <mgorny@g.o> |
| 24 |
Type: Standards Track |
| 25 |
Status: Final |
| 26 |
-Version: 1 |
| 27 |
+Version: 1.1 |
| 28 |
Created: 2013-02-18 |
| 29 |
Last-Modified: 2018-07-07 |
| 30 |
Post-History: 2013-11-10 |
| 31 |
@@ -25,6 +25,15 @@ Abstract |
| 32 |
This GLEP provides both a minimum requirement and a recommended set of |
| 33 |
OpenPGP key management policies for the Gentoo Linux distribution. |
| 34 |
|
| 35 |
+Changes |
| 36 |
+======= |
| 37 |
+ |
| 38 |
+v1.1 |
| 39 |
+ The recommended RSA key size has been changed from 4096 bits |
| 40 |
+ to 2048 bits to match the GnuPG recommendations [#GNUPG-FAQ-11-4]_. |
| 41 |
+ The larger recommendation was unjustified and resulted in people |
| 42 |
+ unnecessarily replacing their RSA-2048 keys. |
| 43 |
+ |
| 44 |
Motivation |
| 45 |
========== |
| 46 |
|
| 47 |
@@ -113,15 +122,13 @@ their primary key). |
| 48 |
# when making an OpenPGP certification, use a stronger digest than the default SHA1: |
| 49 |
cert-digest-algo SHA256 |
| 50 |
|
| 51 |
-2. Primary key type RSA, 4096 bits (OpenPGP v4 key format or later) |
| 52 |
- |
| 53 |
- This may require creating an entirely new key. |
| 54 |
+2. Primary key type RSA, 2048 bits (OpenPGP v4 key format or later) |
| 55 |
|
| 56 |
3. The signing subkey of EITHER: |
| 57 |
|
| 58 |
a. DSA 2048 bits exactly. |
| 59 |
|
| 60 |
- b. RSA 4096 bits exactly. |
| 61 |
+ b. RSA 2048 bits exactly. |
| 62 |
|
| 63 |
4. Key expiry: |
| 64 |
|
| 65 |
@@ -174,6 +181,9 @@ Much of the above was driven by the following: |
| 66 |
References |
| 67 |
========== |
| 68 |
|
| 69 |
+.. [#GNUPG-FAQ-11-4] GnuPG FAQ: Why doesn’t GnuPG default to using RSA-4096? |
| 70 |
+ (https://www.gnupg.org/faq/gnupg-faq.html#no_default_of_rsa4096) |
| 71 |
+ |
| 72 |
.. [#DEBIANGPG] Debian GPG documentation |
| 73 |
(https://wiki.debian.org/Keysigning) |
Archives