Gentoo Archives: gentoo-dev

From: "Michał Górny" <mgorny@g.o>
To: gentoo-dev@l.g.o
Cc: robbat2@g.o, "Michał Górny" <mgorny@g.o>
Subject: [gentoo-dev] [PATCH v5 07/16] glep-0063: Change the recommended RSA key size to 2048 bits
Date: Sun, 08 Jul 2018 18:42:23
Message-Id: 20180708183902.30367-8-mgorny@gentoo.org
In Reply to: [gentoo-dev] [PATCH v5 00/16] GLEP 63, once again by "Michał Górny"
1 Change the recommended key size recommendation for RSA from 4096 bits
2 to 2048 bits. Use of larger keys is unjustified due to negligible gain
3 in security, and recommending RSA-4096 unnecessarily resulted
4 in developers replacing their RSA-2048 keys for no good reason.
5 ---
6 glep-0063.rst | 20 +++++++++++++++-----
7 1 file changed, 15 insertions(+), 5 deletions(-)
8
9 diff --git a/glep-0063.rst b/glep-0063.rst
10 index f4b49c2..fb09dd8 100644
11 --- a/glep-0063.rst
12 +++ b/glep-0063.rst
13 @@ -7,7 +7,7 @@ Author: Robin H. Johnson <robbat2@g.o>,
14 Michał Górny <mgorny@g.o>
15 Type: Standards Track
16 Status: Final
17 -Version: 1
18 +Version: 1.1
19 Created: 2013-02-18
20 Last-Modified: 2018-07-07
21 Post-History: 2013-11-10
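Review bot: Post-History in the trailing context still lists only 2013-11-10 while Version is bumped to 1.1 and Last-Modified to 2018-07-07; if that header is meant to record each posted revision, add the 2018 posting date next to the Version bump so the header fields stay consistent.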
22 @@ -25,6 +25,15 @@ Abstract
23 This GLEP provides both a minimum requirement and a recommended set of
24 OpenPGP key management policies for the Gentoo Linux distribution.
25
26 +Changes
27 +=======
28 +
29 +v1.1
30 + The recommended RSA key size has been changed from 4096 bits
31 + to 2048 bits to match the GnuPG recommendations [#GNUPG-FAQ-11-4]_.
32 + The larger recommendation was unjustified and resulted in people
33 + unnecessarily replacing their RSA-2048 keys.
34 +
35 Motivation
36 ==========
37
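Review bot: the new v1.1 entry under Changes cites `[#GNUPG-FAQ-11-4]_` but does not say which requirement items it affects; naming the two changed items (the primary key type entry and the RSA signing subkey size entry) would let a developer checking an existing key against v1.1 find the relevant lines without diffing the document.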
38 @@ -113,15 +122,13 @@ their primary key).
39 # when making an OpenPGP certification, use a stronger digest than the default SHA1:
40 cert-digest-algo SHA256
41
42 -2. Primary key type RSA, 4096 bits (OpenPGP v4 key format or later)
43 -
44 - This may require creating an entirely new key.
45 +2. Primary key type RSA, 2048 bits (OpenPGP v4 key format or later)
46
47 3. The signing subkey of EITHER:
48
49 a. DSA 2048 bits exactly.
50
51 - b. RSA 4096 bits exactly.
52 + b. RSA 2048 bits exactly.
53
54 4. Key expiry:
55
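Review bot: `+2. Primary key type RSA, 2048 bits` and `+ b. RSA 2048 bits exactly.` make the RSA-4096 keys that developers generated under the v1 recommendation fall outside the recommended set, which recreates, in the other direction, the churn the commit message says the change is meant to stop; wording such as "RSA, 2048 bits or larger" and "RSA 2048 bits or more" would keep those keys within the recommendation. The dropped line `This may require creating an entirely new key.` was also the only note that a primary key type cannot be changed in place; if it is removed because most existing keys already meet the 2048-bit recommendation, the commit message should say so.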
56 @@ -174,6 +181,9 @@ Much of the above was driven by the following:
57 References
58 ==========
59
60 +.. [#GNUPG-FAQ-11-4] GnuPG FAQ: Why doesn’t GnuPG default to using RSA-4096?
61 + (https://www.gnupg.org/faq/gnupg-faq.html#no_default_of_rsa4096)
62 +
63 .. [#DEBIANGPG] Debian GPG documentation
64 (https://wiki.debian.org/Keysigning)
65
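Review bot: the citation label `GNUPG-FAQ-11-4` encodes a FAQ section number, unlike the neighbouring `DEBIANGPG`; FAQ numbering is liable to move, so a descriptive label (for example `GNUPG-FAQ-RSA4096`) would age better, and the same label must then be changed in the Changes section that references it.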
66 --
67 2.18.0