Gentoo Archives: gentoo-dev

From: "Michał Górny" <mgorny@g.o>
To: gentoo-dev@l.g.o
Cc: robbat2@g.o, "Michał Górny" <mgorny@g.o>
Subject: [gentoo-dev] [PATCH 4/4] glep-0063: Change the recommended RSA key size to 2048 bits
Date: Tue, 03 Jul 2018 13:32:14
Message-Id: 20180703132957.29200-5-mgorny@gentoo.org
In Reply to: [gentoo-dev] [PATCH 0/4] GLEP 63: clean up, and reduce key size to RSA-2048 by "Michał Górny"
Change the recommended key size for RSA from 4096 bits
to 2048 bits. Use of larger keys is unjustified due to negligible gain
in security, and recommending RSA-4096 unnecessarily resulted
in developers replacing their RSA-2048 keys for no good reason.
---
glep-0063.rst | 18 +++++++++++++++---
1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/glep-0063.rst b/glep-0063.rst
index 0082edd..f1512b3 100644
--- a/glep-0063.rst
+++ b/glep-0063.rst
13 @@ -6,7 +6,7 @@ Author: Robin H. Johnson <robbat2@g.o>,
14 Marissa Fischer <blogtodiffer@×××××.com>
15 Type: Standards Track
16 Status: Final
17 -Version: 1
18 +Version: 1.1
19 Created: 2013-02-18
20 Last-Modified: 2018-07-02
21 Post-History: 2013-11-10
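Review bot: the version bump to 1.1 leaves Status: Final and Post-History: 2013-11-10 untouched even though the GLEP's substantive recommendation changes; consider recording this revision's posting date in Post-History (Last-Modified already reads 2018-07-02) so the document itself shows when v1.1 was circulated.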
22 @@ -24,6 +24,15 @@ Abstract
23 This GLEP provides both a minimum requirement and a recommended set of
24 OpenPGP key management policies for the Gentoo Linux distribution.
25
26 +Changes
27 +=======
28 +
29 +v1.1
30 + The recommended RSA key size has been changed from 4096 bits
31 + to 2048 bits to match the GnuPG recommendations [#GNUPG-FAQ-11-4]_.
32 + The larger recommendation was unjustified and resulted in people
33 + unnecessarily replacing their RSA-2048 keys.
34 +
35 Motivation
36 ==========
37
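Review bot: the v1.1 entry in the new Changes section carries no date, so a reader of the rendered GLEP cannot tell when the 4096-to-2048 change took effect; consider putting the date next to the version (the header's Last-Modified: 2018-07-02 is the obvious value). The [#GNUPG-FAQ-11-4]_ citation is resolved by the footnote added in the References hunk below, so the cross-reference is consistent.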
38 @@ -101,7 +110,7 @@ Recommendations
39 # when making an OpenPGP certification, use a stronger digest than the default SHA1:
40 cert-digest-algo SHA256
41
42 -2. Root key type RSA, 4096 bits (OpenPGP v4 key format or later)
43 +2. Root key type RSA, 2048 bits (OpenPGP v4 key format or later)
44
45 This may require creating an entirely new key.
46
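Review bot: item 2 now recommends RSA 2048 bits but is still followed by the unchanged context line "This may require creating an entirely new key."; given that the commit message's stated goal is to stop developers replacing keys unnecessarily, a short sentence saying that existing RSA-4096 root keys remain acceptable and need not be regenerated would prevent the recommendation from reading as a prompt to replace them.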
47 @@ -109,7 +118,7 @@ Recommendations
48
49 a. DSA 2048 bits exactly.
50
51 - b. RSA 4096 bits exactly.
52 + b. RSA 2048 bits exactly.
53
54 4. Key expiry:
55
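Review bot: "b. RSA 2048 bits exactly." excludes the RSA-4096 subkeys that version 1 of this GLEP told developers to create, so existing keys fall outside the recommendation the moment the change is applied; wording such as "RSA 2048 bits or more", or an explicit note that 4096-bit subkeys remain acceptable, would match the commit message's aim of not making anyone replace keys. Leaving "a. DSA 2048 bits exactly." untouched is consistent with the commit message's scope being RSA only.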
56 @@ -162,6 +171,9 @@ Much of the above was driven by the following:
57 References
58 ==========
59
60 +.. [#GNUPG-FAQ-11-4] GnuPG FAQ: Why doesn’t GnuPG default to using RSA-4096?
61 + (https://www.gnupg.org/faq/gnupg-faq.html#no_default_of_rsa4096)
62 +
63 .. [#DEBIANGPG] Debian GPG documentation
64 (https://wiki.debian.org/Keysigning)
65
66 --
67 2.18.0