Change the recommended key size recommendation for RSA from 4096 bits
to 2048 bits. Use of larger keys is unjustified due to negligible gain
in security, and recommending RSA-4096 unnecessarily resulted
in developers replacing their RSA-2048 keys for no good reason.
---
glep-0063.rst | 18 +++++++++++++++---
1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/glep-0063.rst b/glep-0063.rst
index 4c22fbe..6dc4ce5 100644
--- a/glep-0063.rst
+++ b/glep-0063.rst
@@ -6,7 +6,7 @@ Author: Robin H. Johnson <robbat2@g.o>,
Marissa Fischer <blogtodiffer@×××××.com>
Type: Standards Track
Status: Final
-Version: 1
+Version: 1.1
Created: 2013-02-18
Last-Modified: 2018-07-04
Post-History: 2013-11-10
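Review bot: the Version field goes from 1 to 1.1, but Last-Modified (2018-07-04) and Post-History (2013-11-10) in the same header are left untouched; if this revision is published on a later date, update Last-Modified and add a Post-History entry in this commit so the header agrees with the new Changes section the patch introduces.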
@@ -24,6 +24,15 @@ Abstract
This GLEP provides both a minimum requirement and a recommended set of
OpenPGP key management policies for the Gentoo Linux distribution.

+Changes
+=======
+
+v1.1
+ The recommended RSA key size has been changed from 4096 bits
+ to 2048 bits to match the GnuPG recommendations [#GNUPG-FAQ-11-4]_.
+ The larger recommendation was unjustified and resulted in people
+ unnecessarily replacing their RSA-2048 keys.
+
Motivation
==========

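Review bot: the v1.1 entry says the size was lowered "to match the GnuPG recommendations", but the reference it cites, [#GNUPG-FAQ-11-4], is titled "Why doesn't GnuPG default to using RSA-4096?", which explains GnuPG's default key size rather than issuing a recommendation; consider "to match the GnuPG default key size" so the sentence matches its citation. The entry should also say whether RSA-4096 keys created under v1 remain acceptable, since avoiding needless key replacement is the stated reason for the change.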
@@ -109,7 +118,7 @@ their primary key).
# when making an OpenPGP certification, use a stronger digest than the default SHA1:
cert-digest-algo SHA256

-2. Primary key type RSA, 4096 bits (OpenPGP v4 key format or later)
+2. Primary key type RSA, 2048 bits (OpenPGP v4 key format or later)

This may require creating an entirely new key.

@@ -117,7 +126,7 @@ their primary key).

a. DSA 2048 bits exactly.

- b. RSA 4096 bits exactly.
+ b. RSA 2048 bits exactly.

4. Key expiry:

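Review bot: "b. RSA 2048 bits exactly." read literally excludes an RSA-4096 signing subkey, which is the opposite of the commit's intent of not forcing developers to replace larger keys; suggest "b. RSA, at least 2048 bits." here, keeping "exactly" only where a single size is genuinely required.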
@@ -170,6 +179,9 @@ Much of the above was driven by the following:
References
==========

+.. [#GNUPG-FAQ-11-4] GnuPG FAQ: Why doesn’t GnuPG default to using RSA-4096?
+ (https://www.gnupg.org/faq/gnupg-faq.html#no_default_of_rsa4096)
+
.. [#DEBIANGPG] Debian GPG documentation
(https://wiki.debian.org/Keysigning)

-- 
2.18.0