>>>>> On Mon, 11 Nov 2013, Robin H Johnson wrote:

> GLEP: xx
> Title: Gentoo GPG key policies

Looks all good to me, except for one point:

> Recommendations:
> ----------------

> 3. Dedicated signing subkey of EITHER:

> 3.1. DSA 2048 bits exactly.

> 3.2. RSA 4096 bits exactly.

Isn't it overkill to use 4096 bits for the signing subkey? I'd expect
that the level of protection of the keys themselves in a typical
developer's environment is far from being a match for this. (Do all
devs use a machine for signing that is isolated from the internet?
Or use a smartcard, at least?)

Also 4096 bits are generally not supported by smartcards. For example,
the OpenPGP card (see http://www.g10code.de/p-card.html) in its newest
version supports RSA up to 3072 bits only.

The following XKCD comic summarises the issue quite well. :-)
http://xkcd.com/538/

Ulrich