diff options
author | Michał Górny <mgorny@gentoo.org> | 2018-07-02 22:01:44 +0200 |
---|---|---|
committer | Michał Górny <mgorny@gentoo.org> | 2018-07-29 22:07:26 +0200 |
commit | daad7b4d427ad88c919c1357fedd7068ea0b862f (patch) | |
tree | ce436e600be17ef06609034f7fc5e337290415ce /glep-0063.rst | |
parent | glep-0063: Explain minimal & recommended sections (diff) | |
download | glep-daad7b4d427ad88c919c1357fedd7068ea0b862f.tar.gz glep-daad7b4d427ad88c919c1357fedd7068ea0b862f.tar.bz2 glep-daad7b4d427ad88c919c1357fedd7068ea0b862f.zip |
glep-0063: Change the recommended RSA key size to 2048 bits
Change the recommended key size recommendation for RSA from 4096 bits
to 2048 bits. Use of larger keys is unjustified due to negligible gain
in security, and recommending RSA-4096 unnecessarily resulted
in developers replacing their RSA-2048 keys for no good reason.
Diffstat (limited to 'glep-0063.rst')
-rw-r--r-- | glep-0063.rst | 20 |
1 files changed, 15 insertions, 5 deletions
diff --git a/glep-0063.rst b/glep-0063.rst index f4b49c2..fb09dd8 100644 --- a/glep-0063.rst +++ b/glep-0063.rst @@ -7,7 +7,7 @@ Author: Robin H. Johnson <robbat2@gentoo.org>, Michał Górny <mgorny@gentoo.org> Type: Standards Track Status: Final -Version: 1 +Version: 1.1 Created: 2013-02-18 Last-Modified: 2018-07-07 Post-History: 2013-11-10 @@ -25,6 +25,15 @@ Abstract This GLEP provides both a minimum requirement and a recommended set of OpenPGP key management policies for the Gentoo Linux distribution. +Changes +======= + +v1.1 + The recommended RSA key size has been changed from 4096 bits + to 2048 bits to match the GnuPG recommendations [#GNUPG-FAQ-11-4]_. + The larger recommendation was unjustified and resulted in people + unnecessarily replacing their RSA-2048 keys. + Motivation ========== @@ -113,15 +122,13 @@ their primary key). # when making an OpenPGP certification, use a stronger digest than the default SHA1: cert-digest-algo SHA256 -2. Primary key type RSA, 4096 bits (OpenPGP v4 key format or later) - - This may require creating an entirely new key. +2. Primary key type RSA, 2048 bits (OpenPGP v4 key format or later) 3. The signing subkey of EITHER: a. DSA 2048 bits exactly. - b. RSA 4096 bits exactly. + b. RSA 2048 bits exactly. 4. Key expiry: @@ -174,6 +181,9 @@ Much of the above was driven by the following: References ========== +.. [#GNUPG-FAQ-11-4] GnuPG FAQ: Why doesn’t GnuPG default to using RSA-4096? + (https://www.gnupg.org/faq/gnupg-faq.html#no_default_of_rsa4096) + .. [#DEBIANGPG] Debian GPG documentation (https://wiki.debian.org/Keysigning) |