From: "Michał Górny" <mgorny@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Cc: robbat2@gentoo.org, "Michał Górny" <mgorny@gentoo.org>
Subject: [gentoo-dev] [PATCH 4/4] glep-0063: Change the recommended RSA key size to 2048 bits
Date: Tue,  3 Jul 2018 15:29:57 +0200
Message-ID: <20180703132957.29200-5-mgorny@gentoo.org>
In-Reply-To: <20180703132957.29200-1-mgorny@gentoo.org>

Change the recommended key size recommendation for RSA from 4096 bits
to 2048 bits.  Use of larger keys is unjustified due to negligible gain
in security, and recommending RSA-4096 unnecessarily resulted
in developers replacing their RSA-2048 keys for no good reason.
---
 glep-0063.rst | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/glep-0063.rst b/glep-0063.rst
index 0082edd..f1512b3 100644
--- a/glep-0063.rst
+++ b/glep-0063.rst
@@ -6,7 +6,7 @@ Author: Robin H. Johnson <robbat2@gentoo.org>,
         Marissa Fischer <blogtodiffer@gmail.com>
 Type: Standards Track
 Status: Final
-Version: 1
+Version: 1.1
 Created: 2013-02-18
 Last-Modified: 2018-07-02
 Post-History: 2013-11-10
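Review bot: the bump to `Version: 1.1` leaves `Post-History: 2013-11-10` untouched, so the header will not record when the v1.1 revision was posted; add this revision's posting date to Post-History alongside the version bump, and re-check `Last-Modified: 2018-07-02`, which already lags the 2018-07-03 posting date of this series.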
@@ -24,6 +24,15 @@ Abstract
 This GLEP provides both a minimum requirement and a recommended set of
 OpenPGP key management policies for the Gentoo Linux distribution.
 
+Changes
+=======
+
+v1.1
+  The recommended RSA key size has been changed from 4096 bits
+  to 2048 bits to match the GnuPG recommendations [#GNUPG-FAQ-11-4]_.
+  The larger recommendation was unjustified and resulted in people
+  unnecessarily replacing their RSA-2048 keys.
+
 Motivation
 ==========
 
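Review bot: the v1.1 entry only records the change to the recommended root key size, but this same patch also changes item 3(b) of the recommendations from `RSA 4096 bits exactly` to `RSA 2048 bits exactly`; list that change in the same entry so the changelog matches what the diff actually touches.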
@@ -101,7 +110,7 @@ Recommendations
        # when making an OpenPGP certification, use a stronger digest than the default SHA1:
        cert-digest-algo SHA256
 
-2. Root key type RSA, 4096 bits (OpenPGP v4 key format or later)
+2. Root key type RSA, 2048 bits (OpenPGP v4 key format or later)
 
    This may require creating an entirely new key.
 
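Review bot: with the recommended root key size lowered to 2048 bits, the unchanged line `This may require creating an entirely new key.` now reads as if developers holding RSA-4096 root keys should generate a new one, which is exactly the churn the commit message says the old recommendation caused; consider wording the item as `Root key type RSA, at least 2048 bits` (or stating that larger existing keys remain acceptable) so the sentence only applies to keys below the recommendation.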
@@ -109,7 +118,7 @@ Recommendations
 
    a. DSA 2048 bits exactly.
 
-   b. RSA 4096 bits exactly.
+   b. RSA 2048 bits exactly.
 
 4. Key expiry:
 
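Review bot: `b. RSA 2048 bits exactly.` keeps the word `exactly` from the 4096-bit version, so an existing RSA-4096 signing subkey stops matching the recommendation even though the commit message calls larger keys merely unjustified, not undesirable; `exactly` may be deliberate for the DSA line above it, but for RSA the stated rationale only supports a minimum, so `b. RSA 2048 bits or larger.` would avoid flagging keys that already exceed it.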
@@ -162,6 +171,9 @@ Much of the above was driven by the following:
 References
 ==========
 
+.. [#GNUPG-FAQ-11-4] GnuPG FAQ: Why doesn’t GnuPG default to using RSA-4096?
+   (https://www.gnupg.org/faq/gnupg-faq.html#no_default_of_rsa4096)
+
 .. [#DEBIANGPG] Debian GPG documentation
    (https://wiki.debian.org/Keysigning)
 
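Review bot: the new `[#GNUPG-FAQ-11-4]` entry is cited only from the Changes section, while item 2 of the recommendations, which actually states the 2048-bit figure, carries no citation; consider adding the same `[#GNUPG-FAQ-11-4]_` reference there. Also, the label encodes the FAQ's section number (11.4), which can change when the FAQ is reorganised, whereas the `#no_default_of_rsa4096` anchor in the URL is the stable part; a label such as `GNUPG-FAQ-RSA4096` would not go stale.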
-- 
2.18.0


