Hi,

On Thu, Sep 16, 2010 at 02:02:33PM +0200, Alexander Reichle-Schmehl wrote:

> > FWIW, the OpenPGP smartcard v2 supports keys up to 3072 bits.

> At the recent FrOSCon I have been told, that 4096 bit keys should work,
> but aren't officially supported. (Haven't tested it myself, yet.)

Well, I've tried. Apparently, some of the first 2.0 cards have a firmware bug that leads to a buffer overrun inside the card if a 3072 bit key is used for decryption (signing and authentication work fine). The overrun cannot be exploited as it is immediately detected by the card runtime and the request aborted with an error condition.

FWIW, I'm using a 4096 bit KSK, which is kept in a safe location, and 2048 bit subkeys on a smartcard for daily use. I don't think the large size for the master key is excessive, as I expect to keep it for several years, and as it has been generated with key usage explicitly set to "C" only it cannot be abused directly (i.e. if someone were to get hold of the key and wanted to upload something to Debian with it, they'd need to add a subkey and push it to the Debian keyserver, which would make the entire operation pretty noisy).

   Simon
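An added example, not part of the original message: a small audit of `gpg --with-colons --list-keys` output that checks the two properties the setup above relies on, namely that the primary key itself carries only the certify ("C") usage and that no subkey has appeared that the owner did not create. The key IDs and the sample listing are constructed; the field positions follow GnuPG's colon-listing format (field 3 key length, field 5 key ID, field 12 capabilities, where lowercase letters are the key's own usages).

```python
# Constructed sample: 4096-bit certify-only primary, three 2048-bit subkeys.
SAMPLE = """\
pub:u:4096:1:AAAAAAAAAAAAAAA1:1284595200:::u:::cESCA:
uid:u::::1284595200::0000::Example User <user@example.org>:
sub:u:2048:1:BBBBBBBBBBBBBBB2:1284595200::::::s:
sub:u:2048:1:CCCCCCCCCCCCCCC3:1284595200::::::e:
sub:u:2048:1:DDDDDDDDDDDDDDD4:1284595200::::::a:
"""

# Subkeys the owner knows to be on the smartcard (constructed IDs).
KNOWN_SUBKEYS = {"BBBBBBBBBBBBBBB2", "CCCCCCCCCCCCCCC3", "DDDDDDDDDDDDDDD4"}


def parse_keys(listing):
    """Return one dict per pub/sub record in a --with-colons listing."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub") and len(f) > 11:
            keys.append({
                "type": f[0],
                "bits": int(f[2]),
                "keyid": f[4],
                # Lowercase letters are this key's own usages; uppercase
                # letters on a pub record summarise the whole key.
                "caps": {c for c in f[11] if c.islower()},
            })
    return keys


def audit(listing, known_subkeys):
    """List deviations from a certify-only primary with known subkeys."""
    findings = []
    for k in parse_keys(listing):
        usage = "".join(sorted(k["caps"]))
        if k["type"] == "pub" and k["caps"] != {"c"}:
            findings.append(
                f"primary {k['keyid']} has own usage '{usage}', expected 'c'")
        if k["type"] == "sub" and k["keyid"] not in known_subkeys:
            findings.append(
                f"unexpected subkey {k['keyid']} ({k['bits']} bit, usage '{usage}')")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, KNOWN_SUBKEYS) or ["no deviations"]:
        print(finding)
```

Run against the copy of the key fetched from the keyserver, this turns the "noisy" subkey addition described above into an explicit finding.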