On 3/22/11 5:22 PM, Jerome Baum wrote:

> So considering that the "smart card" argument only makes sense
> when I generate on-card, and considering that gpg wouldn't offer
> RSA-4096 anyway in that case, how does this make it a bad idea to
> have RSA-4096 as the (recommended) default?

Simplicity. Otherwise you get a ton of people screaming, "GnuPG only lets me generate a 2K key on my smart card! The default is *4*K! Why am I getting only half the bits that GnuPG thinks I need to be safe?!"

And yes, those questions would occur. Lots.

In order to reduce confusion, 2K keys seem to be the best bet. They are safe enough for the overwhelming majority of users, are the most compatible with embedded devices, and cause the least confusion.

> Obviously, if I am not using a smart card and doing other stuff
> on a device that can't cope with RSA-4096 keys, then I am
> probably smart enough to ignore the default, right?

This is a rudely-phrased question. I either have to grant that you are, or have to say that you're not smart enough to ignore the default.

I am going to ignore this question and tell you: unless you need 30+ years of security, use the defaults. They're defaults for a reason: they're perfectly sufficient for the overwhelming majority of uses.

Stop trying to justify putting an additional foot of height on your 10,000-foot fence, and start thinking about the folks who are trying to tunnel underneath it.

And honestly, that's all that I have to say on this.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
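For readers who do decide to override the default rather than argue about it: GnuPG's unattended key generation takes a parameter file in which the key length is stated explicitly, so the choice of 2048 versus 4096 is a one-line decision that does not depend on what the default happens to be. The parameter file below is an added example written for this editorial pass, not something posted in the thread; the name, e-mail address and expiry are placeholders, and the 4096-bit length is chosen only to illustrate the override, not as a recommendation.

```conf
# Constructed example: parameters for `gpg --batch --gen-key params.txt`.
# Key-Length is set explicitly, so this file generates the same key size
# regardless of GnuPG's built-in default. (Name/e-mail are placeholders.)
%echo Generating a 4096-bit RSA primary key with a 4096-bit RSA subkey
Key-Type: RSA
Key-Length: 4096
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 4096
Subkey-Usage: encrypt
Name-Real: Example User
Name-Email: user@example.org
Expire-Date: 2y
# For a throwaway test key only; a real key should get a passphrase.
# %no-protection
%commit
%echo done
```

Run it against a scratch home directory (`gpg --homedir "$(mktemp -d)" --batch --gen-key params.txt`) to see the effect without touching a real keyring. This only controls keys generated on the host; a key generated on the card itself is sized by what the card's firmware supports, which is exactly the mismatch the message above is worried about.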