On Mon, Sep 9, 2013 at 12:28 PM, Ole Tange <o...@tange.dk> wrote:
[snip]
> Hopefully that will stop people from recommending against 10kbit keys
> for the sake of the communication partners.

While it certainly seems that 10kbit keys offer reasonable performance even for slow systems (thanks for doing the benchmarks on those systems), there are also some practical concerns:

1. Most smartcards these days support 2048-bit keys, while OpenPGP smartcards support 4096-bit keys. I'm not aware of any smartcard that supports >4096 bits. It'd be nice to see hardware vendors offer cards that can handle larger keys. I'm not sure what the demand for larger keys is, but I imagine that smartcard support for larger keys would be a long time coming.

2. How compatible are >4096-bit keys with various OpenPGP implementations? It's nice to have a (presumably) secure key, but if other people's software only supports 4096-bit keys as a maximum then you can't really communicate with them. New features are slow to add to both the standard and to various implementations: even though RFC 4880 says that OpenPGP implementations MAY implement hashes other than SHA1, I've read some concern about compatibility with SHA256 and SHA512 signatures and key certifications (I've not observed any such issues, but I rarely interact with people using older software versions that are unlikely to support it). I'm not sure what other programs implement the standard or how well-supported extra large keys would be.

3. Generating large keys with GnuPG requires that one patch the source and recompile. This limits the creation of extra-large keys to those who feel comfortable with doing this. It'd be interesting to see if Werner would change the hard-coded maximum keysize from the current 4096 to, say, 8192 (or 15,360 or 16,384) bits so that users who desired such keys could create them easily. (It'd probably be best to require an "--expert" flag to expose such options, at least for a while.)

Thanks again for the interesting benchmarks and measurements.

Cheers!
-Pete

--
Pete Stephenson

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users