On Tue 2015-03-17 18:37:40 -0400, Robert J. Hansen wrote:
>> I agree that defaulting to brainpool-512 right now would be a
>> mistake.
>>
>> Defaulting to RSA 3072 seems reasonable to me, though.
>
> I think it's best to minimize the number of times we change the
> defaults. If we change them too often it causes users to wonder if
> there's some weakness in OpenPGP -- after all, why else would we need to
> constantly play catch-up? (Note that I don't agree with this; I just
> understand it.)

by this argument, you should have pushed for RSA 3072 during the last defaults change, since it would have lasted longer than 2048 ;)

> So if we're looking at a situation where we think that within the next
> five years we'll want to make ECC the default, I think it would be best
> to get that option out in front of users now. Default to RSA-3072,
> sure, but let's get users accustomed to seeing ECC as an option so that
> when we migrate fully to ECC-by-default nobody gets surprised.

Except that by the time we're ready to adopt ECC by default we may very well want to use Goldilocks (Hamburg's 448-bit curve), since that seems to be the high-strength curve that the CFRG is heading toward (yes, goldilocks is not yet specified for OpenPGP; we'd need to do that first). Brainpool-512 is incompatible with some of the other work going on in the OpenPGP ecosystem (e.g. yahoo and google's work on the e2e webmail app, which supports P-256 and P-512).

At any rate, changes are afoot, and i don't think we should be afraid to update the defaults if we think a new set is reasonable.

--dkg

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users