> Most od 2.x "improvements" have little to do with security. Per NIST, RSA-2048 is believed safe until 2030. That means that if you need to keep secrets longer than fifteen years, you need to move away from RSA completely. RSA-3072 is not all that much stronger than RSA-2048, and RSA-4096 adds even less.
The future is clear: 512-bit ECC, which is about as resistant to brute-forcing as AES256. GnuPG 2.1 has it. GnuPG 1.4 *will never get it*. That means each day that moves forward is one day closer to GnuPG 1.4's obsolescence. Other major improvements: the codebase is cleaner. There's more separation of code. Most crypto operations are now handled by libgcrypt, which is a great move. The more libgcrypt gets used by outside people, the better a chance we have of spotting bugs before they become problems. There are a lot of important improvements in 2.0. I'm not saying I'm a fan of all the decisions the development team made, but on balance I think it's a much better product than 1.4 ever was. > I can't offer any conclusive evidence for this, but it is my > honest estimate... If your name were Vint Cerf, Admiral Mike Rogers, Whit Diffie, or someone of that caliber -- then yes, I might be able to look at who you are, your professional history, your accomplishments, and come to a reasoned evaluation of how much credence I should lend to your honest estimates. But I don't know you. I don't know your reputation, I don't know who's worked with you that will vouch for you... nothing. Without that, why should I consider your estimates to be any more reliable than a Ouija board? _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
