Werner, I find your reply disingenuous - I cannot believe that you are not aware that what you are writing is misleading and/or outright wrong.

On Mon, Sep 29, 2014 at 08:58:26AM +0200, Werner Koch <w...@gnupg.org> wrote:
> > NIST 2012 also recommends similar key sizes (15360 bits).
>
> These are only projections to show that there is a need to switch to EC
> keys.

That might be your interpretation of the intent of their recommendations (specifically, SP 800/57), but the facts still remain that experts do not agree with you (disagreeing with your own claims).

It also doesn't invalidate the opinion of the other expert opinions provided (which you have conveniently left out of your reply).

> > It is also against the GNU coding standards to have arbitrary limits such
> > as these. ("Avoid arbitrary limits on the length or number of any data
>
> The GNU standards partly recommend ideas dating back to a time the
> Internet was young and innocent. Nowadays connecting a box to the
> Internet means to be vulnerable to a wide range of attacks.

This is a strawman argument - which attacks would gnupg open itself up to if it increased the limit to be sufficient for longer keysizes recommended by many cryptographic researchers, as requested in this ticket?

> Having no limits on input data and allocating buffer dynamically is an
> easy way to DoS a service.

Again a strawman - firstly, gnupg can support the recommended keysizes without dynamically allocating a buffer, and secondly, gnupg already allocates the buffer in question dynamically. It simply places an arbitrary (and very low) limit on the buffer.

> If you look at GnuPG code you will notice that there is no silent
> truncation of lines.

Werner, go and read it: It says "any data structure", not "just line lengths". I am sure you already know that, but why this disingenuous comment about line lengths? This bug report is not about line lengths, but about arbitrary limits.

You have provided zero evidence in favour of not fixing this bug, but instead only strawmen and misleading arguments.

I can only conclude that you do not want to fix this bug, keeping keysizes in gnupg arbitrarily low for your own private reasons.

--
Marc Lehmann
schm...@schmorp.de
Deliantra, the free code+content MORPG
http://www.deliantra.net