> Ah, yes... the fetish of equinonecroflagellation. It has a strikingly common
> rate of incidence with maxicryptosizism...

Although I'm going to be (almost wholly) agreeing with John here, I'm speaking just for myself. If anyone wants to chime in with a "d'accord," that's on them. :)

What gets me about the RSA-2048/-3072/-4096 debate is how (largely) pointless it is. Per NIST, RSA-2048 has about a 112-bit effective keyspace and -3072 has about a 128-bit effective keyspace. There is no official NIST recommendation for RSA-4096, but the cryppies I've spoken with at conferences ballpark it at somewhere around 140 bits of effective keyspace.

Now for the kicker: *no one* is guaranteed more than 112 bits of effective keyspace in the emails they receive. No one. Even if you use a hacked-up GnuPG and RSA-16384, you're deluding yourself if you think you're guaranteed your emails will have an effective keyspace of 256 bits.

The reason why is four letters long: 3DES. 3DES, which is an always-accept algorithm, has a keyspace of 112 bits[*]. Someone can use your RSA-16384 key with 3DES and bam, the effective protection of your email is down to 112 bits.

So in a very real sense, anything past RSA-2048 is at best a "you *might* get some additional security, depending on what symmetric algorithm your correspondent uses. Oh, and you can't forbid your correspondent from using 3DES, either."

I think it's funny how the people who advocate moving to RSA-4096 by default generally don't talk much about how it is impossible to guarantee more than 112 bits of effective encryption keyspace for an email message. Will it give you a stronger signature? Maybe. But it very possibly won't give you any stronger encryption.

Now, this isn't to say there's no purpose in RSA-3072 or -4096. Some organizations have requirements that say "any encryption key we use must provide 128 effective bits of keyspace." In that case, if them's the rules, then sure, use RSA-3072, it meets your requirements. But for the people who advocate "let's shift to RSA-4096, it gives us about an effective 32 bits more than RSA-2048!", well... I really wish they'd talk about the drawbacks (can't use on a smartcard, may cause problems for mobile devices, etc.) and the inherent limitations of OpenPGP (can't guarantee more than 112 effective bits of encryption keyspace).

So, in summation: I think the RSA-2048/-3072/-4096 debate is utterly pointless. To the extent I have any strong feelings on it at all, it is this: you are less likely to delude yourself about the strength of the system if you use RSA-2048.

[*] ... against an adversary with access to more computing power than is likely to ever exist in the world, true; but 112 bits nevertheless.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
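
Added illustration, not part of the original message: a small model of the argument above, in which the cipher set open to a sender always contains 3DES (RFC 4880 section 13.2 places it tacitly at the end of every preference list), so the guaranteed strength is the minimum over that set. Function names are hypothetical, the bit figures are the ones quoted in the message (the RSA-4096 value is its ballpark, not a NIST number), and the CAST5/AES entries use nominal key sizes as an assumption.

```python
# Added illustration: hypothetical names; bit figures are those quoted in the message.
ASYM_BITS = {2048: 112, 3072: 128, 4096: 140}  # 4096: the message's ballpark, not NIST
SYM_BITS = {"3DES": 112, "CAST5": 128, "AES128": 128, "AES192": 192, "AES256": 256}


def permitted_ciphers(pref_lists):
    """Ciphers a sender may pick when encrypting to every listed recipient.

    RFC 4880 section 13.2: 3DES is tacitly at the end of every preference
    list, so it survives any intersection and can never be excluded.
    """
    common = set(SYM_BITS)
    for prefs in pref_lists:
        common &= set(prefs) | {"3DES"}
    return common


def effective_bits(rsa_bits, cipher):
    """A message is only as strong as the weaker of key and session cipher."""
    return min(ASYM_BITS[rsa_bits], SYM_BITS[cipher])


def strength_range(rsa_bits, pref_lists):
    """(guaranteed, best case) effective bits over every cipher a sender may use."""
    bits = [effective_bits(rsa_bits, c) for c in permitted_ciphers(pref_lists)]
    return min(bits), max(bits)


if __name__ == "__main__":
    # Constructed sample: a key owner who lists only AES-256 and AES-192.
    prefs = [["AES256", "AES192"]]
    for size in sorted(ASYM_BITS):
        low, high = strength_range(size, prefs)
        print(f"RSA-{size}: guaranteed {low} bits, best case {high} bits")
```

The guaranteed figure stays at 112 for every key size; only the best case moves with the RSA modulus.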