On 03/17/2015 08:44 PM, Robert J. Hansen wrote:
> Given that 2.1 introduces a lot of new capabilities (mostly with respect to ECC), I think now, early on in the 2.1 series, would be a good time to discuss changing the defaults for newly-generated certificates.

Some of the defaults you propose are already there. If I look at a freshly generated key pair with GnuPG 2.1, the default preferred algorithms are:

    Cipher: AES256, AES192, AES, 3DES
    Digest: SHA256, SHA384, SHA512, SHA224, SHA1

So, AES256 is already the default symmetric cipher (CAST5 and IDEA are not even in the list and must both be explicitly requested by the user), and SHA256 is already the default hash algorithm.

> * Use SHA256 for RSA-3072/-4096 signatures and SHA512 for Brainpool-512

Do you mean signatures in general, or key signatures (certifications)? For key signatures, SHA-1 is still the default for RSA keys, but signatures on (EC)DSA keys will use up to SHA-512 depending on the key size (SHA-256 for a Brainpool-256 key, SHA-512 for a BrainpoolP512 key).
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
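
The following is an added example, not part of the original message or of GnuPG: a small audit that reads `gpg --list-packets` text, resolves the preference lists quoted above into algorithm names, and reports user ID certifications made with SHA-1 or MD5. The sample listing and key IDs are constructed, and the line layout it matches is assumed from GnuPG's packet dump and may differ between versions.

```python
import re

# OpenPGP algorithm IDs (RFC 4880, sections 9.2 and 9.4)
CIPHERS = {1: "IDEA", 2: "3DES", 3: "CAST5", 4: "BLOWFISH",
           7: "AES", 8: "AES192", 9: "AES256", 10: "TWOFISH"}
DIGESTS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160",
           8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
CERT_CLASSES = {0x10, 0x11, 0x12, 0x13}  # certifications of a user ID
PREFS = (("ciphers", "pref-sym-algos", CIPHERS),
         ("hashes", "pref-hash-algos", DIGESTS))

# Constructed sample (placeholder key IDs): one SHA-256 self-signature
# carrying preferences, one SHA-1 certification by another key.
SAMPLE = """\
:signature packet: algo 1, keyid 0123456789ABCDEF
\tversion 4, created 1426622640, md5len 0, sigclass 0x13
\tdigest algo 8, begin of digest 12 34
\thashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 2)
\thashed subpkt 21 len 5 (pref-hash-algos: 8 9 10 11 2)
:signature packet: algo 1, keyid FEDCBA9876543210
\tversion 4, created 1426622700, md5len 0, sigclass 0x10
\tdigest algo 2, begin of digest ab cd
"""

def audit(listing):
    """Return one dict per signature packet, with algorithm names resolved."""
    sigs, cur = [], None
    for raw in listing.splitlines():
        line = raw.strip()
        if line.startswith(":"):  # any new packet ends the previous one
            cur = None
            if m := re.match(r":signature packet: algo \d+, keyid (\w+)", line):
                cur = {"keyid": m.group(1), "sigclass": None,
                       "digest": None, "ciphers": [], "hashes": []}
                sigs.append(cur)
            continue
        if cur is None:
            continue
        if m := re.search(r"sigclass 0x([0-9a-fA-F]+)", line):
            cur["sigclass"] = int(m.group(1), 16)
        if m := re.search(r"digest algo (\d+)", line):
            cur["digest"] = DIGESTS.get(int(m.group(1)), "id " + m.group(1))
        for key, field, table in PREFS:
            if m := re.search(field + r": ([\d ]+)", line):
                cur[key] = [table.get(int(n), "id " + n) for n in m.group(1).split()]
    return sigs

def weak_certifications(sigs):
    """Key IDs of issuers whose user ID certifications use MD5 or SHA-1."""
    return [s["keyid"] for s in sigs
            if s["sigclass"] in CERT_CLASSES and s["digest"] in ("MD5", "SHA1")]
```

To run it on a real key, pass the output of `gpg --export KEYID | gpg --list-packets` to `audit()` in place of `SAMPLE`.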