It may well be that it is only practical to use 1.4x on an
air-gapped device. If 4096-bit RSA is considered sufficiently
resistant to cryptanalysis (i.e., ignoring signing!), can
such keys generated by 1.4x be considered just as secure as
are the equivalent keys generated by 2.xx?

There is no reason to doubt RSA-4096's safety for signing: none whatsoever. The United States National Security Agency has certified RSA-3072 for signing TOP SECRET data until 2030.[1] Given TOP SECRET data has a default classification period of 25 years, that means NSA expects RSA-3072 to be secure until 2055.

Now, to answer your question: there are no known security issues with generating certificates on GnuPG 1.4. But please, please, please, stop using 1.4 already. Switch to the 2.6 series.


[1] https://media.defense.gov/2025/May/30/2003728741/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS.PDF


_______________________________________________
Gnupg-users mailing list
[email protected]
https://lists.gnupg.org/mailman/listinfo/gnupg-users
