Your message dated Tue, 27 Oct 2015 16:20:29 -0400
with message-id <[email protected]>
and subject line Re: [pkg-gnupg-maint] Bug#800560: gnupg can't create a 
4096-16384 bits length key. The old version can do this.
has caused the Debian Bug report #800560,
regarding gnupg can't create a 4096-16384 bits length key. The old version can 
do this.
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
800560: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=800560
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: gnupg
Version: 1.4.18-7
Severity: important

Dear Maintainer,

gnupg can generate RSA keys up to 16384 bits in length.
In the new version there are some limitations on creating large RSA keys.
Old versions could generate long keys up to 16384 bits.
A limitation of key size is not right and can help the NSA.
If there is some reason for it, a disclaimer should be shown rather than
blocking the program with an error.
Some people may need to generate a large PGP key.
After DataGate it should be possible to generate large keys.

-- System Information:
Debian Release: 8.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=it_IT.utf8, LC_CTYPE=it_IT.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gnupg depends on:
ii  gpgv          1.4.18-7
ii  libbz2-1.0    1.0.6-7+b3
ii  libc6         2.19-18
ii  libreadline6  6.3-8+b3
ii  libusb-0.1-4  2:0.1.12-25
ii  zlib1g        1:1.2.8.dfsg-2+b1

Versions of packages gnupg recommends:
pn  gnupg-curl     <none>
ii  libldap-2.4-2  2.4.40+dfsg-1

Versions of packages gnupg suggests:
pn  gnupg-doc     <none>
ii  imagemagick   8:6.8.9.9-5
ii  libpcsclite1  1.8.13-1
pn  parcimonie    <none>

-- no debconf information

--- End Message ---
--- Begin Message ---
Control: severity 800560 normal

On Wed 2015-09-30 17:32:36 -0400, Gionatan Vianello wrote:
> Package: gnupg
> Version: 1.4.18-7
> Severity: important
>
> gnupg can generate RSA keys up to 16384 bits in length.
> In the new version there are some limitations on creating large RSA keys.
> Old versions could generate long keys up to 16384 bits.
>
> A limitation of key size is not right and can help the NSA.

It's not clear that anyone believes that the NSA is capable of breaking
a 4096-bit RSA key.

With the version of GnuPG that you have installed in stable (as well as
with the version in unstable and in testing) you should already be able
to generate 8192-bit keys in --batch mode (see --enable-large-rsa in
gpg(1) and the section on Unattended Key Generation in
/usr/share/doc/gnupg/DETAILS.gz).

RSA keys that are larger than 8192 bits will be very expensive to use
(even for public key use) and provide little realistic additional
protection -- the defensive advantage against a powerful attacker per
bit falls off as the key sizes increase in RSA.

GnuPG is interested in interoperating with other tools, and generating
extremely large keys is likely to impose costs on those users without
any useful gains for the ecosystem at large.

So i'm closing this bug, because (a) it's actually possible to generate
larger keys already for people who believe they need more than 4096
bits, and (b) there needs to be a limit somewhere to avoid resource
exhaustion, and 8192 seems like a reasonable place for that limit for
RSA.

Regards,

        --dkg

--- End Message ---
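
The reply's argument that the protection gained per added bit falls off as RSA keys grow, while the cost of use keeps rising, can be checked numerically. This is an added example, not part of the thread or of GnuPG; it assumes the best attack is the general number field sieve with its usual heuristic cost (o(1) term dropped) and that private-key operations scale cubically with modulus size, so the figures are rough estimates.

```python
import math

# Constant in the heuristic GNFS running time
# exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)), an assumption of this example.
GNFS_C = (64 / 9) ** (1 / 3)


def gnfs_security_bits(modulus_bits):
    """log2 of the estimated GNFS work to factor a modulus of this size."""
    ln_n = modulus_bits * math.log(2)
    work_ln = GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return work_ln / math.log(2)


def private_op_cost(modulus_bits, baseline_bits=2048):
    """Relative private-key cost, assuming cubic scaling in modulus size."""
    return (modulus_bits / baseline_bits) ** 3


def compare(sizes=(2048, 4096, 8192, 16384)):
    """For each size: estimated strength, strength gained per extra modulus
    bit since the previous size, and relative private-key cost."""
    rows, prev = [], None
    for bits in sizes:
        sec = gnfs_security_bits(bits)
        gain = None if prev is None else (sec - prev[1]) / (bits - prev[0])
        rows.append({
            "bits": bits,
            "security_bits": sec,
            "gain_per_modulus_bit": gain,
            "relative_private_cost": private_op_cost(bits, sizes[0]),
        })
        prev = (bits, sec)
    return rows


if __name__ == "__main__":
    for r in compare():
        gain = r["gain_per_modulus_bit"]
        print("{:>6} bits  ~{:5.1f}-bit work  gain/bit {}  cost x{:.0f}".format(
            r["bits"], r["security_bits"],
            "   -  " if gain is None else "{:.4f}".format(gain),
            r["relative_private_cost"]))
```

Under these assumptions, going from 8192 to 16384 bits makes each private-key operation about eight times more expensive while each added modulus bit buys less estimated attack work than it did in the step from 4096 to 8192.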
