Change the recommended key size recommendation for RSA from 4096 bits
to 2048 bits. Use of larger keys is unjustified due to negligible gain
in security, and recommending RSA-4096 unnecessarily resulted
in developers replacing their RSA-2048 keys for no good reason.
---
glep-0063.rst | 18 +++++++++++++++---
1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/glep-0063.rst b/glep-0063.rst
index 0082edd..f1512b3 100644
--- a/glep-0063.rst
+++ b/glep-0063.rst
@@ -6,7 +6,7 @@ Author: Robin H. Johnson <robb...@gentoo.org>,
Marissa Fischer <blogtodif...@gmail.com>
Type: Standards Track
Status: Final
-Version: 1
+Version: 1.1
Created: 2013-02-18
Last-Modified: 2018-07-02
Post-History: 2013-11-10
@@ -24,6 +24,15 @@ Abstract
This GLEP provides both a minimum requirement and a recommended set of
OpenPGP key management policies for the Gentoo Linux distribution.
+Changes
+=======
+
+v1.1
+ The recommended RSA key size has been changed from 4096 bits
+ to 2048 bits to match the GnuPG recommendations [#GNUPG-FAQ-11-4]_.
+ The larger recommendation was unjustified and resulted in people
+ unnecessarily replacing their RSA-2048 keys.
+
Motivation
==========
@@ -101,7 +110,7 @@ Recommendations
# when making an OpenPGP certification, use a stronger digest than the
default SHA1:
cert-digest-algo SHA256
-2. Root key type RSA, 4096 bits (OpenPGP v4 key format or later)
+2. Root key type RSA, 2048 bits (OpenPGP v4 key format or later)
This may require creating an entirely new key.
@@ -109,7 +118,7 @@ Recommendations
a. DSA 2048 bits exactly.
- b. RSA 4096 bits exactly.
+ b. RSA 2048 bits exactly.
4. Key expiry:
@@ -162,6 +171,9 @@ Much of the above was driven by the following:
References
==========
+.. [#GNUPG-FAQ-11-4] GnuPG FAQ: Why doesn’t GnuPG default to using RSA-4096?
+ (https://www.gnupg.org/faq/gnupg-faq.html#no_default_of_rsa4096)
+
.. [#DEBIANGPG] Debian GPG documentation
(https://wiki.debian.org/Keysigning)
--
2.18.0
