mirror of
git://git.gnupg.org/gnupg.git
synced 2025-01-17 14:07:03 +01:00
gpgsm: default to 3072-bit keys.
* doc/gpgsm.texi, doc/howto-create-a-server-cert.texi: : update default to 3072 bits. * sm/certreqgen-ui.c (gpgsm_gencertreq_tty): update default to 3072 bits. * sm/certreqgen.c (proc_parameters): update default to 3072 bits. * sm/gpgsm.c (main): print correct default_pubkey_algo. -- 3072-bit RSA is widely considered to be 128-bit-equivalent security. This is a sensible default in 2017. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> Gbp-Pq: Topic update-defaults Gbp-Pq: Name 0014-gpgsm-default-to-3072-bit-keys.patch (cherry picked from commit 7955262151a5c755814dd23414e6804f79125355)
This commit is contained in:
parent
92e26ade5c
commit
121286d9d1
@ -1082,7 +1082,7 @@ key. The algorithm must be capable of signing. This is a required
|
||||
parameter. The only supported value for @var{algo} is @samp{rsa}.
|
||||
|
||||
@item Key-Length: @var{nbits}
|
||||
The requested length of a generated key in bits. Defaults to 2048.
|
||||
The requested length of a generated key in bits. Defaults to 3072.
|
||||
|
||||
@item Key-Grip: @var{hexstring}
|
||||
This is optional and used to generate a CSR or certificate for an
|
||||
|
@ -31,14 +31,14 @@ Let's continue:
|
||||
|
||||
@cartouche
|
||||
@example
|
||||
What keysize do you want? (2048)
|
||||
Requested keysize is 2048 bits
|
||||
What keysize do you want? (3072)
|
||||
Requested keysize is 3072 bits
|
||||
@end example
|
||||
@end cartouche
|
||||
|
||||
Hitting enter chooses the default RSA key size of 2048 bits. Smaller
|
||||
keys are too weak on the modern Internet. If you choose a larger
|
||||
(stronger) key, your server will need to do more work.
|
||||
Hitting enter chooses the default RSA key size of 3072 bits. Keys
|
||||
smaller than 2048 bits are too weak on the modern Internet. If you
|
||||
choose a larger (stronger) key, your server will need to do more work.
|
||||
|
||||
@cartouche
|
||||
@example
|
||||
@ -124,7 +124,7 @@ request:
|
||||
@example
|
||||
These parameters are used:
|
||||
Key-Type: RSA
|
||||
Key-Length: 2048
|
||||
Key-Length: 3072
|
||||
Key-Usage: sign, encrypt
|
||||
Name-DN: CN=example.com
|
||||
Name-DNS: example.com
|
||||
@ -224,7 +224,7 @@ To see the content of your certificate, you may now enter:
|
||||
aka: (dns-name example.com)
|
||||
aka: (dns-name www.example.com)
|
||||
validity: 2015-07-01 16:20:51 through 2016-07-01 16:20:51
|
||||
key type: 2048 bit RSA
|
||||
key type: 3072 bit RSA
|
||||
key usage: digitalSignature keyEncipherment
|
||||
ext key usage: clientAuth (suggested), serverAuth (suggested), [...]
|
||||
fingerprint: 0F:9C:27:B2:DA:05:5F:CB:33:D8:19:E9:65:B9:4F:BD:B1:98:CC:57
|
||||
|
@ -138,7 +138,7 @@ gpgsm_gencertreq_tty (ctrl_t ctrl, estream_t output_stream)
|
||||
unsigned int nbits;
|
||||
int minbits = 1024;
|
||||
int maxbits = 4096;
|
||||
int defbits = 2048;
|
||||
int defbits = 3072;
|
||||
const char *keyusage;
|
||||
char *subject_name;
|
||||
membuf_t mb_email, mb_dns, mb_uri, mb_result;
|
||||
|
@ -26,7 +26,7 @@
|
||||
$ cat >foo <<EOF
|
||||
%echo Generating a standard key
|
||||
Key-Type: RSA
|
||||
Key-Length: 2048
|
||||
Key-Length: 3072
|
||||
Name-DN: CN=test cert 1,OU=Aegypten Project,O=g10 Code GmbH,L=Ddorf,C=DE
|
||||
Name-Email: joe@foo.bar
|
||||
# Do a commit here, so that we can later print a "done"
|
||||
@ -468,7 +468,7 @@ proc_parameters (ctrl_t ctrl, struct para_data_s *para,
|
||||
/* Check the keylength. NOTE: If you change this make sure that it
|
||||
macthes the gpgconflist item in gpgsm.c */
|
||||
if (!get_parameter (para, pKEYLENGTH, 0))
|
||||
nbits = 2048;
|
||||
nbits = 3072;
|
||||
else
|
||||
nbits = get_parameter_uint (para, pKEYLENGTH);
|
||||
if ((nbits < 1024 || nbits > 4096) && !cardkeyid)
|
||||
|
@ -1800,7 +1800,7 @@ main ( int argc, char **argv)
|
||||
/* The next one is an info only item and should match what
|
||||
proc_parameters actually implements. */
|
||||
es_printf ("default_pubkey_algo:%lu:\"%s:\n", GC_OPT_FLAG_DEFAULT,
|
||||
"RSA-2048");
|
||||
"RSA-3072");
|
||||
es_printf ("compliance:%lu:\"%s:\n", GC_OPT_FLAG_DEFAULT, "gnupg");
|
||||
|
||||
}
|
||||
|
Loading…
x
Reference in New Issue
Block a user