mirror of
git://git.gnupg.org/gnupg.git
synced 2024-06-07 23:27:48 +02:00
gpg: default to 3072-bit RSA keys.
* agent/command.c (hlp_genkey): update help text to suggest the use of 3072 bits. * doc/wks.texi: Make example match default generation. * g10/keygen.c (DEFAULT_STD_KEY_PARAM): update to rsa3072/cert,sign+rsa3072/encr, and fix neighboring comment, (gen_rsa, get_keysize_range): update default from 2048 to 3072). * g10/keyid.c (pubkey_string): update comment so that first example is the default 3072-bit RSA. -- 3072-bit RSA is widely considered to be 128-bit-equivalent security. This is a sensible default in 2017. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> Gbp-Pq: Topic update-defaults Gbp-Pq: Name 0015-gpg-default-to-3072-bit-RSA-keys.patch
This commit is contained in:
parent
7955262151
commit
909fbca196
|
@ -874,7 +874,7 @@ static const char hlp_genkey[] =
|
||||||
"\n"
|
"\n"
|
||||||
" C: GENKEY\n"
|
" C: GENKEY\n"
|
||||||
" S: INQUIRE KEYPARAM\n"
|
" S: INQUIRE KEYPARAM\n"
|
||||||
" C: D (genkey (rsa (nbits 2048)))\n"
|
" C: D (genkey (rsa (nbits 3072)))\n"
|
||||||
" C: END\n"
|
" C: END\n"
|
||||||
" S: D (public-key\n"
|
" S: D (public-key\n"
|
||||||
" S: D (rsa (n 326487324683264) (e 10001)))\n"
|
" S: D (rsa (n 326487324683264) (e 10001)))\n"
|
||||||
|
|
|
@ -301,11 +301,11 @@ the submission address:
|
||||||
The output of the last command looks similar to this:
|
The output of the last command looks similar to this:
|
||||||
|
|
||||||
@example
|
@example
|
||||||
sec rsa2048 2016-08-30 [SC]
|
sec rsa3072 2016-08-30 [SC]
|
||||||
C0FCF8642D830C53246211400346653590B3795B
|
C0FCF8642D830C53246211400346653590B3795B
|
||||||
uid [ultimate] key-submission@@example.net
|
uid [ultimate] key-submission@@example.net
|
||||||
bxzcxpxk8h87z1k7bzk86xn5aj47intu@@example.net
|
bxzcxpxk8h87z1k7bzk86xn5aj47intu@@example.net
|
||||||
ssb rsa2048 2016-08-30 [E]
|
ssb rsa3072 2016-08-30 [E]
|
||||||
@end example
|
@end example
|
||||||
|
|
||||||
Take the hash of the string "key-submission", which is
|
Take the hash of the string "key-submission", which is
|
||||||
|
|
|
@ -46,11 +46,10 @@
|
||||||
#include "../common/mbox-util.h"
|
#include "../common/mbox-util.h"
|
||||||
|
|
||||||
|
|
||||||
/* The default algorithms. If you change them remember to change them
|
/* The default algorithms. If you change them, you should ensure the value
|
||||||
also in gpg.c:gpgconf_list. You should also check that the value
|
|
||||||
is inside the bounds enforced by ask_keysize and gen_xxx. See also
|
is inside the bounds enforced by ask_keysize and gen_xxx. See also
|
||||||
get_keysize_range which encodes the allowed ranges. */
|
get_keysize_range which encodes the allowed ranges. */
|
||||||
#define DEFAULT_STD_KEY_PARAM "rsa2048/cert,sign+rsa2048/encr"
|
#define DEFAULT_STD_KEY_PARAM "rsa3072/cert,sign+rsa3072/encr"
|
||||||
#define FUTURE_STD_KEY_PARAM "ed25519/cert,sign+cv25519/encr"
|
#define FUTURE_STD_KEY_PARAM "ed25519/cert,sign+cv25519/encr"
|
||||||
|
|
||||||
/* When generating keys using the streamlined key generation dialog,
|
/* When generating keys using the streamlined key generation dialog,
|
||||||
|
@ -1623,7 +1622,7 @@ gen_rsa (int algo, unsigned int nbits, KBNODE pub_root,
|
||||||
|
|
||||||
if (nbits < 1024)
|
if (nbits < 1024)
|
||||||
{
|
{
|
||||||
nbits = 2048;
|
nbits = 3072;
|
||||||
log_info (_("keysize invalid; using %u bits\n"), nbits );
|
log_info (_("keysize invalid; using %u bits\n"), nbits );
|
||||||
}
|
}
|
||||||
else if (nbits > maxsize)
|
else if (nbits > maxsize)
|
||||||
|
@ -2092,7 +2091,7 @@ get_keysize_range (int algo, unsigned int *min, unsigned int *max)
|
||||||
default:
|
default:
|
||||||
*min = opt.compliance == CO_DE_VS ? 2048: 1024;
|
*min = opt.compliance == CO_DE_VS ? 2048: 1024;
|
||||||
*max = 4096;
|
*max = 4096;
|
||||||
def = 2048;
|
def = 3072;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -73,7 +73,7 @@ pubkey_letter( int algo )
|
||||||
is copied to the supplied buffer up a length of BUFSIZE-1.
|
is copied to the supplied buffer up a length of BUFSIZE-1.
|
||||||
Examples for the output are:
|
Examples for the output are:
|
||||||
|
|
||||||
"rsa2048" - RSA with 2048 bit
|
"rsa3072" - RSA with 3072 bit
|
||||||
"elg1024" - Elgamal with 1024 bit
|
"elg1024" - Elgamal with 1024 bit
|
||||||
"ed25519" - ECC using the curve Ed25519.
|
"ed25519" - ECC using the curve Ed25519.
|
||||||
"E_1.2.3.4" - ECC using the unsupported curve with OID "1.2.3.4".
|
"E_1.2.3.4" - ECC using the unsupported curve with OID "1.2.3.4".
|
||||||
|
@ -83,7 +83,7 @@ pubkey_letter( int algo )
|
||||||
If the option --legacy-list-mode is active, the output use the
|
If the option --legacy-list-mode is active, the output use the
|
||||||
legacy format:
|
legacy format:
|
||||||
|
|
||||||
"2048R" - RSA with 2048 bit
|
"3072R" - RSA with 3072 bit
|
||||||
"1024g" - Elgamal with 1024 bit
|
"1024g" - Elgamal with 1024 bit
|
||||||
"256E" - ECDSA using a curve with 256 bit
|
"256E" - ECDSA using a curve with 256 bit
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue
Block a user