Policy For Sunsetting GPG Keys < 2048 Bits

Kees Cook kees at ubuntu.com
Thu Nov 27 17:40:38 UTC 2014

On Thu, Nov 27, 2014 at 10:08:40AM +0100, Martin Pitt wrote:
> Mark Shuttleworth [2014-11-27  9:01 +0000]:
> > Are any of the ECC algorithms widely trusted yet?
> For a simple and short executive answer I'd say "yes".
> TTBOMK there are no solutions to the ECC discrete logarithm which are
> better than the usual exponential brute force; contrary to prime
> factorization (for RSA) where more efficient algorithms are being
> discovered every other year. Some NIST standard curves have a certain
> "NSA influenced" smell, but some standards like ED25519 are generally
> considered trusted.

I'd agree too. As I understand it, the concern with ECC is that there
may be more "weak" values to be discovered, and some people may end up
with poorly chosen keys.

> However, while ssh has supported ECC for a while, ECC support in gnupg
> is *very* new: http://lists.gnupg.org/pipermail/gnupg-announce/2014q4/000358.html
> (from just three weeks ago!)
> We also still use gnupg 1.x by default, so at some point we should
> move to gnupg 2. But at this point I think we are still better off
> with updating our GPG keys to 4096 bit RSA than waiting for this
> transition.

Based on what I know, ECC has higher complexity with lower key sizes,
which is good for resource-constrained situations. Everything being equal,
I still prefer a large RSA key size, since it's better understood.


Kees Cook
