list of OpenPGP implementations [was: Re: Changing GPG's default key type?]

David Shaw dshaw at jabberwocky.com
Fri Jul 31 06:22:52 CEST 2009


On Jul 30, 2009, at 10:06 PM, Robert J. Hansen wrote:

>> Is that an example of a potential problem implementation?  Note  
>> that the McAfee product does support RSA (not surprising, given its  
>> ancestry).
>
> I don't know.
>
> There are a wide number of implementations with various degrees of  
> conformance, RFC4880 is fairly new and there's no guarantee vendors  
> have caught up with it, old systems continue to be used despite our  
> wishes (look at how many 6.5.8 users are out there), and so forth  
> and so forth.

RSA was not added in RFC-4880.  It dates back to PGP 5 (1997-ish), and  
was first formalized (in the RFC sense) in RFC-2440 in 1998.  It's  
been in an RFC for 10+ years now.  Of course, it's been optional for  
all that time as well.

Your comment is similar to the logic that we used when deciding about  
making RSA the new default key type: DSA-1024 wasn't cutting it  
any longer for both length reasons and also the inability to use  
larger hashes as it is locked to 160 bits (SHA-1 / RIPEMD160).  The  
two best options we saw were either DSA2 by default (required by the  
spec, but only added in RFC-4880 and so not as widely supported as  
RSA), or RSA (not required by the spec, but very widely supported).  A  
major reason we didn't choose DSA2 was because it wasn't widely  
supported enough.  It turned out later that the PGP people made the  
same decision for their product, and I actually found one product that  
supports RSA but not DSA (yes, I know that makes them noncompliant,  
but nevertheless they do exist).

Security (actually most things in engineering) is about balancing  
various competing interests and issues.  Personally, I weigh the  
ability to use a larger key with a larger hash more than I do the  
knowledge that I might find some implementation that doesn't like my  
key someday (I haven't actually found such an implementation yet, but  
such an implementation could be written and be perfectly OpenPGP  
compliant).  Others may not weigh things the same way, and GnuPG  
serves them as well - they can create whatever key type works for  
their particular balance.

Incidentally, a nice side benefit of RSA is the ability to store a key  
on a smartcard.  I wasn't a major fan of the previous generation of  
cards as you couldn't easily carry it with you unless you knew you had  
a smartcard reader where you were going.  The new cards can be punched  
for use in a SIM type reader, so the card plus the reader is the same  
size as a USB "thumb drive" stick.  The smaller form factor makes a  
dramatic improvement in the user experience for me.

David
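
To find keys affected by the trade-off discussed in this message, the following added example (not part of the original post and not GnuPG code) classifies keys from `gpg --list-keys --with-colons` output. The sample listing, key IDs and function names are constructed for illustration.

```python
# Added example: audit gpg colon-format output for the key types discussed
# in the message. SAMPLE is constructed; the key IDs are not real keys.
SAMPLE = """\
tru::1:1248990000:0:3:1:5
pub:u:1024:17:AAAAAAAAAAAAAAAA:1100000000:::u:::scESC:
uid:u::::1100000000::0000::Constructed DSA User <dsa@example.org>:
sub:u:2048:16:BBBBBBBBBBBBBBBB:1100000000::::::e:
pub:u:3072:17:CCCCCCCCCCCCCCCC:1240000000:::u:::scESC:
sub:u:3072:16:DDDDDDDDDDDDDDDD:1240000000::::::e:
pub:u:2048:1:EEEEEEEEEEEEEEEE:1248000000:::u:::scESC:
sub:u:2048:1:FFFFFFFFFFFFFFFF:1248000000::::::e:
"""

# OpenPGP public-key algorithm IDs (RFC 4880, section 9.1).
RSA_IDS = {1, 2, 3}
ELGAMAL_ID = 16
DSA_ID = 17


def classify(algo, bits):
    """Map an algorithm ID and key length to the categories in the message."""
    if algo == DSA_ID and bits <= 1024:
        return "dsa-1024"  # signatures limited to 160-bit hashes
    if algo == DSA_ID:
        return "dsa2"      # needs an implementation that supports larger DSA keys
    if algo in RSA_IDS:
        return "rsa"
    return "elgamal" if algo == ELGAMAL_ID else "other"


def audit(colon_output):
    """Return (record, key_id, bits, category) for each pub/sub record."""
    findings = []
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub") or len(f) < 5:
            continue  # skip uid, tru and other record types
        try:
            bits, algo = int(f[2]), int(f[3])  # field 3: length, field 4: algorithm
        except ValueError:
            continue  # malformed record: ignore rather than guess
        findings.append((f[0], f[4], bits, classify(algo, bits)))
    return findings


def primaries_to_replace(colon_output):
    """Key IDs of primary (signing) keys that are still DSA-1024."""
    return [kid for rec, kid, _bits, kind in audit(colon_output)
            if rec == "pub" and kind == "dsa-1024"]
```

On a real keyring, pass the captured output of `gpg --list-keys --with-colons` to `audit()` in place of `SAMPLE`.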



