SSH Agent keys >4096 bit?

Peter Lebbing peter at digitalbrains.com
Sat May 5 13:09:48 CEST 2012


On 05/05/12 12:49, Milo wrote:
> 1) You are responding to citation regarding symmetric crypto with
> widely used key length.

Well, it's not my fault someone else went off-topic, is it? If you are
here to persuade the GnuPG authors to include AES256 you're too late.

I think you can perfectly discern what message I was intending to get
across.

> 2) Proponents of approach you are commenting on gave some arguments
> here already. If not sure check thread and other sources.

I am very well aware of that. They don't convince, because they don't
tackle the problem of the weakest link.

>>> One more time - this is not up to you or software authors to
>>> decide what's the value behind encrypted data. Even if reason of
>>> encrypting it is silly.
>> 
>> I don't think it's up to you to decide that the GnuPG authors need
>> to officially support something they find silly.
> 
> This is open discussion about free software's value and (expected by 
> some) functionality. Discussion and judging on value of private data
> is something totally different you know.

Please read these three quotes again carefully. You are saying you
yourself are off-topic; discussing something totally different. I agree.

> I'm not forgetting about this. But you are forgetting you are using 
> symmetric crypto with 256-bit key length (e.g. HTTPS) and you don't
> have any problem with this "security overkill" (but yes - symmetric
> ciphers are computationally cheaper to use).

GnuPG should include 8k RSA because I didn't go through the trouble of
disabling AES256 in my browser, risking breakage when an oddball
webserver administrator disables all algorithms but AES256?

You also indicate yourself where this goes askew: RSA 8k is immensely
more CPU intensive than AES256 v AES128.

>> It's an interesting take on things, that the GnuPG authors somehow
>> think your data must be invaluable, because they don't offer 8k
>> RSA.
> 
> This is your flawed conclusion.

I was replying to:
>> One more time - this is not up to you or software authors to decide
>> what's the value behind encrypted data.

I read that as: GnuPG authors decide your data is not valuable enough
for RSA 8k. I'm unsure how else to read it, but it certainly isn't /my/
conclusion, it's what I read as /your/ conclusion. Please don't make it
my conclusion, I would have to severely disagree with myself, and I hate
it when that happens.

A large error I made: I wrote invaluable when I meant not valuable at
all. Is this the source of the confusion?

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt


