gpg4win expired code signing cert; please renew.

Robert J. Hansen rjh at sixdemonbag.org
Thu Oct 16 06:55:14 CEST 2025


> I am remotely/anonymously urging a GnuPG newbie to install gpg4win 5 
> beta[1] with post-quantum encryption; everyone should use PQC 
> *yesterday*.[2]

This is an extreme position. It is also silly. No, everyone does not
need to switch immediately to PQC. If you want to play around with it,
feel free: if you have really unusual requirements necessitating Kyber,
go for it: but please don't think it's recommended or a best practice.
It's neither.

NSA isn't requiring their vendors to switch away from RSA-3072 for TOP
SECRET data until 2030.[1] Given the default period of classification
for TOP SECRET is 25 years, we can conclude NSA believes RSA-3072 will
be suitable for protecting TOP SECRET data until 2055.

People who need beyond-30-year security do exist, and they would be
well-served to adopt PQC now. People who need to protect data of
comparable value to national security secrets should prepare to migrate
to PQC within the next few years. Everybody else is well-served by
remaining still and not panicking. The sky is not falling, no matter
what some people may say.

As the (out-of-date, but still relevant here) FAQ says, "Almost every
question in either the fields of computer security or cryptography can
honestly be answered with, 'it depends.' Real experts will avoid giving
blanket yes-or-no answers except to the simplest and most routine of
questions. They will instead hem and haw and explain the several
different factors that must be weighed."[2]

[1] Technically, different communication requirements have different
switch-by dates. The earliest ones occur in 2030, the latest occur in
2033. When the switch-by date occurs, legacy CNSA-1.0 algorithms like
RSA-3072 must be phased out in favor of quantum-resistant alternatives
like ML-KEM (formerly called "Kyber") and ML-DSA (formerly called 
"Dilithium"). See, e.g.:

https://media.defense.gov/2025/May/30/2003728741/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS.PDF

[2] https://gnupg.org/faq/gnupg-faq.html , section 4.2
