summaryrefslogtreecommitdiffstats
path: root/debian/patches/from-master/gpg-default-to-3072-bit-keys.patch
blob: 59b0b13f7688336a39845fe9d97241c665e0f2bb (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Thu, 7 Sep 2017 18:41:10 -0400
Subject: gpg: default to 3072-bit keys.

* agent/command.c (hlp_genkey): update help text to suggest the use of
3072 bits.
* doc/wks.texi: Make example match default generation.
* g10/keygen.c (gen_elg): update default from 2048 to 3072.
* g10/keyid.c (pubkey_string): update comment so that first example
is the default 3072-bit RSA.

--

3072-bit RSA is widely considered to be 128-bit-equivalent security.
This is a sensible default in 2017.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

(cherry picked from commit 909fbca19678e6e36968607e8a2348381da39d8c)
---
 agent/command.c | 2 +-
 doc/wks.texi    | 4 ++--
 g10/keygen.c    | 2 +-
 g10/keyid.c     | 4 ++--
 4 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/agent/command.c b/agent/command.c
index b682c55..ea65290 100644
--- a/agent/command.c
+++ b/agent/command.c
@@ -843,7 +843,7 @@ static const char hlp_genkey[] =
   "\n"
   "  C: GENKEY\n"
   "  S: INQUIRE KEYPARAM\n"
-  "  C: D (genkey (rsa (nbits  2048)))\n"
+  "  C: D (genkey (rsa (nbits 3072)))\n"
   "  C: END\n"
   "  S: D (public-key\n"
   "  S: D   (rsa (n 326487324683264) (e 10001)))\n"
diff --git a/doc/wks.texi b/doc/wks.texi
index e398ccb..68ed117 100644
--- a/doc/wks.texi
+++ b/doc/wks.texi
@@ -447,10 +447,10 @@ the submission address:
 The output of the last command looks similar to this:
 
 @example
-  sec   rsa2048 2016-08-30 [SC]
+  sec   rsa3072 2016-08-30 [SC]
         C0FCF8642D830C53246211400346653590B3795B
   uid           [ultimate] key-submission@@example.net
-  ssb   rsa2048 2016-08-30 [E]
+  ssb   rsa3072 2016-08-30 [E]
 @end example
 
 Take the fingerprint from that output and manually publish the key:
diff --git a/g10/keygen.c b/g10/keygen.c
index 80d65c4..5b4a785 100644
--- a/g10/keygen.c
+++ b/g10/keygen.c
@@ -1436,7 +1436,7 @@ gen_elg (int algo, unsigned int nbits, KBNODE pub_root,
 
   if (nbits < 1024)
     {
-      nbits = 2048;
+      nbits = 3072;
       log_info (_("keysize invalid; using %u bits\n"), nbits );
     }
   else if (nbits > 4096)
diff --git a/g10/keyid.c b/g10/keyid.c
index 69d85da..2987287 100644
--- a/g10/keyid.c
+++ b/g10/keyid.c
@@ -73,7 +73,7 @@ pubkey_letter( int algo )
    is copied to the supplied buffer up a length of BUFSIZE-1.
    Examples for the output are:
 
-   "rsa2048"  - RSA with 2048 bit
+   "rsa3072"  - RSA with 3072 bit
    "elg1024"  - Elgamal with 1024 bit
    "ed25519"  - ECC using the curve Ed25519.
    "E_1.2.3.4"  - ECC using the unsupported curve with OID "1.2.3.4".
@@ -83,7 +83,7 @@ pubkey_letter( int algo )
    If the option --legacy-list-mode is active, the output use the
    legacy format:
 
-   "2048R" - RSA with 2048 bit
+   "3072R" - RSA with 3072 bit
    "1024g" - Elgamal with 1024 bit
    "256E"  - ECDSA using a curve with 256 bit