FSFE smart card and 4096 bit keys?

Daniel Pocock daniel at pocock.com.au
Sun Oct 7 15:12:56 UTC 2012



On 07/10/12 16:47, Werner Koch wrote:
> On Sun,  7 Oct 2012 13:59, daniel at pocock.com.au said:
> 
>> Under s1.1, it suggests the OpenPGP card only has 1024 bit RSA, which
> 
> These cards have not been distributed for some years now.  The current
> card (Fellowship card or those from kernelconcepts) support 4096 bit
> RSA.  However, they are advertised with a limit of 3072, because only
> recent versions of GnuPG can cope with more than 3072 bits.

Debian 6 has 1.4.10-4
Debian 7 has 1.4.12-4+b1

Both of those versions are happy to work with 4096 bit keys in normal
keyring files and signatures (but not on smart cards).

Apparently v2.0.18 adds the 4096 bit key support for OpenPGP cards, and
it has been around for 12 months now:
http://lists.gnupg.org/pipermail/gnupg-announce/2011q3/000312.html

> However, I don't see any reason why one should use more than 2048 bit
> with the card.  Are you sure the OS and code of the card is secure and
> reliable enough to hold up with the security expectations of a larger
> key?  I am not.

Debian recommends 4096 bit RSA as the default for any newly created PGP
keys.  CACert.org also signs 4096 bit certs.  I realise there are many
other security factors to consider.  Just for convenience, I would
prefer to avoid creating 2048 bit keys and then later having to change
them to 4096 bit.

https://lists.debian.org/debian-devel-announce/2010/09/msg00003.html



