Bodo Moeller wrote:
Of course arguably 128 bits are by far enough so that you don't really
have to worry about anything of this -- unless you think that quantum
attacks might become realistic.

I think that we are all in violent agreement that 128-bit key lengths
are likely sufficient, and that both AES-128 and AES-256 are likely to
be the strongest link in the OpenPGP chain. I was only trying to refute
the argument that AES-128 is likely to be stronger than AES-256; this
isn't a persuasive argument. The answer to the question, "why not use
AES-256," is, "because AES-128 is sufficient," *not*, "because AES-128
is stronger." However, since this question comes up *so* frequently, I
am tempted to concur with Ross Anderson and argue that we should simply
always use AES-256.

WRT Werner's comment, I agree that gathering entropy is a problem.
However, a known problem with many entropy gathering daemons is that
they overestimate the entropy they have gathered. Ross Anderson makes
the argument, and I agree, that using a 256-bit key allows the user to
hope that if the EGD overestimates entropy by a factor of two, then one
still has 128 bits of entropy in his 256-bit key. This is obviously a
hack, and the preferred solution would be to fix the EGD.
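The "factor of two" argument above, worked through as an added Python illustration (not code from the thread or from any OpenPGP implementation): a constructed entropy source is credited 1 bit per sample by a hypothetical daemon, but each sample is a biased coin whose true min-entropy is only 0.5 bits. The daemon stops gathering once it has credited as many bits as the key is long, so a 256-bit key ends up with about 128 bits of real entropy while a 128-bit key filled the same way ends up with about 64. The bias value, the hashing step and the helper names are all assumptions made for the example.

```python
import hashlib
import math
import random
from typing import List

# Assumption for the illustration: the daemon credits one full bit of
# entropy for every sample it collects, regardless of the sample's bias.
CLAIMED_BITS_PER_SAMPLE = 1.0


def min_entropy_per_sample(p_max: float) -> float:
    """Min-entropy, in bits, of one sample whose most likely value has
    probability p_max. This is the conservative measure a key-derivation
    argument should use, not Shannon entropy."""
    return -math.log2(p_max)


def overestimate_factor(p_max: float) -> float:
    """How far the daemon's per-sample credit exceeds the true min-entropy."""
    return CLAIMED_BITS_PER_SAMPLE / min_entropy_per_sample(p_max)


def effective_key_bits(key_bits: int, p_max: float) -> float:
    """Security a key really has when the pool was filled only until the
    daemon had *credited* key_bits: true min-entropy gathered, capped at
    the key length (hashing cannot create entropy beyond what went in)."""
    samples_gathered = key_bits / CLAIMED_BITS_PER_SAMPLE
    true_bits = samples_gathered * min_entropy_per_sample(p_max)
    return min(float(key_bits), true_bits)


def biased_samples(n: int, p_max: float, rng: random.Random) -> List[int]:
    """Constructed biased source: emits 1 with probability p_max, else 0."""
    return [1 if rng.random() < p_max else 0 for _ in range(n)]


def empirical_p_max(samples: List[int]) -> float:
    """Observed probability of the more frequent symbol in a sample run."""
    ones = sum(samples)
    return max(ones, len(samples) - ones) / len(samples)


def derive_key(samples: List[int], key_bits: int) -> bytes:
    """Condense the raw samples into a key of key_bits with SHA-256 and
    truncate; the output looks uniform even when the input was not."""
    digest = hashlib.sha256(bytes(samples)).digest()
    return digest[: key_bits // 8]


if __name__ == "__main__":
    # p_max = 2^-0.5 gives exactly 0.5 bits of min-entropy per sample,
    # i.e. the daemon overestimates by a factor of two.
    p = 2 ** -0.5
    rng = random.Random(1234)  # fixed seed so the demonstration repeats
    print(f"overestimate factor: {overestimate_factor(p):.2f}")
    for key_bits in (128, 256):
        run = biased_samples(key_bits, p, rng)
        key = derive_key(run, key_bits)
        print(f"{key_bits}-bit key: observed p_max={empirical_p_max(run):.2f}, "
              f"effective strength ~{effective_key_bits(key_bits, p):.0f} bits, "
              f"key={key.hex()}")
```

The derived key bytes look perfectly random in either case, which is exactly why an overestimating daemon is hard to notice from the outside; the only defence is to account for min-entropy honestly at the source, which is the "fix the EGD" option the message prefers.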