I think that excluding 128-bit keys is not a good idea, because with EC ElGamal encryption (PK encryption with the shortest possible public key) that is the practical symmetric key size. Session keys that are longer than log2 of the cyclic group order used for ElGamal encryption do not provide any additional security at all. There is also a multi-prime RSA variant (currently not supported by OpenPGP but I might recommend it for V5) in which it is not practical to use 256-bit session keys for encryption.

Regards,
-- Daniel