-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
One issue, of course, is that RSA is not a required key type in
OpenPGP, so there could be some implementation out there that won't
be able to handle it. I'm not terribly concerned about this, as in
practice, the vast majority of code has handled RSA just fine for
the past decade, and if a particular user needs to generate a non-
RSA key, they can still do so.
There are a few other details (RSA signatures are physically larger,
etc), but I believe they are outweighed by the benefit of the larger
key and additional hash flexibility.
PGP does precisely this now. The default you'll get when creating a
new key is RSA 2048.
I'll invoke Jeff Schiller in this as well. The DSA/Elgamal keys are
mandatory to implement. Mandatory to implement does not mean mandatory
to use. It would be perfectly reasonable to make an RSA-only system
that merely didn't hork up a hairball when it found a DSA key.
Many X.509 systems are like this too -- DSA is the mandatory-to-
implement, but it's not clear that anyone has ever created a DSA
certificate outside of interop testing. I'm sure someone can find some
example that proves me literally wrong on that, but figuratively right.
These days, I see the effective -- ummm, I'm looking for the right
word, I don't want to say "deprecate" -- minimization of integer
discrete log. The world is pretty much integer RSA, and moving to
elliptic curve discrete log.
Jon
-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 2.6.3
Charset: US-ASCII
wj8DBQFJ/3mRsTedWZOD3gYRAvnSAJ930wrrwBfdtMQR7u45vOXhP1nCqQCcCUSb
mmQtr8tYoSe5XMK6ya3Jg5Q=
=JpoU
-----END PGP SIGNATURE-----