On Fri, Sep 30, 2022 at 02:09:19PM +0200, Cyborg via Exim-users wrote:
> My POV here: "why waiting". Encryption doesn't slow down todays cpus
> anymore as it has 15 years ago, same for a smartphone soc.
Mobile devices have batteries, and large RSA keys have a real packet
size and latency cost. Keys larger than 2048-bits are largely futile.
No plausible classical attack can brute-force them. Various OS packages
are typically signed with 2048-bit keys, transmitted via TLS connections
authenticated with 2048-bit RSA, ...
My take is that 3072-bit RSA and especially 4096-bit RSA is for most
users a fashion statement, rather than a technically sound choice.
--
Viktor.