ietf-openpgp

Re: Comments on draft - Long.

1997-12-05 11:57:28
Peter Gutmann, pgut001(_at_)cs(_dot_)auckland(_dot_)ac(_dot_)nz, writes:
To get around this, you could use Elgamal for signatures (although the current
PGP doesn't support this, the code is commented out).

One word of caution for those who may be tempted to un-comment the ElGamal
signature code in the 5.0 source: there is a security flaw as written.

The problem is not in the signatures per se but in the key generation.
ElGamal signatures require some care in the choice of the generator.
We use a generator of 2 for ElGamal encryption, which is safe for that
purpose, but is not safe for ElGamal signatures.

So before enabling ElGamal signatures, they must change the keygen code.

(I don't know of any reason to use ElGamal signatures in place of DSS
signatures though.)

Hal
