Jon sez:
I've been writing up a section on the care needed to select Elgamal keys so
that the resulting signatures are strong. In going through all of this, I
can't help but wonder if it's worth it.
Should we forego Elgamal signatures in the spec and make Elgamal only an
encryption algorithm?
Given the potential pitfalls and the fact that the first version
of openpgp-formats is more a description of interoperability with
existing versions (plus a little) than severe groundbreaking, I'm
inclined to agree with this sentiment.
Since there'll be a follow-on document at some distant point in the
future, that'll even give time for more attacks to mature on various
systems... i.e. we may be smarter in a year or two.
It's a good idea to have dissimilar options for each variable, and
we seem to have that already. The hashing department is the only
one where the main algorithms we're using have very similar structures.
Jim Gillogly