I'd like to nitpick for a second. Section 12.6 states, "Note that present
DSA is limited to a maximum of 1024 bit keys, which are recommended for
long-term use." Actually, it is DSS (the *standard*), not DSA (the
*algorithm*) that is limited to 1024 bits. I'd like to suggest that we
replace that sentence with, "DSA keys SHOULD NOT exceed a size of 1024
bits." This way, we can maintain backwards compatibility and compliance
with DSS, while providing adequate security for people who really want
it. Might I point out that IEEE P1363 allows for DSA keys longer than
1024 bits, so there is precedent in the cryptographic community.

I'd also like to suggest that we deprecate Elgamal type 16 in favor of
Elgamal type 20 combined with key flags. This is exactly what we did with
RSA types 2 and 3. It encourages implementations to implement key flags,
and it will lessen the usage of an encrypt-only type. It still allows
implementations to maintain backwards compatibility, because it does not
remove the type altogether.

Brian M. Carlson <karlsson(_at_)hal-pc(_dot_)org> <http://decoy.wox.org/~bmc>
I will make you shorter by the head.
-- Elizabeth I