[Top] [All Lists]

Re: RFC: DSA key lengths; Elgamal type 16 v. type 20

2002-08-26 15:35:14

On 8/26/02 1:56 PM, "Len Sassaman" <rabbi(_at_)abditum(_dot_)com> wrote:

I think Brian is right, though. While DSS (in FIPS 186 and ANSI X9.30)
mandates SHA-1 and limits p to 1024 bits, OpenPGP is specifying DSA, not

I think quibbling over the differences between DSS and DSA is as productive
as quibbling over the differences between DES and DEA. I have heard it
asserted that 3DES should actually be called 3DEA because the process of
tripling is violates the standard. Whatever. We all know what it means.

We need to figure out what the smart thing to do is, and if I need to edit
an S into an A or vice-versa, it's trivial to do that.

However, I want to quit tweaking and get a new RFC number on it.

I understand DSA to be limited to 1024 bits when using a 160 bit hash.
Using a larger hash would allow for larger key sizes. There has been some
speculation that a revised DSS may be specified by NIST using the new
larger SHA hashes. Should we anticipate this and add the new SHAs (at
least SHA-512) to the spec?

We anticipated this as of bis03, August 2000. All the wide SHAs are there.

FWIW, I believe that one of the "ckt" unofficial builds of PGP used larger
DSA keys with "double width SHA1". (I'm surprised, actually, that RFC 2440
even specifies double-width SHA1, since it's my understanding that most
cryptographers are skeptical that double-width SHA1 is any better than
single-width SHA1 for DSA.) Shouldn't wide SHA1 be deprecated in favor of
one of the newer NIST SHAs?

The double-wide SHA work was done pre-2440. It was done pre-me. As I
remember what I was told, it was experimental work done by Colin Plumb and
Derek Atkins, but maybe Hal Finney was involved. In any event, the present
language says, "Reserved for double-width SHA (experimental, obviated)." I
am happy to change that to say merely "Reserved" lest someone get the idea
it is useful. There are also no OIDs for DWSHA.