Re: RFC: DSA key lengths; Elgamal type 16 v. type 20

2002-08-26 18:24:36
On Sat, Aug 24, 2002 at 11:47:39PM -0700, Jon Callas wrote:
> On 8/24/02 3:05 PM, "Brian M. Carlson" <karlsson(_at_)hal-pc(_dot_)org> wrote:
>
> > I'd like to nitpick for a second. Section 12.6 states, "Note that present
> > DSA is limited to a maximum of 1024 bit keys, which are recommended for
> > long-term use." Actually, it is DSS (the *standard*), not DSA (the
> > *algorithm*) that is limited to 1024 bits. I'd like to suggest that we
> > replace that sentence with, "DSA keys SHOULD NOT exceed a size of 1024
> > bits." This way, we can maintain backwards compatibility and compliance
> > with DSS, while providing adequate security for people who really want
> > it. Might I point out that IEEE P1363 allows for DSA keys longer than
> > 1024 bits, so there is precedent in the cryptographic community.
>
> So far as I know, DSS or DSA, or whatever, mandates SHA-1. What hash
> algorithm does P1363 use with longer keys? What semantics does it have to go
> with it?

I believe it uses SHA1, because it keeps the size of q the same. You will
have to subscribe to the mailing list to get the password to fetch the

Mailing List:

If it doesn't exist anymore, you can email me and ask for it.

> > I'd also like to suggest that we deprecate Elgamal type 16 in favor of
> > Elgamal type 20 combined with key flags. This is exactly what we did with
> > RSA types 2 and 3. It encourages implementations to implement key flags,
> > and it will lessen the usage of an encrypt-only type. It still allows
> > implementations to maintain backwards compatibility, because it does not
> > remove the type altogether.
>
> Well, there are people who believe that Elgamal signatures should be
> deprecated, and were a mistake to put in the standard to begin with. I think
> it's better to leave it as it is and let gentle persons continue to

My point is not that we enforce the use of Elgamal signatures, but that
we encourage the use of key flags to signal the purpose of the key. I
think sign-only/encrypt-only keys are broken. If someone wants to create
a type 20 key with key flags packet that says it is for encryption only,
then that person should not be required to create that key (rather,
subkey) with the strict additional conditions for signatures. I also
think implementations should accept such keys as they currently accept
type 16 keys (PGP does not, I think).

As an additional benefit, if some implementations just happen to accept
Elgamal signatures, well, ok.

Brian M. Carlson <karlsson(_at_)hal-pc(_dot_)org>
Now hatred is by far the longest pleasure;
Men love in haste, but they detest at leisure.
                -- George Gordon, Lord Byron, "Don Juan"

Attachment: pgpqimUoU0m2p.pgp
Description: PGP signature
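
The key-flags handling proposed in the message above, sketched as an added example (not code from the thread or from any OpenPGP implementation). The algorithm IDs and key-flag bits are the values assigned in the OpenPGP specification; the function names, and the choice to treat a missing key flags subpacket as "everything the algorithm can do", are assumptions made for the illustration.

```python
# Added illustration; names are hypothetical, numeric values are the
# OpenPGP public-key algorithm IDs and key-flag bits.
RSA, RSA_ENCRYPT_ONLY, RSA_SIGN_ONLY = 1, 2, 3
ELGAMAL_ENCRYPT_ONLY, DSA, ELGAMAL = 16, 17, 20

FLAG_CERTIFY, FLAG_SIGN = 0x01, 0x02
FLAG_ENCRYPT_COMMS, FLAG_ENCRYPT_STORAGE = 0x04, 0x08
SIGN = FLAG_CERTIFY | FLAG_SIGN
ENCRYPT = FLAG_ENCRYPT_COMMS | FLAG_ENCRYPT_STORAGE

# What each algorithm type is able to do, independent of any key flags.
CAPABLE = {
    RSA: SIGN | ENCRYPT,
    RSA_ENCRYPT_ONLY: ENCRYPT,
    RSA_SIGN_ONLY: SIGN,
    ELGAMAL_ENCRYPT_ONLY: ENCRYPT,
    DSA: SIGN,
    ELGAMAL: SIGN | ENCRYPT,
}


def allowed_usage(algo, key_flags=None):
    """Bitmask of usages a key may be put to.

    key_flags is the first octet of the key flags subpacket, or None when
    the self-signature carries no such subpacket (assumption: then the
    algorithm type alone decides).
    """
    if algo not in CAPABLE:
        raise ValueError(f"unsupported public-key algorithm {algo}")
    capable = CAPABLE[algo]
    # Flags can only narrow what the algorithm type permits, never widen it.
    return capable if key_flags is None else capable & key_flags


def may_encrypt_to(algo, key_flags=None):
    return bool(allowed_usage(algo, key_flags) & ENCRYPT)


def needs_signature_checks(algo, key_flags=None):
    """True when an Elgamal key must meet the extra conditions for signing.

    A type 20 key whose flags say "encryption only" is handled like a
    type 16 key and skips those checks, as the message proposes.
    """
    return algo == ELGAMAL and bool(allowed_usage(algo, key_flags) & SIGN)
```
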