Lutz Donnerhacke wrote:
I'd like to oppose. ElGamal signatures are still useful,
Useful for what?
In the past, your primary argument seems to have been the avoidance of
DSA (not because of patent problems, but because of rather theoretical
objections to its design process), but this is no longer a convincing
justification since we now have RSA at our disposal.
despite there is a charge of signatures with some algorithmic errors.
I'd prefer a paragraph describing the problem and advicing to not use
keys of this charge.
Are you confident that no additional implementation traps will
discovered? With RSA, I have some confidence that the most important
things are properly documented, but ElGamal signatures appear to be much
more problematic. Please keep in mind that this is the second case of
such an implementation trap for the ElGamal signature scheme.