There is one reason why I still use DSA keys in some of my applications:
They are much cheaper to generate. I strongly believe that in order for crypto
to become ubiquitous, it is important that key pairs are generated right after
installation.
In case of RSA, it can go wrong in two ways:
1. RSA requires too many random bits and a computer that nobody touches can just
freeze up waiting for random input.
2. The time to generate an RSA key is too long on cheap embedded hardware.
Of course, neither is of concern for GPG's default key; if you have such a
system, just tell it to generate DSA keys. But these two points should be kept
in mind.
The obvious workaround for #1, is to read enough random bits for the security of
the key (e.g. 256) and then seed a secure PRNG with them.
There is, however, no known workaround for #2. Generating a PGP-compliant
1024-bit RSA key on NOKIA 3410 takes at least 20 minutes. More than enough to
make casual users frustrated and throw away the whole thing. Now, of course,
such slow mobiles are not manufactured anymore, but even 2 minutes is
unacceptable, which is the norm for today's low-end phones. And since the market
values battery life much more than computational muscle (low-end phones are
very responsive at present clock rates) in mobiles, this is not going to improve
too rapidly.
--
Daniel
signature.asc
Description: OpenPGP digital signature