ietf-smime

Re: RSA vs. DSA MUST

2000-11-27 19:54:59
----- Original Message -----
From: "Peter Gutmann" <pgut001(_at_)cs(_dot_)aucKland(_dot_)ac(_dot_)nz>
To: <bjueneman(_at_)novell(_dot_)com>; 
<blake(_dot_)ramsdell(_at_)tumbleweed(_dot_)com>;
<dpkemp(_at_)missi(_dot_)ncsc(_dot_)mil>; <ietf-smime(_at_)imc(_dot_)org>
Sent: Tuesday, November 28, 2000 2:10 PM
Subject: RE: RSA vs. DSA MUST


In case this is useful as a data point, in my general wandering around looking
for certs on the net the only publicly available DSA certs I've ever found were
some old Thawte ones, presumably created just to show'em (all the standard
Thawte certs are RSA, I don't think I've ever seen the DSA certs actually used
to certify anything).  I've also very occasionally come across them being used
in closed environments (ie ones where interoperability with the masses isn't
really an issue).  I suspect the motivation for a lot of these is that there's
a requirement to use a FIPS algorithm and DSA is the only choice.  I can't see
a MUST RSA, MAY DSA as being any real problem, it's just recognising what has
been reality for the last few years.

Well, there is one problem, and it's due to the store-and-forward nature of
e-mail which prevents negotiation, making it impossible to know whether a
given algorithm is supported by a new recipient (think, e.g., of signed
messages sent to a mailing list). The result is that everybody ends up using
ONLY the common denominator, i.e. the "MUST" algorithms. Incidentally, this
was precisely the root of the trouble with 40-bit security in the bad old
days: a sort of Gresham's Law for algorithms...
In my opinion, "MAY" algorithms are pretty useless in non-interactive
contexts, and if DSA is not kept as a "MUST" (my preferred choice), it might
as well be dropped altogether.

Enzo
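
An added illustration of the argument in the reply above, not part of the original message: a sender that has to pick one signature algorithm without negotiation and treats any recipient with no cached capabilities as supporting only the MUST set. The function name, addresses and capability cache are constructed for the example.

```python
def pick_signature_alg(sender_prefs, recipients, known_caps, must_algs):
    """Return the sender's most-preferred algorithm every recipient can verify.

    sender_prefs: algorithms the sender holds keys for, most preferred first.
    known_caps:   recipient -> set of algorithms learned from earlier mail
                  (hypothetical cache; no entry means never heard from).
    must_algs:    algorithms the profile marks MUST, the only safe assumption
                  for a recipient with no cache entry.
    """
    usable = set(sender_prefs)
    for rcpt in recipients:
        # No negotiation in store-and-forward mail: unknown => MUST set only.
        usable &= known_caps.get(rcpt, must_algs)
    for alg in sender_prefs:
        if alg in usable:
            return alg
    return None  # nothing every recipient is guaranteed to verify


# Constructed sample data.
KNOWN = {
    "alice@example.org": {"RSA", "DSA"},
    "bob@example.org": {"RSA", "DSA"},
}
LIST = "some-list@example.org"  # subscribers' capabilities are unknown


def demo():
    must_rsa_only = {"RSA"}      # the "MUST RSA, MAY DSA" profile
    must_both = {"RSA", "DSA"}   # DSA kept as a MUST
    prefs = ["DSA", "RSA"]       # sender would rather sign with DSA
    everyone = list(KNOWN) + [LIST]
    return {
        # All recipients known to support the MAY algorithm: it gets used.
        "known_only": pick_signature_alg(prefs, list(KNOWN), KNOWN, must_rsa_only),
        # One unknown recipient collapses the choice to the MUST algorithm.
        "with_list": pick_signature_alg(prefs, everyone, KNOWN, must_rsa_only),
        # A DSA-only sender has no safe choice once DSA is merely MAY.
        "dsa_only_sender": pick_signature_alg(["DSA"], [LIST], KNOWN, must_rsa_only),
        "dsa_is_must": pick_signature_alg(["DSA"], [LIST], KNOWN, must_both),
    }


if __name__ == "__main__":
    for case, alg in demo().items():
        print(f"{case}: {alg}")
```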


