In case this is useful as a data point, in my general wandering around looking
for certs on the net the only publicly available DSA certs I've ever found
were
some old Thawte ones, presumably created just to show'em (all the standard
Thawte certs are RSA, I don't think I've ever seen the DSA certs actually used
to certify anything). I've also very occasionally come across them being used
in closed environments (ie ones where interoperability with the masses isn't
really an issue). I suspect the motivation for a lot of these is that there's
a requirement to use a FIPS algorithm and DSA is the only choice. I can't see
a MUST RSA, MAY DSA as being any real problem, it's just recognising what has
been reality for the last few years.
DSA is not the ONLY asymmetric algorithm certifiable in FIPS 140-1/2, as it
references any algorithm published/referenced in a FIPS; X9.31 and X9.62 are
also specified in FIPS 186-2.
Remember that DSS it not DSA.
Looking forward (that's what this is about, isn't it?), there are three
asymmetric algorithms in FIPS 68-2: DSA, X9.31 RSA, and X9.62 ECDSA.
So, the motivation for a lot of those certificates based on FIPS 186-1 and FIPS
140-1, is not there anymore.
It is enough to support one of them for FIPS purposes, then the most common
one, RSA, should do fine. NIST certainly does not mandate all of them (FIPS
186-2, page 3, line 3).
Effective as of July 27, 2000, and with the prescribed transition period of
FIPS 186-2 from July 27 2000 to July 27 2001, that should give enough time to
make changes in a product line.
- Tolga