ietf-smime

Re: RSA vs. DSA MUST

2000-11-28 10:30:02
Enzo has captured the chicken-and-egg essence of my concern.  The U.S.
Government has a requirement to purchase products which support FIPS
186-2 algorithms (this includes DSA and ANSI X9.31 RSA, but not PKCS-1
RSA).  And, at least in the DoD, we have requirements coming from our
customers to be algorithm independent:

  "PKI must support a variety of public key cryptographic algorithms
   both in the public/private key pairs created and certified by PKI,
   and in the algorithms used to apply digital signatures to certificates
   and other PKI products.  PKI must support the concurrent use of several
   digital signature algorithms for issuing certificates and must be able
   to migrate over time to using new signature algorithms."

           -- DoD PKI Operational Requirements Document, 22 October 2000


There is also the fact that DSA signatures are significantly smaller
than RSA signatures, especially as we move to public keys above 1024 bits
and the signature could be bigger than the entire to-be-signed certificate.
This doesn't matter in many environments, but it does in some.

If vendors look at what certificates have already been issued to decide
what certificates to support in products under development, we will never
evolve.  I favor keeping DSA (in addition to RSA) as a MUST for S/MIME
clients because algorithm independence is valuable in and of itself.

Dave



From: "Enzo Michelangeli" <em(_at_)who(_dot_)net>

Well, there is one problem, and it's due to the store-and-forward nature of
e-mail which prevents negotiation, making it impossible to know whether a
given algorithm is supported by a new recipient (think, e.g., of signed
messages sent to a mailing list). The result is that everybody ends up using
ONLY the common denominator, i.e. the "MUST" algorithms. Incidentally, this
was precisely the root of the trouble with 40-bit security in the bad old
days: a sort of Gresham's Law for algorithms...
In my opinion, "MAY" algorithms are pretty useless in non-interactive
contexts, and if DSA is not kept as a "MUST" (my preferred choice), it might
as well be dropped altogether.

Enzo

