patents

[Werner Koch]

Jeremey Barrett <jeremey at bluemoney.com> writes:

> I would vote for DSA, since it is currently in PGP 5.x. Introducing
> another layer of incompatibility is not good for anyone, especially
> given that DSA is free worldwide.

If this is really true (and I don´t believe it especially because of the
Schnorr patent) we should do it.  Let´s see what the FSF says.

> Also, generating keys which are secure for ElGamal _signatures_ (not 
> encryption) is considerably harder than for DSA. I believe this was
> the reason PGP, Inc chose DSA over ElGamal for signatures.

No that´s not true.  I saw a message from Hal Finney (PGP Inc), which
said, that the key generation code for ElGamal is not good for signatures
and it is uncommented because of this - Implementing all requirements isn't
too much difficult (I have not yet done this - the current code generates
ElGamal keys just for the test the entire program).  Because DSA is build
upon ElGamal, all security issues of ElGamal are also valid for DSA.

By the Way:  DSA allows only keys up to 1024 bits; today this is enough, but
what's going on tomorrow - many folks are already using 2048 bits keys
(I don´t think that there is any need for them - but they are used).


Werner


-- 
Werner Koch, Duesseldorf  -   werner.koch at guug.de   -  PGP keyID: 0C9857A5