Will DSS keys still be preferred over RSA in a few months?

Ulf Möller ulf@fitug.de
Sun, 9 Jul 2000 11:36:43 -0400


On Thu, Jul 06, 2000 at 04:16:42PM +0200, Werner Koch wrote:


> No, DSS will still be the default. There are no additional benefits from
> using RSA (except that it is somewhat faster) given the fact that
> we do not have a larger hash algorithm for a larger DSA-like signature
> algorithm and that the DSA signature material is shorter than the one
> created with RSA.

There is one huge benefit: RSA signatures use PKCS #1 encoding, so that the DigestInfo is authenticated. For OpenPGP's DSA signatures, the hash algorithm can be freely chosen but is unauthenticated. That means that it is sufficient to find a collision in any one of the supported OpenPGP hash functions (which include MD5 and MD2) to forge a DSA signature. As long as OpenPGP doesn't fix this cryptographic weakness, RSA should be preferred if at all possible.

[NB: You should not refer to the algorithm used in OpenPGP as DSS. The Digital Signature Standard requires the use of SHA-1.]
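The following is an added example, not part of the original message and not code from GnuPG or any OpenPGP implementation. It builds the PKCS #1 v1.5 block that an RSA signature covers, showing that the hash algorithm's OID is inside the signed data, and contrasts it with the bare digest integer that DSA signs. The function names, the 128-byte block length and the sample message are assumptions made for illustration.

```python
import hashlib

# ASN.1 DigestInfo prefixes from PKCS #1 v1.5; each one embeds the hash algorithm's OID.
DIGESTINFO_PREFIX = {
    "md5": bytes.fromhex("3020300c06082a864886f70d020505000410"),
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "ripemd160": bytes.fromhex("3021300906052b2403020105000414"),
}
DSS_HASHES = {"sha1"}  # the Digital Signature Standard requires SHA-1 (see the NB above)

def emsa_pkcs1_v15(algo: str, digest: bytes, em_len: int) -> bytes:
    """Block an RSA PKCS #1 v1.5 signature covers: 00 01 FF..FF 00 || DigestInfo."""
    t = DIGESTINFO_PREFIX[algo] + digest
    if em_len < len(t) + 11:
        raise ValueError("modulus too short for this DigestInfo")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def rsa_block_matches(recovered_em: bytes, claimed_algo: str, digest: bytes) -> bool:
    """Verifier side: rebuild the block for the claimed algorithm and compare."""
    return recovered_em == emsa_pkcs1_v15(claimed_algo, digest, len(recovered_em))

def dsa_signed_value(digest: bytes) -> int:
    """Value a DSA signature covers: the digest as an integer, with no algorithm label."""
    return int.from_bytes(digest, "big")

def dsa_hash_allowed(claimed_algo: str) -> bool:
    """Hypothetical verifier policy: since DSA does not bind the label, allow-list it."""
    return claimed_algo in DSS_HASHES

def demo() -> dict:
    msg = b"constructed sample message"          # constructed input
    digest = hashlib.sha1(msg).digest()          # 20 bytes, same length as RIPEMD-160
    em = emsa_pkcs1_v15("sha1", digest, 128)     # block for a 1024-bit modulus
    return {
        # Same digest bytes, but the label is part of what RSA signed:
        "rsa_sha1_label": rsa_block_matches(em, "sha1", digest),
        "rsa_relabelled": rsa_block_matches(em, "ripemd160", digest),
        # DSA covers only this integer; the claimed algorithm never enters it.
        "dsa_value_bits": dsa_signed_value(digest).bit_length(),
        "dsa_md5_allowed": dsa_hash_allowed("md5"),
    }

if __name__ == "__main__":
    print(demo())
```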