Will DSS keys still be preferred over RSA in a few months?

L. Sassaman rabbi@quickie.net
Mon, 10 Jul 2000 10:04:08 -0700 (PDT)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sun, 9 Jul 2000, Ulf Möller wrote:


> On Sun, Jul 09, 2000 at 11:36:43AM -0400, Ulf Möller wrote:
>
> > but is unauthenticated. That means that it is sufficient to find a
> > collision in any one of the supported OpenPGP hash functions
> > (which include MD5 and MD2) to forge a DSA signature.
>
> That's not exactly accurate. Anyway, on the bottom line, OpenPGP RSA
> allows the signer to choose the (best) hash algorithm, and OpenPGP DSA
> allows the attacker to choose the (worst) hash algorithm.

Please explain this further. First of all, there is no difference between
"RSA" and "DSA" key usage in OpenPGP. I think that what you mean to
compare here is "v3" and "v4" keys. Is that correct?

Secondly, there is a self-signature preference for hash algorithms. It
would be very easy for an implementation to declare a signature "BAD" if a
hash was used that was not expressly permitted in the signing key's
self-signature pref for hashes. This, I think, is a worthwhile thing to
suggest to the working group.

__

L. Sassaman

System Administrator                |
Technology Consultant               |  "Credo quia absurdum."
icq.. 10735603                      |
pgp.. finger://ns.quickie.net/rabbi |          --Tertullian

-----BEGIN PGP SIGNATURE-----
Comment: OpenPGP Encrypted Email Preferred.

iD8DBQE5agIRPYrxsgmsCmoRArEOAKCroyCh02vlE9j/3qdtAKsn46awewCgiSpM
v+qozpxx2kRKNSI/DEvGQIc=
=Gt2H
-----END PGP SIGNATURE-----
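
The check proposed in the message above, written out as an added example (not part of the original post and not taken from any OpenPGP implementation): it reads the "preferred hash algorithms" subpacket (type 21) from a v4 self-signature's hashed subpacket area and declares a signature "BAD" when its hash is not listed. It assumes the self-signature itself has already been verified; the function names, the "UNKNOWN" verdict, and the sample bytes are constructed for illustration.

```python
# Added example: hash-preference check over a v4 self-signature's hashed subpackets.
PREF_HASH = 21  # subpacket type: preferred hash algorithms
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 5: "MD2"}

# Constructed sample: creation-time subpacket, then preferences [SHA1, RIPEMD160].
SAMPLE_AREA = bytes.fromhex("0502396a0000" "03150203")

def iter_subpackets(area):
    """Yield (type, critical, body) for each subpacket in a hashed area."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:                      # one-octet length
            length, i = first, i + 1
        elif first < 255:                    # two-octet length
            if i + 2 > len(area):
                raise ValueError("truncated subpacket length")
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:                                # five-octet length
            length, i = int.from_bytes(area[i + 1:i + 5], "big"), i + 5
        if length == 0 or i + length > len(area):
            raise ValueError("malformed or truncated subpacket")
        # The length counts the type octet; bit 7 of the type is the critical flag.
        yield area[i] & 0x7F, bool(area[i] & 0x80), area[i + 1:i + length]
        i += length

def preferred_hashes(area):
    """Return the key's preferred hash IDs, or None if it states none."""
    for sp_type, _critical, body in iter_subpackets(area):
        if sp_type == PREF_HASH:
            return list(body)
    return None

def check_signature_hash(sig_hash_id, selfsig_area):
    """Verdict for a signature that used hash algorithm sig_hash_id."""
    name = HASH_NAMES.get(sig_hash_id, "hash id %d" % sig_hash_id)
    prefs = preferred_hashes(selfsig_area)
    if prefs is None:
        # Assumption of this example: no stated preference is reported, not rejected.
        return "UNKNOWN", "key's self-signature lists no hash preferences"
    if sig_hash_id not in prefs:
        return "BAD", name + " is not in the signing key's hash preferences"
    return "OK", name + " is permitted by the signing key"

if __name__ == "__main__":
    for hash_id in (2, 1, 5):
        print(hash_id, check_signature_hash(hash_id, SAMPLE_AREA))
```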