Will DSS keys still be preferred over RSA in a few months?

Ulf Möller ulf at fitug.de
Sun Jul 9 12:36:43 CEST 2000

On Thu, Jul 06, 2000 at 04:16:42PM +0200, Werner Koch wrote:

> No DSS will still be deafault.  There are no additional benefits from
> using RSA (except that it is somewaht bit faster) given the fact that
> we do not have a larger hash algorithm for a larger DSA like signature
> algorithm and that the DSA signature matieral is shorter than the one
> created with RSA.

There is one huge benefit: RSA signatures use PKCS #1 encoding, so
that the DigestInfo is authenticated.

For OpenPGP's DSA signatures, the hash algorithm can be freely chosen
but is unauthenticated. That means that it is sufficient to find a
collision in any one of the supported OpenPGP hash functions
(which include MD5 and MD2) to forge a DSA signature.

As long as OpenPGP doesn't fix this cryptographic weakness, RSA should
be preferred if at all possible.

[NB: You should not refer to the algorithm used in OpenPGP as DSS. The
Digital Signature Standard requires the use of SHA-1.]

More information about the Gnupg-devel mailing list