Make --enable-dsa2 the default?

David Shaw dshaw at jabberwocky.com
Sun May 17 19:26:22 CEST 2009


On May 17, 2009, at 8:07 AM, Werner Koch wrote:

> Hi!
>
> Now that GnuPG key generation defaults to RSA keys, we may want to make
> the option --enable-dsa2 the default.  The man page currently reads:
>
>  @item --enable-dsa2
>  @itemx --disable-dsa2
>  Enables new-style DSA keys which (unlike the old style) may be larger
>  than 1024 bit and use hashes other than SHA-1 and RIPEMD/160. Note
>  that very few programs currently support these keys and signatures
>  from them.
>
> Folks not using the default parameters for a new key can be expected to
> know what they are doing and thus --enable-dsa2 should not get in
> their way.  There will be a warning anyway.

I am cautiously in favor of this, but note this can change the
behavior of existing 1024-bit (i.e. old) DSA keys also.  If, for
example, the user has set personal-digest-preferences to SHA256, then
a truncated SHA256 will be used.  It is true, though, that this will
only happen in cases where the user has changed the defaults (as
personal-digest-preferences defaults to SHA1).

David
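The truncation David refers to is the DSA2 (FIPS 186-3) rule: when the hash is longer than the subgroup order q, only the leftmost N bits are signed, where N is the bit length of q (160 for an old-style 1024-bit key). The following is an added example, not code from the thread or from GnuPG; it models the old-style versus DSA2 behavior with hashlib so the effect of personal-digest-preferences on a 160-bit q is visible. The function and parameter names are this example's own, and the "hash shorter than q is rejected" check mirrors GnuPG's behavior as I understand it rather than anything stated in the message.

```python
import hashlib

# FIPS 186-3 section 4.6: z = leftmost min(N, outlen) bits of Hash(M),
# where N is the bit length of the subgroup order q.
def truncate_digest(digest: bytes, q_bits: int) -> bytes:
    outlen = len(digest) * 8
    n = min(q_bits, outlen)
    value = int.from_bytes(digest, "big") >> (outlen - n)
    return value.to_bytes((n + 7) // 8, "big")

def dsa_hash_for_signature(message: bytes, hash_name: str,
                           q_bits: int, dsa2: bool) -> bytes:
    """Return the hash value that would actually be signed.

    dsa2=False models old-style DSA: the hash must be exactly q bits,
    so a 160-bit q only accepts SHA-1 or RIPEMD-160.
    dsa2=True models --enable-dsa2: longer hashes are truncated to q bits
    (this is the 'truncated SHA256' case from the message); hashes shorter
    than q are rejected (assumption: GnuPG refuses such a hash).
    """
    h = hashlib.new(hash_name, message).digest()
    hash_bits = len(h) * 8
    if not dsa2:
        if hash_bits != q_bits:
            raise ValueError(f"old-style DSA requires a {q_bits}-bit hash, got {hash_name}")
        return h
    if hash_bits < q_bits:
        raise ValueError(f"{hash_name} ({hash_bits} bits) is shorter than q ({q_bits} bits)")
    return truncate_digest(h, q_bits)

def signature_hash_ok(hash_name: str, q_bits: int, dsa2: bool) -> bool:
    """True if this hash/q combination would be accepted for signing."""
    try:
        dsa_hash_for_signature(b"probe", hash_name, q_bits, dsa2)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed sample: an old 1024-bit DSA key (q is 160 bits) whose owner
    # set personal-digest-preferences to SHA256.
    for dsa2 in (False, True):
        ok = signature_hash_ok("sha256", 160, dsa2)
        print(f"dsa2={dsa2}: SHA256 with 160-bit q accepted: {ok}")
    signed = dsa_hash_for_signature(b"hello", "sha256", 160, True)
    full = hashlib.sha256(b"hello").digest()
    print("full SHA256    :", full.hex())
    print("signed (160 b) :", signed.hex())
```

With --enable-dsa2 the 160-bit value signed is simply the first 20 bytes of the SHA-256 output, which is why the option changes what an existing 1024-bit key produces as soon as the digest preference is no longer SHA-1.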
