Make --enable-dsa2 the default?
dshaw at jabberwocky.com
Sun May 17 19:26:22 CEST 2009
On May 17, 2009, at 8:07 AM, Werner Koch wrote:
> Now that GnuPG key generation defaults to RSA keys, we may want to
> the option --enable-dsa2 the default. The man page currently reads:
> @item --enable-dsa2
> @itemx --disable-dsa2
> Enables new-style DSA keys which (unlike the old style) may be larger
> than 1024 bit and use hashes other than SHA-1 and RIPEMD/160. Note
> that very few programs currently support these keys and signatures
> from them.
> Folks not using the default parameters for a new key can be expected
> know what they are doing and thus --enable-dsa2 should not get into
> their way. There will be warning anyway.
I am cautiously in favor of this, but note this can change the
behavior of existing 1024-bit (i.e. old) DSA keys also. If, for
example, the user has set personal-digest-preferences to SHA256, then
a truncated SHA256 will be used. It is true, though, that this will
only happen in cases where the user has changed the defaults (as
personal-digest-preference defaults to SHA1).
More information about the Gnupg-devel