Make --enable-dsa2 the default?
dshaw at jabberwocky.com
Mon May 18 15:24:25 CEST 2009
On May 18, 2009, at 1:15 AM, Werner Koch wrote:
> On Sun, 17 May 2009 19:26, dshaw at jabberwocky.com said:
>> I am cautiously in favor of this, but note this can change the
>> behavior of existing 1024-bit (i.e. old) DSA keys also. If, for
> Right, I checked this yesterday. Thus you mean we shall wait for that
> change a little bit longer? I would be fine with that too.
I wonder if the ideal change would be to remove the --enable-dsa2
block on new keys, but leave it in place in general. That would mean
that new q>160 keys could be generated (with a warning), and these
keys could use whatever hash was appropriate for them, but existing
q==160 keys would still be locked to SHA-1 or RIPEMD/160.
I'm okay with just waiting for a while longer, too.
More information about the Gnupg-devel