Make --enable-dsa2 the default?

David Shaw dshaw at
Mon May 18 15:24:25 CEST 2009

On May 18, 2009, at 1:15 AM, Werner Koch wrote:

> On Sun, 17 May 2009 19:26, dshaw at said:
>> I am cautiously in favor of this, but note this can change the
>> behavior of existing 1024-bit (i.e. old) DSA keys also.  If, for
> Right, I checked this yesterday.  Thus you mean we shall wait for that
> change a little bit longer?   I would be fine with that too.

I wonder if the ideal change would be to remove the --enable-dsa2  
block on new keys, but leave it in place in general.  That would mean  
that new q>160 keys could be generated (with a warning), and these  
keys could use whatever hash was appropriate for them, but existing  
q==160 keys would still be locked to SHA-1 or RIPEMD/160.

I'm okay with just waiting for a while longer, too.


More information about the Gnupg-devel mailing list