Make --enable-dsa2 the default?
David Shaw
dshaw at jabberwocky.com
Tue May 19 16:56:11 CEST 2009
On May 19, 2009, at 4:42 AM, Werner Koch wrote:
> On Mon, 18 May 2009 15:24, dshaw at jabberwocky.com said:
>
>> I wonder if the ideal change would be to remove the --enable-dsa2
>> block on new keys, but leave it in place in general. That would mean
>
> You mean, in ask_keysize:
>
> switch(algo)
>   {
>   case PUBKEY_ALGO_DSA:
>     if(opt.flags.dsa2)
>       {
>         def=2048;
>         max=3072;
>       }
>     else
>       {
>         tty_printf(_("DSA keypair will have %u bits.\n"),1024);
>         return 1024;
>       }
>     break;
>
> we simply remove the test and allow selection of the size?
Yes. There are really two different things that --enable-dsa2
actually enables. First, it means that we can have a DSA key that is
bigger than 1024 bits. The other is that we can use hashes larger
than the q size by truncating them. If we make the ask_keysize
change, we're always enabling the first one. The code is smart enough
to automatically enable the second one whenever it sees a key with q!=160, so DSA2 keys will always work properly.
It basically means we would redefine --enable-dsa2 to be "Allow hash
truncation for existing DSA keys".
David
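The two behaviours David separates, a q larger than 160 bits and truncating a hash that is longer than q, can be checked in isolation. This is an added Python example, not GnuPG code: the truncation follows FIPS 186-3 section 4.6 (the leftmost min(N, outlen) bits of the digest), and hash_usable is my reading of the policy described in this message, not GnuPG's actual implementation.

```python
import hashlib


def truncate_hash_for_dsa(digest: bytes, qbits: int) -> int:
    """Return the integer z that DSA signs for this key: the leftmost
    min(qbits, digest bits) bits of the digest (FIPS 186-3, section 4.6).
    A digest no longer than q is used whole."""
    hbits = len(digest) * 8
    z = int.from_bytes(digest, "big")
    if hbits > qbits:
        z >>= hbits - qbits          # drop the rightmost excess bits
    return z


def hash_usable(qbits: int, hashbits: int, allow_truncation: bool) -> bool:
    """Policy as described in the thread (assumption, not GnuPG's code):
    a digest shorter than q is rejected; one exactly q bits long is fine;
    a longer digest needs truncation, which a q!=160 key always gets, while
    a classic q=160 key only gets it when --enable-dsa2 is set."""
    if hashbits < qbits:
        return False
    if hashbits == qbits:
        return True
    return qbits != 160 or allow_truncation


def dsa_sign_input(message: bytes, hash_name: str, qbits: int,
                   allow_truncation: bool = False) -> int:
    """Hash message with hash_name and return z for a key whose q has qbits
    bits, or raise ValueError when the policy above forbids the pairing."""
    digest = hashlib.new(hash_name, message).digest()
    if not hash_usable(qbits, len(digest) * 8, allow_truncation):
        raise ValueError(f"{hash_name} not usable with q of {qbits} bits")
    return truncate_hash_for_dsa(digest, qbits)


if __name__ == "__main__":
    msg = b"constructed sample message"
    # classic 1024-bit DSA key (q = 160 bits): SHA-1 fits, SHA-256 needs dsa2
    print(hex(dsa_sign_input(msg, "sha1", 160)))
    print(hex(dsa_sign_input(msg, "sha256", 160, allow_truncation=True)))
    # DSA2 key with q = 256 bits: SHA-512 is truncated to 256 bits automatically
    print(hex(dsa_sign_input(msg, "sha512", 256)))
```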
More information about the Gnupg-devel mailing list