Make --enable-dsa2 the default?

David Shaw dshaw at
Tue May 19 16:56:11 CEST 2009

On May 19, 2009, at 4:42 AM, Werner Koch wrote:

> On Mon, 18 May 2009 15:24, dshaw at said:
>> I wonder if the ideal change would be to remove the --enable-dsa2
>> block on new keys, but leave it in place in general.  That would mean
> You mean, in ask_keysize:
>  switch(algo)
>    {
>    case PUBKEY_ALGO_DSA:
>      if(opt.flags.dsa2)
> 	{
> 	  def=2048;
> 	  max=3072;
> 	}
>      else
> 	{
> 	  tty_printf(_("DSA keypair will have %u bits.\n"),1024);
> 	  return 1024;
> 	}
>      break;
> we simply remove the test and allow selection of the size?

Yes.  There are really two different things that --enable-dsa2  
actually enables.  First, it means that we can have a DSA key that is  
bigger than 1024 bits.  The other is that we can use hashes larger  
than the q size by truncating them.  If we make the ask_keysize  
change, we're always enabling the first one.  The code is smart enough  
to automatically enable the second one whenever it sees a key with q! 
=160, so DSA2 keys will always work properly.

It basically means we would redefine --enable-dsa2 to be "Allow hash  
truncation for existing DSA keys".


More information about the Gnupg-devel mailing list