DSA2 default status

David Shaw dshaw at jabberwocky.com
Wed Nov 18 15:47:47 CET 2009

The default for DSA2 in GPG is currently "off" - that is, by default, we fix the size of a DSA key at 1024 bits, and the q size (to specify the hash) at 160 bits.  We've supported DSA2 since mid-2006 (v1.4.4 - a year later in GPG2: v2.0.7), but it has always been restricted behind an --enable-dsa2 option to prevent people from shooting themselves and others in the foot by making keys that could not be widely used.  By passing --enable-dsa2, they "opt-in" to that risk, and can generate whatever key type they like.

Proposal: I think it's time to make --enable-dsa2 the default.  It's been supported for 3 years in GPG and almost as long in PGP.  Plus, the DSA key type is no longer the default in GPG anyway - it takes an explicit decision by a user to use DSA in the first place, which acts as the "opt-in".
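The interoperability risk described above comes down to the sizes of p and q in a key's DSA public-key packet. The following added example (not code from GnuPG or from this message) parses the MPIs of a v4 OpenPGP DSA public-key packet body and flags keys that exceed the classic 1024/160-bit parameters, so an operator can see which keys would have needed DSA2 support on the verifying side. The packet bodies it parses are constructed inline with dummy MPI values; the packet framing header is assumed to have been stripped already.

```python
import struct

DSA_ALGO_ID = 17  # OpenPGP public-key algorithm id for DSA (RFC 4880)


def read_mpi(buf, pos):
    """Return (bit_length, next_pos) for the OpenPGP MPI starting at pos.

    An MPI is a 2-byte big-endian bit count followed by ceil(bits/8) value bytes.
    """
    bits = struct.unpack_from(">H", buf, pos)[0]
    nbytes = (bits + 7) // 8
    return bits, pos + 2 + nbytes


def dsa_sizes(key_body):
    """Return (p_bits, q_bits) for a v4 DSA public-key packet body, else None.

    Body layout: version(1) | creation time(4) | algorithm(1) | MPIs p, q, g, y.
    """
    if len(key_body) < 6 or key_body[0] != 4 or key_body[5] != DSA_ALGO_ID:
        return None
    pos = 6
    p_bits, pos = read_mpi(key_body, pos)
    q_bits, pos = read_mpi(key_body, pos)
    return p_bits, q_bits


def classify(p_bits, q_bits):
    """Classic DSA is p=1024, q=160 (SHA-1); anything larger needs DSA2 support."""
    if p_bits == 1024 and q_bits == 160:
        return "classic-dsa"
    return "dsa2"


def make_dsa_key_body(p_bits, q_bits):
    """Constructed sample (not a real key): v4 DSA key body with dummy MPI values."""
    def mpi(bits):
        nbytes = (bits + 7) // 8
        top = 1 << ((bits - 1) % 8)  # set the exact top bit so the bit count is honest
        return struct.pack(">H", bits) + bytes([top]) + b"\x01" * (nbytes - 1)
    header = bytes([4]) + struct.pack(">I", 0) + bytes([DSA_ALGO_ID])
    return header + mpi(p_bits) + mpi(q_bits) + mpi(p_bits) + mpi(p_bits)


if __name__ == "__main__":
    for sizes in ((1024, 160), (2048, 256), (3072, 256)):
        found = dsa_sizes(make_dsa_key_body(*sizes))
        print(sizes, "->", classify(*found))
```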
