[Q] DSA 1024-bit limit.

David Shaw dshaw@jabberwocky.com
Tue May 13 05:48:02 2003

Hash: SHA1

On Mon, May 12, 2003 at 08:09:08PM -0400, Daniel Carrera wrote:
> Hello all,
> I was thinking about the DSA 1024-bit limit.  Is that something I should 
> be worried about?  Is there any hope that this limit will be fixed in the 
> forseable future?
> If having a 1024-bit key now is cause for concern, then it will become a 
> real problem in a few years.
> From the resources people gave me I found some reasoning as to why signing 
> keys can afford to be less secure.  But I'd still be happier if they were 
> secure.

The DSA 1024-bit limit is not really a problem in practice.  DSA is
also limited to a 160-bit hash which is (some arm waving here) around
as "strong" as the 1024-bit key.  If you made a larger DSA key, then
the hash would become the weak point, and you didn't really gain

If you don't want to be limited to a 1024-bit signing key, don't use
DSA.  You can make an RSA signing key up to 4096 bits without any
special hackery.  There are drawbacks to this (such as a truly massive
signature size), but it's a good way to get a larger key size.

Some people (like me), have a 4096-bit RSA signing key, but use a
1024-bit DSA subkey for day to day use.

On Mon, May 12, 2003 at 08:28:26PM -0400, Daniel Carrera wrote:
> On a related note.  Is there any way that I can create a second key-pair 
> that has a signing key with more than 1024 bits?
> I know that this wouldn't comply with the DSA standard, but if I am in a 
> situation where I truly need security I might decide that I don't care 
> about the standard.  Having the option of a larger key would help my peace 
> of mind.

The problem with not caring about the standard is you can issue
massive signatures with a large DSA key.... but who is going to be
able to verify them?

Version: GnuPG v1.2.3-cvs (GNU/Linux)
Comment: http://www.jabberwocky.com/david/keys.asc