Reminder about GPG 1.4.4 and the new DSA

David Shaw dshaw at jabberwocky.com
Sun Jun 25 18:24:05 CEST 2006


Hi folks,

GnuPG 1.4.4 was released today, and it contains a new feature
(--enable-dsa2) that needs a bit of explanation.  For many years, the
DSA signing algorithm has been limited in two ways: first, you could
not create a key larger than 1024 bits, and second, the key could only
use a 160-bit hash, which in practice meant either SHA-1 or
RIPEMD/160.

Recently, the long awaited update to DSA was released by NIST.  Most
people have been calling it DSA2, though the official name has not
changed.  DSA2 allows for much larger keys and can work with almost
any hash.

The last release of GnuPG (1.4.3) contained limited support for DSA2
so it could at least verify (most) DSA2 signatures.  Today's release
of GnuPG (1.4.4) contains full support for DSA2.  You can now generate
DSA2 keys and you can issue DSA2 signatures.  However, (and here's the
problem): no other OpenPGP programs can currently use (all of) DSA2.
No doubt that over the coming months and years, other OpenPGP programs
will add support for DSA2, but this does not exist today.

If you want to experiment with DSA2, that's fine, but fair warning:
until other OpenPGP programs add DSA2 support, using DSA2 means
isolating yourself to a GPG 1.4.3 or 1.4.4 world.

David



More information about the Gnupg-users mailing list