Questions about generating keys (hash firewalls)

[Doug Barton]

On Fri, 24 Aug 2007, David Shaw wrote:

> On Fri, Aug 24, 2007 at 09:06:24PM +0300, Oskar L. wrote:
>
>> Do hash firewalls have any drawbacks (performance decrease, difficult to
>> implement, patent issues etc.)? What's the reason DSA doesn't have one?
>
> I suspect a major reason is the main use of DSA is really DSS - and
> DSS was never intended to be used with any hash other than SHA-1.
>
> It gets a little stickier with DSA2/DSS2 where there are several
> possible hashes.  For example, a 1024/160 DSA key can use SHA1, but
> also SHA224, SHA256, SHA384, or SHA512, by truncating them to 160
> bits.

I've followed this thread with interest, since my only signing key is a 
1024 DSA key, and I'm considering options for what my "next" key should 
be.

It almost sounds from what you're saying above that there actually is an 
argument for RSA's hash firewall being "better" than DSA[2] here, but if I 
correctly understood what you said later in the thread, the margin by 
which it's "better" is so small as to not be worth considering. Is that 
more or less correct?

The other question I had is about what you said above regarding truncating 
hashes with DSA2. Am I understanding correctly that even with DSA2 the 
hash size can be no larger than 160 bits?

Thanks,

Doug (who hopes these questions aren't too dopey)

-- 

 	If you're never wrong, you're not trying hard enough