status: establishing a PGP web of trust

Peter Lebbing peter at
Sat Oct 1 20:45:14 CEST 2011

On 01/10/11 18:51, brian m. carlson wrote:
> Point being, both DSA and RSA have their good and bad points, and if
> you're fairly confident that you have a good PRNG, such as /dev/urandom,
> then there's not really much concern about k.  After all, you also need
> a good PRNG for CFB IVs as well, although the consequences aren't as
> disastrous.

But you need a good PRNG for generating the session key, which is a lot more
important than the CFB IV.

But when it comes to signing stuff, not encryption, I suppose you can indeed use
RSA without a good PRNG.

The Debian OpenSSL debacle, however, rendered every DSA key *used* on such a
system useless, whereas RSA was only compromised when the key was *generated* on
such a box.

Personally, I see it as an advantage of RSA that using it with a poor PRNG
doesn't disclose your private key, but it wouldn't stop me from using ECDSA when
it is mainstream. Your PRNG simply shouldn't be bad when you do crypto.
Obviously software bugs can always happen, and in the specific Debian OpenSSL
instance it was worse for DSA, but the next big bug might by chance hurt RSA and
leave DSA in the clear.

And we have DSA to thank for the fun of Sony's silly mistake! :)


I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at
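The failure mode this thread is about (the Debian OpenSSL case for DSA, and Sony's PS3 mistake) is that a DSA or ECDSA signature leaks the private key as soon as the per-signature nonce k repeats, which is exactly what a broken PRNG produces; RSA signing has no such per-signature secret. The following is an added illustration, not code from the thread, from GnuPG or from any real system: a toy DSA over a small group generated in code, a "PRNG" that always returns 42, the key recovery that follows from two such signatures, and the mitigation of deriving k deterministically from the key and message (the idea behind RFC 6979, in a simplified HMAC form rather than the RFC's exact HMAC_DRBG procedure). All parameters, keys and messages are constructed for the example.

```python
import hashlib
import hmac

# Toy DSA over deliberately small parameters: q is a 31-bit prime, so this
# is for illustration only and offers no real security.

def is_probable_prime(n: int) -> bool:
    """Deterministic Miller-Rabin, valid for n < 2**64 with these bases."""
    if n < 2:
        return False
    bases = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_params():
    """q = 2**31 - 1 (a Mersenne prime); p = smallest prime m*q + 1 with m even;
    g = h**m mod p is then an element of order q (assumed toy sizes)."""
    q = (1 << 31) - 1
    m = 2
    while not is_probable_prime(m * q + 1):
        m += 2
    p = m * q + 1
    h = 2
    while pow(h, m, p) == 1:
        h += 1
    return p, q, pow(h, m, p)

P, Q, G = make_params()

def hash_to_int(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q

def sign(x: int, msg: bytes, k: int):
    """Textbook DSA signing with a caller-supplied nonce k; returns (r, s)."""
    h = hash_to_int(msg)
    r = pow(G, k, P) % Q
    s = (pow(k, -1, Q) * (h + x * r)) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, choose another k")
    return r, s

def verify(y: int, msg: bytes, sig) -> bool:
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    h = hash_to_int(msg)
    w = pow(s, -1, Q)
    v = (pow(G, h * w % Q, P) * pow(y, r * w % Q, P)) % P % Q
    return v == r

def recover_key_from_nonce_reuse(msg1, sig1, msg2, sig2) -> int:
    """Why a repeated k is fatal: equal r values reveal k, and then x."""
    r1, s1 = sig1
    r2, s2 = sig2
    if r1 != r2 or s1 == s2:
        raise ValueError("signatures do not share a nonce")
    h1, h2 = hash_to_int(msg1), hash_to_int(msg2)
    k = (h1 - h2) * pow(s1 - s2, -1, Q) % Q
    return (s1 * k - h1) * pow(r1, -1, Q) % Q

def deterministic_nonce(x: int, msg: bytes) -> int:
    """Nonce derived from key and message hash via HMAC (simplified RFC 6979
    idea): signing needs no PRNG and k cannot repeat for distinct messages."""
    mac = hmac.new(x.to_bytes(32, "big"), hashlib.sha256(msg).digest(),
                   hashlib.sha256).digest()
    return 1 + int.from_bytes(mac, "big") % (Q - 1)

# Constructed demo values, not from any real key or system.
PRIVATE_X = 123456789 % Q
PUBLIC_Y = pow(G, PRIVATE_X, P)
MSG1 = b"firmware build 1"
MSG2 = b"firmware build 2"

def demo_weak_prng():
    """A 'PRNG' that always returns 42: both signatures verify, yet x leaks."""
    sig1 = sign(PRIVATE_X, MSG1, 42)
    sig2 = sign(PRIVATE_X, MSG2, 42)
    ok = verify(PUBLIC_Y, MSG1, sig1) and verify(PUBLIC_Y, MSG2, sig2)
    return ok, recover_key_from_nonce_reuse(MSG1, sig1, MSG2, sig2) == PRIVATE_X

def demo_deterministic():
    """Same signer, no randomness at all, and r differs between messages."""
    sig1 = sign(PRIVATE_X, MSG1, deterministic_nonce(PRIVATE_X, MSG1))
    sig2 = sign(PRIVATE_X, MSG2, deterministic_nonce(PRIVATE_X, MSG2))
    ok = verify(PUBLIC_Y, MSG1, sig1) and verify(PUBLIC_Y, MSG2, sig2)
    return ok, sig1[0] != sig2[0]

if __name__ == "__main__":
    print("weak PRNG (verifies, key recovered):", demo_weak_prng())
    print("deterministic nonce (verifies, distinct r):", demo_deterministic())
```

The defender's takeaway matches Peter's point: key generation needs a good entropy source for either algorithm, but DSA additionally needs one at every signing, unless the nonce is derived deterministically as above, in which case a broken PRNG at signing time no longer discloses the key. A repeated r across a signer's output is also the cheapest thing to monitor for when auditing signatures.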
