ECDSA vs EDDSA

Peter Lebbing peter at digitalbrains.com
Wed Nov 12 14:28:05 CET 2014


On 10/11/14 17:31, Werner Koch wrote:
> Which is used in 2.1: 

That's great to hear, just like it is in general pretty great you got to
release a major new version! Congratulations!

After browsing a bit in the source, I conclude that RFC 6979 is used for
both classic DSA and ECDSA; something not immediately apparent from the
commit message when you don't know the code.

After reading parts of the Ed25519 specification[1], given the way they
formulate it there, I was left with the impression that ECDSA is
necessarily bound to real randomness. I completely forgot that RFC 6979
is cleverly designed to be a drop-in replacement with no changes needed
on the receiving side.

With Pete Stephenson also rightly calling out my wrong statement on the
Brainpool curves, I've come to regret my too hastily written reply. I
should have checked my statements. I already had enough doubt to qualify
my statement with "and (I believe also) Brainpool". There is enough FUD
out there without me adding to that :(.

But I'm glad people were quick to point out my factual errors. Thanks!

Peter.

[1] Bernstein, D., Duif, N., Lange, T., Schwabe, P., and B. Yang,
"High-speed high-security signatures", Journal of Cryptographic
Engineering Volume 2, Issue 2, pp. 77-89, September 2011,
<http://dx.doi.org/10.1007/s13389-012-0027-1>.

PS: Is there a better way to say "classic DSA"? What about
"ElGamal-style DSA"?

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>


