IETF Logo Mail Archive

Re: NIST publishes new DSA draft

David Shaw <dshaw@jabberwocky.com> Thu, 16 March 2006 21:22 UTC

Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FJzvO-00050d-QZ for openpgp-archive@lists.ietf.org; Thu, 16 Mar 2006 16:22:26 -0500
Received: from balder-227.proper.com ([192.245.12.227]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FJzvO-0001R3-E0 for openpgp-archive@lists.ietf.org; Thu, 16 Mar 2006 16:22:26 -0500
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k2GKpArU018960; Thu, 16 Mar 2006 13:51:10 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id k2GKpA9p018959; Thu, 16 Mar 2006 13:51:10 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from foobar.cs.jhu.edu (foobar.cs.jhu.edu [128.220.13.173]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k2GKp9vN018953 for <ietf-openpgp@imc.org>; Thu, 16 Mar 2006 13:51:10 -0700 (MST) (envelope-from dshaw@jabberwocky.com)
Received: from walrus.hsd1.ma.comcast.net (walrus.hsd1.ma.comcast.net [24.60.132.70]) by foobar.cs.jhu.edu (8.11.6/8.11.6) with ESMTP id k2GKp8k17729; Thu, 16 Mar 2006 15:51:08 -0500
Received: from grover.jabberwocky.com (grover.jabberwocky.com [172.24.84.28]) by walrus.hsd1.ma.comcast.net (8.12.8/8.12.8) with ESMTP id k2GKp76c009560; Thu, 16 Mar 2006 15:51:07 -0500
Received: from grover.jabberwocky.com (grover.jabberwocky.com [127.0.0.1]) by grover.jabberwocky.com (8.13.1/8.13.1) with ESMTP id k2GKp2tb010073; Thu, 16 Mar 2006 15:51:02 -0500
Received: (from dshaw@localhost) by grover.jabberwocky.com (8.13.1/8.13.1/Submit) id k2GKp2Px010072; Thu, 16 Mar 2006 15:51:02 -0500
Date: Thu, 16 Mar 2006 15:51:02 -0500
From: David Shaw <dshaw@jabberwocky.com>
To: Hal Finney <hal@finney.org>
Cc: ietf-openpgp@imc.org
Subject: Re: NIST publishes new DSA draft
Message-ID: <20060316205102.GB9834@jabberwocky.com>
Mail-Followup-To: Hal Finney <hal@finney.org>, ietf-openpgp@imc.org
References: <20060316201951.3A87557FB0@finney.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20060316201951.3A87557FB0@finney.org>
OpenPGP: id=99242560; url=http://www.jabberwocky.com/david/keys.asc
User-Agent: Mutt/1.5.11
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: cab78e1e39c4b328567edb48482b6a69

On Thu, Mar 16, 2006 at 12:19:51PM -0800, "Hal Finney" wrote:
> David Shaw writes:
> > Unless DSA2 is also a MUST, I wonder what the practical advantage to
> > that would be (beyond making the social point that we really, really
> > want people to move away from SHA-1).  Since an OpenPGP program would
> > not necessarily know whether the recipient could handle SHA-256
> > (SHA-256 dates from around 2004, implementation-wise), it would have
> > to use SHA-1 in many or most cases anyway.  Obviously a DSA2 signature
> > wouldn't be expected to work, but an RSA signature would have this
> > problem, and DSA1 (using a truncated SHA-256) would have the problem
> > as well for both truncation and SHA-256 reasons.
> 
> OK, but maybe a "SHOULD" like Werner suggested, then?

Absolutely.  I'm in favor of SHOULD.  This implies that DSA with
160-bit q is a MUST (as it is now), and DSA with >160-bit q is not a
MUST (though an implementation must at least know that DSA might have
a larger q and not blow up).

> At this point I like the idea of keeping the same algorithm ID.  All the
> code and algorithms are the same, so using a different alg ID just
> for different key sizes doesn't really make sense.  Using a different
> algorithm ID will be, from the future perspective, a historical artifact.
> And I don't see that it really helps interoperability to use a new ID.
> Either way, the bottom line is that old code won't work with the new
> keys and new code will.  Plus it makes implementation of the change a
> lot easier - granted, a minor point, but on top of everything else I
> see this as the preferable strategy.

While I agree that the bottom line is that the old code won't work and
the new code will, using a different algorithm ID potentially gives a
better (and more user-comprehensible) error than using the same
algorithm ID does when the old code doesn't work.  That is to say, it
may fail "prettier" (it does in the GPG case).  I don't think it's
that big of a deal, and I'm not arguing for it.

On a related issue, do you think a feature flag to indicate the
ability to handle a truncated hash would be a good idea?  I'm leaning
towards no, as it would only be really useful in the sign+encrypt case
(where the implementation knows who the recipient(s) are and can thus
consult feature flags), but perhaps that's enough to justify it.

David

v2.23.0 | Report a Bug | By Email