RFC: DSA key lengths; Elgamal type 16 v. type 20

"Brian M. Carlson" <karlsson@hal-pc.org> Sat, 24 August 2002 22:17 UTC

Received: from above.proper.com (mail.proper.com []) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA18775 for <openpgp-archive@lists.ietf.org>; Sat, 24 Aug 2002 18:17:27 -0400 (EDT)
Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g7OM5Rr23495 for ietf-openpgp-bks; Sat, 24 Aug 2002 15:05:27 -0700 (PDT)
Received: from mail.hal-pc.org (mail.hal-pc.org []) by above.proper.com (8.11.6/8.11.3) with ESMTP id g7OM5Q223491 for <ietf-openpgp@imc.org>; Sat, 24 Aug 2002 15:05:26 -0700 (PDT)
Received: from [] (HELO stonewall) by mail.hal-pc.org (CommuniGate Pro SMTP 3.5.9) with SMTP id 18270920 for ietf-openpgp@imc.org; Sat, 24 Aug 2002 17:05:04 -0500
Received: by stonewall (sSMTP sendmail emulation); Sat, 24 Aug 2002 22:05:06 +0000
From: "Brian M. Carlson" <karlsson@hal-pc.org>
Date: Sat, 24 Aug 2002 22:05:06 +0000
To: ietf-openpgp@imc.org
Subject: RFC: DSA key lengths; Elgamal type 16 v. type 20
Message-ID: <20020824220506.GC12225@stonewall>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-ripemd160; protocol="application/pgp-signature"; boundary="ZmUaFz6apKcXQszQ"
Content-Disposition: inline
User-Agent: Mutt/1.4i
X-Operating-System: Linux stonewall 2.4.18-k7
Content-Conversion: prohibited
X-Request-PGP: http://decoy.wox.org/~bmc/openpgp/pub560553e7.asc
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

I'd like to nitpick for a second. Section 12.6 states, "Note that present
DSA is limited to a maximum of 1024 bit keys, which are recommended for
long-term use." Actually, it is DSS (the *standard*), not DSA (the
*algorithm*) that is limited to 1024 bits. I'd like to suggest that we
replace that sentence with, "DSA keys SHOULD NOT exceed a size of 1024
bits." This way, we can maintain backwards compatibility and compliance
with DSS, while providing adequate security for people who really want
it. Might I point out that IEEE P1363 allows for DSA keys longer than
1024 bits, so there is precedent in the cryptographic community.

I'd also like to suggest that we deprecate Elgamal type 16 in favor of
Elgamal type 20 combined with key flags. This is exactly what we did with
RSA types 2 and 3. It encourages implementations to implement key flags,
and it will lessen the usage of an encrypt-only type. It still allows
implementations to maintain backwards compatibility, because it does not
remove the type altogether.

Brian M. Carlson <karlsson@hal-pc.org> <http://decoy.wox.org/~bmc> 0x560553E7
I will make you shorter by the head.
		-- Elizabeth I