Re: RFC: DSA key lengths; Elgamal type 16 v. type 20
Len Sassaman <rabbi@abditum.com> Mon, 26 August 2002 21:12 UTC
Received: from above.proper.com (mail.proper.com [208.184.76.45]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA22558 for <openpgp-archive@lists.ietf.org>; Mon, 26 Aug 2002 17:12:38 -0400 (EDT)
Received: by above.proper.com (8.11.6/8.11.3) id g7QKuAF10650 for ietf-openpgp-bks; Mon, 26 Aug 2002 13:56:10 -0700 (PDT)
Received: from thetis.deor.org (thetis.deor.org [207.106.86.210]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g7QKu8210644 for <ietf-openpgp@imc.org>; Mon, 26 Aug 2002 13:56:08 -0700 (PDT)
Received: by thetis.deor.org (Postfix, from userid 500) id BE62C4501B; Mon, 26 Aug 2002 13:56:07 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by thetis.deor.org (Postfix) with ESMTP id AAE7D48023; Mon, 26 Aug 2002 13:56:07 -0700 (PDT)
Date: Mon, 26 Aug 2002 13:56:07 -0700
From: Len Sassaman <rabbi@abditum.com>
X-Sender: <rabbi@thetis.deor.org>
To: Jon Callas <jon@callas.org>
Cc: "Brian M. Carlson" <karlsson@hal-pc.org>, OpenPGP <ietf-openpgp@imc.org>
Subject: Re: RFC: DSA key lengths; Elgamal type 16 v. type 20
In-Reply-To: <B98DCB9B.7D7A%jon@callas.org>
Message-ID: <Pine.LNX.4.30.QNWS.0208260007310.19973-100000@thetis.deor.org>
X-AIM: Elom777
X-icq: 10735603
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
On Sat, 24 Aug 2002, Jon Callas wrote: > So far as I know, DSS or DSA, or whatever, mandates SHA-1. What hash > algorithm does P1363 use with longer keys? What semantics does it have to go > with it? P1363 doesn't seem to be linked off of the IEEE site anymore. Does anyone have a copy they can mirror? I think Brian is right, though. While DSS (in FIPS 186 and ANSI X9.30) mandates SHA-1 and limits p to 1024 bits, OpenPGP is specifying DSA, not DSS. I understand DSA to be limited to 1024 bits when using a 160 bit hash. Using a larger hash would allow for larger key sizes. There has been some speculation that a revised DSS may be specified by NIST using the new larger SHA hashes. Should we anticipate this and add the new SHAs (at least SHA-512) to the spec? FWIW, I believe that one of the "ckt" unofficial builds of PGP used larger DSA keys with "double width SHA1". (I'm surprised, actually, that RFC 2440 even specifies double-width SHA1, since it's my understanding that most cryptographers are skeptical that double-width SHA1 is any better than single-width SHA1 for DSA.) Shouldn't wide SHA1 be deprecated in favor of one of the newer NIST SHAs? --Len.
- Re: RFC: DSA key lengths; Elgamal type 16 v. type… Werner Koch
- RFC: DSA key lengths; Elgamal type 16 v. type 20 Brian M. Carlson
- Re: RFC: DSA key lengths; Elgamal type 16 v. type… Jon Callas
- Re: RFC: DSA key lengths; Elgamal type 16 v. type… disastry
- Re: RFC: DSA key lengths; Elgamal type 16 v. type… Len Sassaman
- Re: RFC: DSA key lengths; Elgamal type 16 v. type… Jon Callas
- Re: RFC: DSA key lengths; Elgamal type 16 v. type… Brian M. Carlson