Re: RFC: DSA key lengths; Elgamal type 16 v. type 20

Jon Callas <> Mon, 26 August 2002 22:44 UTC

On 8/26/02 1:56 PM, "Len Sassaman" <> wrote:

> I think Brian is right, though. While DSS (in FIPS 186 and ANSI X9.30)
> mandates SHA-1 and limits p to 1024 bits, OpenPGP is specifying DSA, not
> DSS.

I think quibbling over the differences between DSS and DSA is as productive
as quibbling over the differences between DES and DEA. I have heard it
asserted that 3DES should actually be called 3DEA because the process of
tripling violates the standard. Whatever. We all know what it means.

We need to figure out what the smart thing to do is, and if I need to edit
an S into an A or vice-versa, it's trivial to do that.

However, I want to quit tweaking and get a new RFC number on it.

> I understand DSA to be limited to 1024 bits when using a 160 bit hash.
> Using a larger hash would allow for larger key sizes. There has been some
> speculation that a revised DSS may be specified by NIST using the new
> larger SHA hashes. Should we anticipate this and add the new SHAs (at
> least SHA-512) to the spec?

We anticipated this as of bis03, August 2000. All the wide SHAs are there.

> FWIW, I believe that one of the "ckt" unofficial builds of PGP used larger
> DSA keys with "double width SHA1". (I'm surprised, actually, that RFC 2440
> even specifies double-width SHA1, since it's my understanding that most
> cryptographers are skeptical that double-width SHA1 is any better than
> single-width SHA1 for DSA.) Shouldn't wide SHA1 be deprecated in favor of
> one of the newer NIST SHAs?

The double-wide SHA work was done pre-2440. It was done pre-me. As I
remember what I was told, it was experimental work done by Colin Plumb and
Derek Atkins, but maybe Hal Finney was involved. In any event, the present
language says, "Reserved for double-width SHA (experimental, obviated)." I
am happy to change that to say merely "Reserved" lest someone get the idea
it is useful. There are also no OIDs for DWSHA.