Re: RFC: DSA key lengths; Elgamal type 16 v. type 20

"Brian M. Carlson" <karlsson@hal-pc.org> Tue, 27 August 2002 01:34 UTC

From: "Brian M. Carlson" <karlsson@hal-pc.org>
Date: Tue, 27 Aug 2002 01:24:40 +0000
To: Jon Callas <jon@callas.org>
Cc: OpenPGP <ietf-openpgp@imc.org>
Subject: Re: RFC: DSA key lengths; Elgamal type 16 v. type 20
Message-ID: <20020827012440.GA4124@stonewall>
References: <20020824220506.GC12225@stonewall> <B98DCB9B.7D7A40051510001001240420n@callas.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-ripemd160"; protocol="application/pgp-signature"; boundary="a8Wt8u1KmwUX3Y2C"
Content-Disposition: inline
In-Reply-To: <B98DCB9B.7D7A40051510001001240420n@callas.org>
User-Agent: Mutt/1.4i
Content-Conversion: prohibited
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk

On Sat, Aug 24, 2002 at 11:47:39PM -0700, Jon Callas wrote:
> 
> On 8/24/02 3:05 PM, "Brian M. Carlson" <karlsson@hal-pc.org> wrote:
> 
> > I'd like to nitpick for a second. Section 12.6 states, "Note that present
> > DSA is limited to a maximum of 1024 bit keys, which are recommended for
> > long-term use." Actually, it is DSS (the *standard*), not DSA (the
> > *algorithm*) that is limited to 1024 bits. I'd like to suggest that we
> > replace that sentence with, "DSA keys SHOULD NOT exceed a size of 1024
> > bits." This way, we can maintain backwards compatibility and compliance
> > with DSS, while providing adequate security for people who really want
> > it. Might I point out that IEEE P1363 allows for DSA keys longer than
> > 1024 bits, so there is precedent in the cryptographic community.
> > 
> 
> So far as I know, DSS or DSA, or whatever, mandates SHA-1. What hash
> algorithm does P1363 use with longer keys? What semantics does it have to go
> with it?

I believe it uses SHA1, because it keeps the size of q the same. You will
have to subscribe to the mailing list to get the password to fetch the
document.

Mailing List:
http://grouper.ieee.org/groups/1363/WorkingGroup/maillist.html

If it doesn't exist anymore, you can email me and ask for it.

> > I'd also like to suggest that we deprecate Elgamal type 16 in favor of
> > Elgamal type 20 combined with key flags. This is exactly what we did with
> > RSA types 2 and 3. It encourages implementations to implement key flags,
> > and it will lessen the usage of an encrypt-only type. It still allows
> > implementations to maintain backwards compatibility, because it does not
> > remove the type altogether.
> 
> Well, there are people who believe that Elgamal signatures should be
> deprecated, and were a mistake to put in the standard to begin with. I think
> it's better to leave it as it is and let gentle persons continue to
> disagree.

My point is not that we enforce the use of Elgamal signatures, but that
we encourage the use of key flags to signal the purpose of the key. I
think sign-only/encrypt-only keys are broken. If someone wants to create
a type 20 key with key flags packet that says it is for encryption only,
then that person should not be required to create that key (rather,
subkey) with the strict additional conditions for signatures. I also
think implementations should accept such keys as they currently accept
type 16 keys (PGP does not, I think).

As an additional benefit, if some implementations just happen to accept
Elgamal signatures, well, ok.

-- 
Brian M. Carlson <karlsson@hal-pc.org> <http://decoy.wox.org/~bmc> 0x560553E7
Now hatred is by far the longest pleasure;
Men love in haste, but they detest at leisure.
		-- George Gordon, Lord Byron, "Don Juan"

Re: RFC: DSA key lengths; Elgamal type 16 v. type… Werner Koch
RFC: DSA key lengths; Elgamal type 16 v. type 20 Brian M. Carlson
Re: RFC: DSA key lengths; Elgamal type 16 v. type… Jon Callas
Re: RFC: DSA key lengths; Elgamal type 16 v. type… disastry
Re: RFC: DSA key lengths; Elgamal type 16 v. type… Len Sassaman
Re: RFC: DSA key lengths; Elgamal type 16 v. type… Jon Callas
Re: RFC: DSA key lengths; Elgamal type 16 v. type… Brian M. Carlson