Re: NIST publishes new DSA draft
David Shaw <dshaw@jabberwocky.com> Thu, 16 March 2006 19:55 UTC
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FJyZ9-0008GW-Hg for openpgp-archive@lists.ietf.org; Thu, 16 Mar 2006 14:55:23 -0500
Received: from balder-227.proper.com ([192.245.12.227]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FJyZ9-0006YI-3q for openpgp-archive@lists.ietf.org; Thu, 16 Mar 2006 14:55:23 -0500
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k2GJSXNZ015826; Thu, 16 Mar 2006 12:28:33 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id k2GJSX5D015825; Thu, 16 Mar 2006 12:28:33 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from foobar.cs.jhu.edu (foobar.cs.jhu.edu [128.220.13.173]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k2GJSWPM015813 for <ietf-openpgp@imc.org>; Thu, 16 Mar 2006 12:28:33 -0700 (MST) (envelope-from dshaw@jabberwocky.com)
Received: from walrus.hsd1.ma.comcast.net (walrus.hsd1.ma.comcast.net [24.60.132.70]) by foobar.cs.jhu.edu (8.11.6/8.11.6) with ESMTP id k2GJSTk17364; Thu, 16 Mar 2006 14:28:29 -0500
Received: from grover.jabberwocky.com (grover.jabberwocky.com [172.24.84.28]) by walrus.hsd1.ma.comcast.net (8.12.8/8.12.8) with ESMTP id k2GJSR6c009284; Thu, 16 Mar 2006 14:28:27 -0500
Received: from grover.jabberwocky.com (grover.jabberwocky.com [127.0.0.1]) by grover.jabberwocky.com (8.13.1/8.13.1) with ESMTP id k2GJSNP1009978; Thu, 16 Mar 2006 14:28:23 -0500
Received: (from dshaw@localhost) by grover.jabberwocky.com (8.13.1/8.13.1/Submit) id k2GJSNRi009977; Thu, 16 Mar 2006 14:28:23 -0500
Date: Thu, 16 Mar 2006 14:28:23 -0500
From: David Shaw <dshaw@jabberwocky.com>
To: Hal Finney <hal@finney.org>
Cc: ietf-openpgp@imc.org
Subject: Re: NIST publishes new DSA draft
Message-ID: <20060316192823.GA9945@jabberwocky.com>
Mail-Followup-To: Hal Finney <hal@finney.org>, ietf-openpgp@imc.org
References: <20060314194447.4D59A57FB0@finney.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20060314194447.4D59A57FB0@finney.org>
OpenPGP: id=99242560; url=http://www.jabberwocky.com/david/keys.asc
User-Agent: Mutt/1.5.11
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 4b800b1eab964a31702fa68f1ff0e955
On Tue, Mar 14, 2006 at 11:44:47AM -0800, "Hal Finney" wrote: > The main question is whether we want to change the current draft to make > these changes. That would probably require backing it out of "last > call" status. Personally I think this makes sense. There is no one > waiting urgently for this draft to be finalized AFAIK. The alternative > will be to immediately amend the RFC with another RFC. But for the sake > of future implementors I think it would be better to wait a few months > more and put it all into one draft. I agree with this. It is unfortunate, but will ultimately result in a better RFC. > We do not have an algorithm ID for SHA-224. SHA-224 is the same > algorithm as SHA-256 but uses different initial values internally, > and then truncates the result to 224 bits. I don't see any advantage > in this case to using SHA-224 over using SHA-256 truncated to 224 bits. > However we might want to add an ID for it in case an implementor wanted > to follow the new DSS spec very closely. Given that the main alternative is truncated SHA-256, which implies SHA-256 support in the first place, and the code difference between SHA-256 and 224 is simple to say the least (as you say, same algorithm), I think we should add the ID (#7 ?) for SHA-224. It's a checkbox item that we can trivially support. > The simplest change we could make would be to allow that DSA keys can > use modulus "p" and subgroup "q" values of the specified sizes, based > on the table above. Hashes should be equal in size or larger than the > "q" size. Hashes larger than the "q" size should be left-truncated. > Then we could note that for DSS compliance the hashes must be taken from > the SHA family, either SHA-1 or one of the larger SHA's. > > We might want to think about making SHA-256 be another MUST algorithm. > The only MUST hash now is SHA-1. Making SHA-256 be a MUST would make > these new key sizes be more useful, and also give us an easier fallback > if SHA-1 should be broken. Unless DSA2 is also a MUST, I wonder what the practical advantage to that would be (beyond making the social point that we really, really want people to move away from SHA-1). Since an OpenPGP program would not necessarily know whether the recipient could handle SHA-256 (SHA-256 dates from around 2004, implementation-wise), it would have to use SHA-1 in many or most cases anyway. Obviously a DSA2 signature wouldn't be expected to work, but an RSA signature would have this problem, and DSA1 (using a truncated SHA-256) would have the problem as well for both truncation and SHA-256 reasons. A few months back you asked the question whether new DSAs would best be supported by extending the definition of the current DSA, or by assigning a new algorithm ID for DSA2. At the time, most people (myself included) felt that extending the current DSA would be the right answer. Now that we have actual information about DSA2, perhaps it would be worth revisiting that question. A new algorithm ID for DSA2 resolves a number of problems in one fell swoop as there is no expectation of interoperability. SHA-256 is always usable (effectively the default) for DSA2, and there is no problem with knowing when it is possible to use truncation (always). > I also think we should change the names of SHA256 etc to use dashes > as in SHA-256; those are the official names. To be clear here: are you referring to changing the descriptive text in the draft or changing the hash name strings as used in clearsigned message "Hash:" headers? The first is easy and I agree should be done, the second has compatibility implications. David
- NIST publishes new DSA draft David Shaw
- Re: NIST publishes new DSA draft "Hal Finney"
- Re: NIST publishes new DSA draft James Couzens
- Re: NIST publishes new DSA draft "Hal Finney"
- Re: NIST publishes new DSA draft James Couzens
- Re: NIST publishes new DSA draft "Hal Finney"
- Re: NIST publishes new DSA draft Ian Grigg
- Re: NIST publishes new DSA draft Werner Koch
- Re: NIST publishes new DSA draft Ben Laurie
- Re: NIST publishes new DSA draft Ben Laurie
- Re: NIST publishes new DSA draft vedaal
- RE: NIST publishes new DSA draft Anton Stiglic
- Re: NIST publishes new DSA draft David Shaw
- Re: NIST publishes new DSA draft "Hal Finney"
- Re: NIST publishes new DSA draft David Shaw
- Re: NIST publishes new DSA draft Ian G
- Re: NIST publishes new DSA draft Werner Koch
- Re: NIST publishes new DSA draft David Shaw
- Re: NIST publishes new DSA draft Jon Callas
- Re: NIST publishes new DSA draft Jon Callas
- Re: NIST publishes new DSA draft Ian G
- Re: NIST publishes new DSA draft David Shaw
- Re: NIST publishes new DSA draft Tony Hansen
- Re: NIST publishes new DSA draft David Shaw
- Re: NIST publishes new DSA draft Ben Laurie
- Re: NIST publishes new DSA draft Jon Callas
- Re: NIST publishes new DSA draft Jon Callas
- Re: NIST publishes new DSA draft Ben Laurie
- Re: NIST publishes new DSA draft Jon Callas