Re: NIST publishes new DSA draft
David Shaw <dshaw@jabberwocky.com> Fri, 17 March 2006 18:07 UTC
On Fri, Mar 17, 2006 at 04:54:21PM +0100, Werner Koch wrote:
>
> On Fri, 17 Mar 2006 16:01:25 +0100, Ian G said:
>
> >> right answer.  Now that we have actual information about DSA2, perhaps
> >> it would be worth revisiting that question.  A new algorithm ID for
> >> DSA2 resolves a number of problems in one fell swoop as there is no
> >> expectation of interoperability.  SHA-256 is always usable
> >> (effectively the default) for DSA2, and there is no problem with
> >> knowing when it is possible to use truncation (always).
>
> > Sounds good to me.
>
> I support this too.  The majority of keys are DSA keys q=160 bit.
> Having a new algorithm identifier will help more than harm.

Even though I originally brought it up, I've given this a good bit of
additional thought while mailing with Hal on the list yesterday, and I
think it really does come down to something as simple as a question of
error messages.  I'm not for a new algorithm ID.

It breaks down like this:

1) a q==160 signature without truncation (hash size matches q exactly)
2) a q==160 signature with truncation (hash left-truncated to match q)
3) a q!=160 signature without truncation (hash size matches q exactly)
4) a q!=160 signature with truncation (hash left-truncated to match q)

I'm not mentioning the larger key size in DSA2 as I believe that
deployed code will handle larger DSA key sizes correctly.

Obviously #1 isn't a problem, as it is what DSA is today.  I think PGP
can actually do #2, but for the sake of argument, let's say that
nobody can do #2, #3, or #4 on current code.

If we don't assign a new algo ID for DSA2, #3 and #4 will fail because
of the wrong q size, and #2 will fail because of the truncation.

If we do assign the new ID, as before #2, #3, and #4 will fail - but
so will #1!  Even though the signatures are compatible, the new algo
ID will cause the signature to fail on the older implementation.  This
argues against a new algo ID.  Even if we don't create DSA2 q=160 keys
(internally changing them to DSA1 keys), this just returns the
question to neutral, and the extra code complexity and questions (will
it break any keyservers?  It will certainly break pksd) of assigning
the new algo ID argue against it.

David
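The four-case breakdown in the message above can be checked mechanically; the following is an added example, not part of David Shaw's message or of any OpenPGP implementation. It models a deployed verifier under the message's for-the-sake-of-argument assumption and compares three ID-assignment policies; `NEW_ID`, the policy names, and the q != 160 sizes are assumptions made for illustration.

```python
import hashlib

DSA_ID = 17    # OpenPGP public-key algorithm ID for DSA
NEW_ID = 100   # hypothetical ID for "DSA2" (assumption, not assigned anywhere)

# The four cases from the message as (q bits, hash bits). The q != 160 sizes
# and the hash choices are constructed samples.
CASES = {1: (160, 160), 2: (160, 256), 3: (256, 256), 4: (224, 256)}

def truncate_left(digest: bytes, q_bits: int) -> int:
    """Keep the leftmost q_bits of the digest (no-op if it is not longer)."""
    h_bits = len(digest) * 8
    z = int.from_bytes(digest, "big")
    return z >> (h_bits - q_bits) if h_bits > q_bits else z

def legacy_accepts(algo_id: int, q_bits: int, hash_bits: int) -> bool:
    """Deployed verifier under the message's for-the-sake-of-argument
    assumption: known algorithm ID, q == 160, hash exactly as long as q."""
    return algo_id == DSA_ID and q_bits == 160 and hash_bits == q_bits

def failing_cases(policy: str) -> list:
    """Cases a legacy verifier rejects under an ID-assignment policy:
    'reuse' (keep ID 17), 'new_for_all', or 'new_unless_q160'."""
    failed = []
    for case, (q_bits, hash_bits) in CASES.items():
        if policy == "reuse":
            algo = DSA_ID
        elif policy == "new_for_all":
            algo = NEW_ID
        elif policy == "new_unless_q160":
            algo = DSA_ID if q_bits == 160 else NEW_ID
        else:
            raise ValueError(f"unknown policy: {policy}")
        if not legacy_accepts(algo, q_bits, hash_bits):
            failed.append(case)
    return failed

if __name__ == "__main__":
    for policy in ("reuse", "new_for_all", "new_unless_q160"):
        print(f"{policy:16} legacy verifier rejects cases {failing_cases(policy)}")
    digest = hashlib.sha256(b"constructed sample message").digest()
    print(f"SHA-256 truncated to q=160: {truncate_left(digest, 160):040x}")
```

The `new_unless_q160` policy rejects the same cases as `reuse`, which is the "returns the question to neutral" outcome the message describes.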