Re: RFC: DSA key lengths; Elgamal type 16 v. type 20

[Jon Callas <jon@xxxxxxxxxx>]

On 8/24/02 3:05 PM, "Brian M. Carlson" <karlsson@xxxxxxxxxx> wrote:

> I'd like to nitpick for a second. Section 12.6 states, "Note that present
> DSA is limited to a maximum of 1024 bit keys, which are recommended for
> long-term use." Actually, it is DSS (the *standard*), not DSA (the
> *algorithm*) that is limited to 1024 bits. I'd like to suggest that we
> replace that sentence with, "DSA keys SHOULD NOT exceed a size of 1024
> bits." This way, we can maintain backwards compatibility and compliance
> with DSS, while providing adequate security for people who really want
> it. Might I point out that IEEE P1363 allows for DSA keys longer than
> 1024 bits, so there is precedent in the cryptographic community.
> 

So far as I know, DSS or DSA, or whatever, mandates SHA-1. What hash
algorithm does P1363 use with longer keys? What semantics does it have to go
with it?

> I'd also like to suggest that we deprecate Elgamal type 16 in favor of
> Elgamal type 20 combined with key flags. This is exactly what we did with
> RSA types 2 and 3. It encourages implementations to implement key flags,
> and it will lessen the usage of an encrypt-only type. It still allows
> implementations to maintain backwards compatibility, because it does not
> remove the type altogether.

Well, there are people who believe that Elgamal signatures should be
deprecated, and were a mistake to put in the standard to begin with. I think
it's better to leave it as it is and let gentle persons continue to
disagree.

    Jon