On Wed, Sep 13, 2017 at 10:32 AM, Don Armstrong <[email protected]> wrote:

> On Tue, 12 Sep 2017, Greg Wooledge wrote:
> > More recently, it has been learned that the DSA keys are "weak"
> > (citation needed), and so the recommendations have shifted.
>
> https://security.stackexchange.com/questions/112802/why-openssh-deprecated-dsa-keys
> and https://weakdh.org/ explain some of the rationale.


Just thinking out loud for those who won't read that article:
One of its main points is not that DSA is cryptographically weak, as has
been broadly mentioned, but rather that a coding flaw in ssh-keygen limits
the key size for DSA to 1024 because the developers did not track the
evolving FIPS standards.

Quoting: "This can be viewed as a case of OpenSSH developers being
proactive in their notion of security and are ready to force users to use
strong crypto. Another way of seeing the very same sequence of decisions is
that OpenSSH developers blundered badly at some point because of some poor
reading of FIPS 186, and then sought to cover it in the equivalent of
dumping at sea the corpse of the inconvenient husband."
