Jeffrey Walton <noloa...@gmail.com> writes:
>
> > Also, if DSA was to be supported, one would need to specify how to
> > determine the hash function (use of fixed SHA-1 doesn't fly). And
> > 1024-bit prime is too small.
>
> FIPS186-4 (http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf)
> partially remediates the issue. DSA now includes 2048 and 3072 sizes.
This is true, but if TLS 1.3 was to specify DSA, it should require the 2048 or 3072 sizes (since 1024 is last century's crypto), and existing implementations do not necessarily support those today. Which really highlights the question: who would actually use it? ECDSA can be smaller, faster, and more secure all at once; and if you don't like ECDSA or want an alternative, there's RSA.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls