On 08/28/2015 08:17 PM, Geoffrey Keating wrote:
Jeffrey Walton <noloa...@gmail.com> writes:

Also, if DSA was to be supported, one would need to specify how to
determine the hash function (use of fixed SHA-1 doesn't fly). And a
1024-bit prime is too small.

FIPS186-4 (http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf)
partially remediates the issue. DSA now includes 2048 and 3072 sizes.
This is true, but if TLS 1.3 was to specify DSA, it should require the
2048 or 3072 sizes (since 1024 is last century's crypto), and existing
implementations do not necessarily support those today.


That's sort of a generic statement. I know NSS supports 2048 and 3072 bit DSA.


Which really highlights the question: who would actually use it?
ECDSA can be smaller, faster, and more secure all at once; and if you
don't like ECDSA or want an alternative, there's RSA.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
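As an added example, not from the thread or any of its participants, here is a small Python check that captures the two objections raised above: it validates DSA domain parameters against the FIPS 186-4 approved (L, N) pairs, applies a policy minimum of L = 2048, runs the structural checks (p and q prime, q | p - 1, g of order q), and picks a hash whose output is at least N bits rather than a fixed SHA-1. It uses only the standard library; the toy parameters (p = 23, q = 11, g = 4) are constructed for illustration and, as expected, pass the structural checks but fail the size policy.

```python
import random

# FIPS 186-4 section 4.2 approved (L, N) pairs. (1024, 160) is in the standard
# for legacy use only; the min_L policy below rejects it.
APPROVED_LN = {(1024, 160), (2048, 224), (2048, 256), (3072, 256)}


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test with a fixed seed, so results are reproducible."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def size_policy(L, N, min_L=2048):
    """True if (L, N) is an approved pair and L meets the local minimum."""
    return (L, N) in APPROVED_LN and L >= min_L


def hash_for_n(N):
    """Smallest SHA-2 hash whose output is at least N bits (FIPS 186-4 truncates longer outputs to N)."""
    for name, bits in (("sha224", 224), ("sha256", 256), ("sha384", 384), ("sha512", 512)):
        if bits >= N:
            return name
    return None


def check_dsa_params(p, q, g, min_L=2048):
    """Return a list of findings about the domain parameters; an empty list means they pass."""
    findings = []
    L, N = p.bit_length(), q.bit_length()
    if (L, N) not in APPROVED_LN:
        findings.append(f"(L, N) = ({L}, {N}) is not an approved FIPS 186-4 pair")
    if L < min_L:
        findings.append(f"L = {L} is below the policy minimum of {min_L} bits")
    if not is_probable_prime(p):
        findings.append("p is not prime")
    if not is_probable_prime(q):
        findings.append("q is not prime")
    if (p - 1) % q != 0:
        findings.append("q does not divide p - 1")
    if not 1 < g < p:
        findings.append("g is outside the range (1, p)")
    elif pow(g, q, p) != 1:
        findings.append("g does not have order q")
    return findings


if __name__ == "__main__":
    # Constructed toy parameters: structurally valid, far too small.
    p, q, g = 23, 11, 4
    for finding in check_dsa_params(p, q, g):
        print("finding:", finding)
    print("hash for N=256:", hash_for_n(256))
```

The structural checks are the cheap subset of FIPS 186-4 domain-parameter validation; full validation also reconstructs the generation seed, which a TLS endpoint receiving parameters from a peer generally cannot do, so the size policy and the order-of-g check are what a verifier can realistically enforce.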

