On Friday 28 August 2015 20:17:11 Geoffrey Keating wrote:
> Jeffrey Walton <noloa...@gmail.com> writes:
>
> > > Also, if DSA was to be supported, one would need to specify how to
> > > determine the hash function (use of fixed SHA-1 doesn't fly). And
> > > 1024-bit prime is too small.
> >
> > FIPS186-4
> > (http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf)
> > partially remediates the issue. DSA now includes 2048 and 3072
> > sizes.
It still doesn't say exactly which hash should be used with which sizes, and unlike RSA, the signature itself doesn't specify it either, so hash truncation attacks are not impossible.

> This is true, but if TLS 1.3 was to specify DSA, it should require the
> 2048 or 3072 sizes (since 1024 is last century's crypto), and
> existing implementations do not necessarily support those today.

Those sizes are not really interoperable:
https://bugzilla.redhat.com/show_bug.cgi?id=1238369
because of the above (GnuTLS takes the conservative approach, which is incompatible with the NSS implementation).

> Which really highlights the question: who would actually use it?

Since 1024 bit is too weak and 2048 bit and 3072 bit are underspecified for TLS 1.2, it already isn't recommended for use (which means that the biggest deployment of DSA - US Gov - can't really use those bigger sizes, and in fact the Common Access Card already transitioned to RSA with the change to 2048 bit).

-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
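The hash-binding point made in the thread (a DSA signature carries nothing that names the hash, and FIPS 186-4 feeds only the leftmost N bits of the digest into the signature), as an added Python example that is not part of the thread or of any implementation discussed in it: textbook DSA over toy 512/160-bit parameters, showing that any digest agreeing with SHA-256 on its first 160 bits verifies against the same signature while a SHA-512 digest of the same message does not. The parameter sizes, the Miller-Rabin test and the sample message are assumptions made for the demo.

```python
import hashlib
import secrets
def is_prime(n, rounds=16):  # Miller-Rabin probable-prime test; assumes n > 3
    r = ((n - 1) & -(n - 1)).bit_length() - 1  # n - 1 = d * 2**r with d odd
    d = (n - 1) >> r
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x not in (1, n - 1) and not any(pow(x, 2 ** i, n) == n - 1 for i in range(1, r)):
            return False
    return True

def generate_params(L=512, N=160):  # toy DSA domain parameters; far too small for real use
    while True:
        q = secrets.randbits(N) | (1 << (N - 1)) | 1  # N-bit odd candidate for q
        k = (secrets.randbits(L - N) | (1 << (L - N - 1))) & ~1  # even, so p = k*q + 1 is odd
        p = k * q + 1
        if is_prime(q) and is_prime(p) and pow(2, k, p) > 1:
            return p, q, pow(2, k, p)  # g = h^((p-1)/q) mod p with h = 2

def z_from_digest(digest, q):  # FIPS 186-4 4.6/4.7: only the leftmost min(N, outlen) digest bits are used
    extra = len(digest) * 8 - q.bit_length()
    return int.from_bytes(digest, "big") >> max(extra, 0)

def sign(params, x, digest):
    p, q, g = params
    r = s = 0
    while not (r and s):  # retry on the (negligible) chance that r or s is zero
        k = secrets.randbelow(q - 1) + 1
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (z_from_digest(digest, q) + x * r) % q
    return r, s

def verify(params, y, digest, sig):
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    return pow(g, z_from_digest(digest, q) * w % q, p) * pow(y, r * w % q, p) % p % q == r

def demo(msg=b"constructed sample message"):
    """(SHA-256 digest verifies, digest sharing only its leftmost 160 bits verifies, SHA-512 digest verifies)."""
    p, q, g = params = generate_params()
    x = secrets.randbelow(q - 1) + 1  # private key
    y = pow(g, x, p)  # public key
    d256 = hashlib.sha256(msg).digest()
    sig = sign(params, x, d256)
    lookalike = d256[:20] + b"\xff" * 12  # same leftmost 160 bits as d256, different tail
    return (verify(params, y, d256, sig), verify(params, y, lookalike, sig),
            verify(params, y, hashlib.sha512(msg).digest(), sig))
```

Because the verifier cannot tell from (r, s) which hash the signer used, a TLS implementation has to fix the hash from the negotiated signature algorithm rather than accept whatever digest length it is handed.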