>> > > Also, if DSA was to be supported, one would need to specify how to
>> > > determine the hash function (use of fixed SHA-1 doesn't fly). And
>> > > 1024-bit prime is too small.
>> >
>> > FIPS186-4
>> > (http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf)
>> > partially remediates the issue. DSA now includes 2048 and 3072
>> > sizes.
>
> It still doesn't say exactly which hash should be used with which sizes.

I believe you are supposed to provide equivalent security levels across algorithms. If you are honoring NIST's recommendations, then you can find them in SP 800-57 Part 1, Revision 3 (http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf); and SP 800-131 A-Rev.1 (Draft) (http://csrc.nist.gov/publications/drafts/800-131A/sp800-131a_r1_draft.pdf). ECRYPT, NESSIE, and others provide similar recommendations. We can probably add the IETF to the list :)

> and unlike RSA, the signature itself doesn't specify it either so hash
> truncation attacks are not impossible
>
>> This is true, but if TLS 1.3 was to specify DSA, it should require the
>> 2048 or 3072 sizes (since 1024 is last century's crypto), and
>> existing implementations do not necessarily support those today.
>
> those sizes are not really interoperable:
> https://bugzilla.redhat.com/show_bug.cgi?id=1238369
> because of the above (GnuTLS takes the conservative approach which is
> incompatible with NSS implementation)
>
>> Which really highlights the question: who would actually use it?
>
> Since 1024 bit is too weak and 2048 bit and 3072 bit is underspecified
> for TLS 1.2 it already isn't recommended for use (which means that the
> biggest deployment of DSA - US Gov - can't really use those bigger
> sizes, and in fact the Common Access Card already transitioned to RSA
> with the change to 2048 bit).

Regarding "who would actually use it": folks in US Federal (and those doing business in US Federal) don't have the choices that others have.

Jeff

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls