On Fri, Apr 5, 2013 at 3:12 PM, Tristan Seligmann <mithra...@mithrandi.net> wrote:
> DSA keys larger than 1024 bit(?) are "non-standard", but I think the
> bigger issue is that DSA only supports 160-bit hashes; larger hashes will
> be truncated, which means you don't gain much by using SHA-256/SHA-512/etc.
> instead of SHA-1. DSA2 can handle larger hashes, but there's no real reason
> to use DSA2 when RSA is so widespread. I think this is the reason the
> defaults are changing (were changed?) in GnuPG.
>

As far as I can tell, the defaults are currently beyond plain old DSA. It appears this support has been in GnuPG since 2006 and in PGP since at least then, I would guess that it's been commonly available since 2008 or so. I'm not sure *why* it's DSA now, but I'm hoping the GPG people had good reasons :) (I'm guessing it's "adoption was sufficient that by the time we considered changing the default the reasons were no longer valid")

For DSA, GPG selects the first hash algorithm in your digest preference list that is of size >= q. q is the hash size for your DSA key, which is hardcoded into the key. The defaults in GPG are:

q = 160 for 1024 bit keys (i.e. plain old DSA)
q = 224 for 1024 to 2048 bit keys
q = 256 bit for 2048 to 3072 bit keys

You can use gpg --list-packets to view this, but the output is a little obscure. It's easier to use pgpdump, which, for my key produces (truncated output):

====
Public Key Packet(tag 6)(1198 bytes)
        Ver 4 - new
        Public key creation time - Sun Oct 14 13:56:19 UTC 2012
        Pub alg - DSA Digital Signature Algorithm(pub 17)
        DSA p(3072 bits) - ...
        DSA q(256 bits) - ...
        DSA g(3068 bits) - ...
        DSA y(3071 bits) - ...
====

The important bit is the q value: 256. Combined with my digest algorithm preferences, that means I'll get SHA-256 (first hash of sufficient size), not truncated (since 256 == 256 ;)).

I guess this is drifting off-topic though...
>

Sure thing :D I wasn't trying to argue for any particular algorithm, but simply that:

- if you have a recent key of maximum allowable size for whatever the default was on your system, you're probably fine
- signing a bunch of SHA sums is fine, provided it's SHA-256 or better, preferably SHA-512 (SHA-3 wouldn't be wrong, but isn't commonly supported yet, and SHA-2 has withstood attempts to break it so far better than anyone anticipated, so we're good).

cheers
lvh
_______________________________________________
Twisted-Python mailing list
Twisted-Python@twistedmatrix.com
http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python
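
The digest selection rule described in the message above, as an added example that is not part of the original thread and is not GnuPG's code: it reads the size of q from pgpdump output and picks the first preferred digest of size >= q, flagging whether that digest would be truncated. The preference lists are hypothetical and the pgpdump sample is constructed from the excerpt in the message.

```python
import re

# Digest sizes in bits, keyed by the names used in GnuPG preference lists.
DIGEST_BITS = {"SHA1": 160, "RIPEMD160": 160, "SHA224": 224,
               "SHA256": 256, "SHA384": 384, "SHA512": 512}

# Constructed sample: the pgpdump excerpt from the message, values elided as there.
SAMPLE_PGPDUMP = """\
Public Key Packet(tag 6)(1198 bytes)
    Ver 4 - new
    Pub alg - DSA Digital Signature Algorithm(pub 17)
    DSA p(3072 bits) - ...
    DSA q(256 bits) - ...
    DSA g(3068 bits) - ...
    DSA y(3071 bits) - ...
"""


def dsa_q_bits(pgpdump_text):
    """Return the bit length of q from pgpdump output, or None if absent."""
    match = re.search(r"^\s*DSA q\((\d+) bits\)", pgpdump_text, re.MULTILINE)
    return int(match.group(1)) if match else None


def select_digest(q_bits, preferences):
    """First digest in `preferences` with size >= q_bits, per the message.

    Returns (name, truncated), where truncated is True when the digest is
    longer than q and only its leftmost q_bits bits enter the signature.
    Returns None when no listed digest is large enough.
    """
    for name in preferences:
        bits = DIGEST_BITS.get(name.upper())
        if bits is None:
            continue  # unknown name: skip rather than guess its size
        if bits >= q_bits:
            return name.upper(), bits > q_bits
    return None


if __name__ == "__main__":
    prefs = ["SHA1", "SHA256", "SHA512"]  # hypothetical preference order
    q = dsa_q_bits(SAMPLE_PGPDUMP)
    print(q, select_digest(q, prefs))                   # 3072-bit key, q = 256
    print(160, select_digest(160, ["SHA512", "SHA1"]))  # 1024-bit key, q = 160
```

With q = 160 and a list that leads with SHA512, the rule as stated selects SHA512 but only 160 bits of it are signed, which is the truncation the quoted text refers to.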