On Thu, Mar 8, 2012 at 1:49 PM, Raymond Lillard <r...@sonic.net> wrote:
> Why does starttls(8) describe only DSA?
...
> Is this just because nobody has updated the man
> page, and are there reasons to prefer one over
> the other?

For quite a while, DSA *was* the Mandatory-To-Implement authentication algorithm for TLS. That changed only after RSA went out of patent protection. Updating the page would be a good thing, if anyone has time...

> I am being pressured to "fix" this.
>
> Should I dig into this and figure out how to
> use both? It looks like the easy thing to
> do is regenerate the certs with RSA alone.
> Is that advisable?

IMO, that's probably the best thing to do. If you have some sort of PKI infrastructure around your existing key(s), then it _might_ be useful to rebuild sendmail to support configuring it with *both* RSA and DSA keys, but I doubt it would be worth the complexity.

Philip Guenther
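The option the reply recommends, regenerating the STARTTLS certificate with an RSA key, as an added shell example that is not from the thread or from sendmail itself: it reports the public-key algorithm of a PEM certificate and replaces the key pair with a fresh RSA one only when the existing certificate is missing or not RSA. The directory, hostname, 2048-bit size and the use of a self-signed certificate in place of one issued by your CA are all assumptions.

```shell
#!/bin/sh
# Added example (not sendmail's own tooling). Requires the openssl CLI.
# Assumed layout: $dir/cert.pem and $dir/key.pem, which would then be named
# in sendmail.mc via confSERVER_CERT / confSERVER_KEY (and the CLIENT_ pair).
set -eu

# Print the public-key algorithm of a PEM certificate, e.g. "rsaEncryption"
# or "dsaEncryption", as reported by openssl x509 -text.
cert_key_alg() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Public Key Algorithm: //p'
}

# Generate a 2048-bit RSA key and a self-signed cert for the given CN.
# The key is made owner-only readable, which sendmail insists on.
gen_rsa_cert() {
    dir=$1
    cn=$2
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$cn" -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    chmod 600 "$dir/key.pem"
    echo "wrote RSA key and cert for $cn to $dir"
}

# Keep an existing RSA cert untouched; regenerate if absent or DSA/other.
regen_if_not_rsa() {
    dir=$1
    cn=$2
    if [ -f "$dir/cert.pem" ] && [ "$(cert_key_alg "$dir/cert.pem")" = "rsaEncryption" ]; then
        echo "keeping existing RSA cert in $dir"
        return 0
    fi
    gen_rsa_cert "$dir" "$cn"
}

# Usage (assumed paths): regen_if_not_rsa /etc/mail/certs mail.example.com
```

After regenerating, restart sendmail and confirm the new certificate is served before distributing it to any peers that pin or verify it.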