Re: kernel.org status: establishing a PGP web of trust
On Sat, Oct 01, 2011 at 07:01:14AM -0600, Aaron Toponce wrote:
> Having a sufficient amount of paranoia would keep you from using DSA, I would think.

I have an RSA key with RSA subkeys, but now that larger DSA keys are generally available, I'd be okay with revolving DSA signing subkeys.

As you've pointed out, DSA has the disadvantage that k must always be different, but it also has advantages, one of them being that p, q, and g can be shared among a group of people such that p and q can be *proven* to be prime and generated in a reproducible way. Another one is that DSA signatures are smaller: there are two MPIs stored for each signature, but those MPIs are at most 256 bits long each, while for an RSA signature that was only 512 bits long, the security would be woefully inadequate.

Point being, both DSA and RSA have their good and bad points, and if you're fairly confident that you have a good PRNG, such as /dev/urandom, then there's not really much concern about k. After all, you also need a good PRNG for CFB IVs as well, although the consequences aren't as disastrous.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: kernel.org status: establishing a PGP web of trust
On 01/10/11 18:51, brian m. carlson wrote:
> Point being, both DSA and RSA have their good and bad points, and if you're fairly confident that you have a good PRNG, such as /dev/urandom, then there's not really much concern about k. After all, you also need a good PRNG for CFB IVs as well, although the consequences aren't as disastrous.

But you need a good PRNG for generating the session key, which is a lot more important than the CFB IV. But when it comes to signing stuff, not encryption, I suppose you can indeed use RSA without a good PRNG.

The Debian OpenSSL debacle, however, rendered every DSA key *used* on such a system useless, whereas RSA was only compromised when the key was *generated* on such a box.

Personally, I see it as an advantage of RSA that using it with a poor PRNG doesn't disclose your private key, but it wouldn't stop me from using ECDSA when it is mainstream. Your PRNG simply shouldn't be bad when you do crypto. Obviously software bugs can always happen, and in the specific Debian OpenSSL instance it was worse for DSA, but the next big bug might by chance hurt RSA and leave DSA in the clear.

And we have DSA to thank for the fun of Sony's silly mistake! :)

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
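The two messages above turn on a single algebraic fact: a DSA signature is s = k^-1 (H(m) + x r) mod q, so two signatures made with the same k (and therefore the same r) form two linear equations in the two unknowns k and x. The following is an added example, not code from this thread or from GnuPG, using deliberately tiny constructed domain parameters (p = 607, q = 101, g = 64) so the arithmetic stays visible; real DSA uses a 2048-bit p and a 224- or 256-bit q with identical equations. It verifies the signatures as an honest verifier would, shows that a repeated k reveals x, and sketches the defender's fix that removes the signing-time PRNG dependency Peter points out for RSA: derive k deterministically from the private key and the message (the idea behind RFC 6979, simplified here rather than the RFC's exact HMAC_DRBG construction, which is an assumption of this example, not of the thread).

```python
"""Toy DSA: why the per-signature secret k must never repeat (added example)."""
import hashlib
import hmac
import secrets

# Constructed toy domain parameters: q is prime, q | p - 1, g = 2^((p-1)/q) has order q.
P, Q, G = 607, 101, 64


def h(msg: bytes) -> int:
    """Hash the message and reduce into Z_q (DSA uses the leftmost bits; same effect here)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q


def keygen():
    """Private key x in [1, q-1], public key y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def sign(x: int, msg: bytes, k: int):
    """Produce (r, s); k is passed in explicitly so a reuse can be staged."""
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (h(msg) + x * r) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, choose another k")
    return r, s


def verify(y: int, msg: bytes, sig) -> bool:
    """Standard DSA verification: check (g^u1 * y^u2 mod p) mod q == r."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1, u2 = h(msg) * w % Q, r * w % Q
    return (pow(G, u1, P) * pow(y, u2, P) % P) % Q == r


def recover_private_key(msg1, sig1, msg2, sig2) -> int:
    """Two signatures sharing r (hence k) leak x:
         s1 - s2 = k^-1 (H1 - H2)  =>  k = (H1 - H2) / (s1 - s2)   (mod q)
         s1 = k^-1 (H1 + x r)      =>  x = (s1 k - H1) / r         (mod q)
    """
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2:
        raise ValueError("signatures do not share r; k was not reused")
    if s1 == s2:
        raise ValueError("H1 == H2 mod q; this pair gives no information")
    k = (h(msg1) - h(msg2)) * pow((s1 - s2) % Q, -1, Q) % Q
    return (s1 * k - h(msg1)) * pow(r1, -1, Q) % Q


def deterministic_k(x: int, msg: bytes) -> int:
    """Derive k from the private key and message so no signing-time randomness is needed.
    Simplified stand-in for the RFC 6979 idea (assumption: not the RFC's exact construction);
    a fixed (x, msg) pair always yields the same k, hence the same signature and no leak."""
    mac = hmac.new(x.to_bytes(32, "big"), hashlib.sha256(msg).digest(), "sha256").digest()
    return int.from_bytes(mac, "big") % (Q - 1) + 1  # in [1, q-1]


def demo() -> dict:
    """Stage a k reuse across two constructed messages and confirm x falls out."""
    x, y = keygen()
    msgs = [b"constructed message %d" % i for i in range(50)]
    m1 = msgs[0]
    m2 = next(m for m in msgs[1:] if h(m) != h(m1))  # with q = 101 a collision is ~1% likely
    for k in range(1, Q):  # a fixed, reused k stands in for a broken PRNG or hardcoded value
        try:
            sig1, sig2 = sign(x, m1, k), sign(x, m2, k)
        except ValueError:
            continue
        break
    tampered = (sig1[0], (sig1[1] + 1) % Q)
    return {
        "valid": verify(y, m1, sig1) and verify(y, m2, sig2),
        "tamper_rejected": not verify(y, m1, tampered),
        "recovered_matches": recover_private_key(m1, sig1, m2, sig2) == x,
        "deterministic_k_stable": deterministic_k(x, m1) == deterministic_k(x, m1),
    }


if __name__ == "__main__":
    print(demo())
```

The recovery needs nothing but the two public signatures and the two messages, which is why a PRNG failure at signing time is fatal for DSA while the same failure leaves an RSA signing key intact; deriving k from (x, m) instead of from the PRNG is the fix that makes DSA signing as randomness-free as RSA signing.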
Re: kernel.org status: establishing a PGP web of trust
On 10/1/2011 9:01 AM, Aaron Toponce wrote:
> https://secure.wikimedia.org/wikipedia/en/wiki/Digital_Signature_Algorithm#Sensitivity

This is an argument against having a *bad* DSA implementation, in the exact same way you shouldn't use a bad RSA implementation, either. RSA has just as many warnings -- take a look at how many times PKCS has been updated to reflect new understandings of RSA's risks.

> Having a sufficient amount of paranoia would keep you from using DSA, I would think.

That's the same level of paranoia that led to Kurt Goedel starving to death because he was afraid of how everyone around him was trying to poison him. I don't think we should recommend that level of paranoia.