Hi,

What is the rationale of using DSA keys (2048 bit) as the default for the genkeypair command?
http://hg.openjdk.java.net/jdk/jdk/file/c4a39588a075/src/java.base/share/classes/sun/security/tools/keytool/Main.java#l1120

It seems a bad choice given that DSA keys are disabled via Fedora's crypto policy (not just for OpenJDK, but for other crypto providers too). Here is the explanation from Nikos Mavrogiannopoulos from a Fedora bug [1] as to why that's a bad choice:

"""
DSA is not used by new security protocols any more (it doesn't exist as a negotiation option under TLS 1.3), and was a very rarely used option under previous protocols (TLS 1.2 or earlier). In fact only DSA-1024 is documented under these protocols. DSA-2048 may or may not work depending on the implementation (and even worse may not interoperate).
"""

Could the default choice of keyalg for genkeypair be reconsidered? If not, why not?

Thanks,
Severin

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1582253
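An added example, not part of the message above nor of OpenJDK's keytool: a small audit that walks a keystore and reports each entry's key algorithm and size, flagging DSA entries that were most likely created by relying on the genkeypair default and that a restrictive crypto policy will refuse. The keystore path and password come from the command line; the keystore type defaults to the JDK's default type (both are assumptions of this example).

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Enumeration;

// Usage (hypothetical): java KeystoreDsaAudit /path/to/keystore.jks changeit
public class KeystoreDsaAudit {

    // Returns the key size in bits for the common public key types, or -1 if unknown.
    static int keyBits(PublicKey pk) {
        if (pk instanceof RSAPublicKey) {
            return ((RSAPublicKey) pk).getModulus().bitLength();
        } else if (pk instanceof DSAPublicKey) {
            // For DSA the relevant size is the prime modulus p (e.g. 1024 or 2048).
            return ((DSAPublicKey) pk).getParams().getP().bitLength();
        } else if (pk instanceof ECPublicKey) {
            return ((ECPublicKey) pk).getParams().getCurve().getField().getFieldSize();
        }
        return -1;
    }

    public static void main(String[] args) throws Exception {
        String path = args[0];
        char[] password = args[1].toCharArray();

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }

        int dsaEntries = 0;
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            // getCertificate() covers both PrivateKeyEntry and TrustedCertificateEntry.
            Certificate cert = ks.getCertificate(alias);
            if (cert == null) continue;
            PublicKey pk = cert.getPublicKey();
            boolean isDsa = "DSA".equals(pk.getAlgorithm());
            if (isDsa) dsaEntries++;
            System.out.printf("%-20s %-5s %5d bits%s%n", alias, pk.getAlgorithm(),
                    keyBits(pk), isDsa ? "  <-- DSA: likely the keytool default, disabled by crypto policy" : "");
        }
        System.out.printf("%d DSA entr%s found; regenerate with an explicit -keyalg (e.g. RSA or EC).%n",
                dsaEntries, dsaEntries == 1 ? "y" : "ies");
    }
}
```

Running this against a keystore produced with a bare `keytool -genkeypair` on the JDK in question lists the entry as DSA 2048 bits, which is the combination the quoted Fedora bug describes as poorly interoperable.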