> On Aug 28, 2015, at 8:41 PM, Steve <[email protected]> wrote:
>
> In my mind, it ought to be disabled by default so that you have to know you are lowering, *almost* to the point of entirely losing your security, when you activate it.

Not to get too far off topic, but is there actually any evidence to back up that statement? I've been searching for a number of years for someone who can speak intelligently on the topic.

As I understand it, statements like this are parroted simply due to key sizes. While ssh-keygen can only create DSA keys of 1024 bits, openssl can generate arbitrarily large DSA keys that can be used with OpenSSH.

Do you know of any specific weaknesses of DSA? If DSA is inherently weak, wouldn't that also render ECDSA similarly weak? Bonus points if you work for the NSA and have something to disclose.

Bringing this back to the topic at hand, I see no evidence (though, I would be grateful to be presented with some!) to outright blacklist DSA. Though, as has been done with other algorithms, requiring a minimum key length would be prudent.

--
Brian Bennett
Systems Engineer, Cloud Operations
Joyent, Inc. | www.joyent.com

-------------------------------------------
smartos-discuss Archives: https://www.listbox.com/member/archive/184463/=now
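
The minimum-key-length idea raised in the message above, sketched as an audit of `authorized_keys` lines. This is an added example, not part of the original post and not OpenSSH code. The 2048-bit threshold, the function names and the sample lines are assumptions, and lines that start with an options prefix are not handled.

```python
import base64

MIN_DSA_BITS = 2048  # assumed policy threshold, not an OpenSSH setting

def _read_string(blob, off):
    """Read one RFC 4251 length-prefixed field; return (bytes, next offset)."""
    n = int.from_bytes(blob[off:off + 4], "big")
    end = off + 4 + n
    if off + 4 > len(blob) or end > len(blob):
        raise ValueError("truncated field")
    return blob[off + 4:end], end

def dsa_param_bits(line):
    """Return (p_bits, q_bits) for an ssh-dss public key line, else None."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-dss":
        return None
    blob = base64.b64decode(fields[1], validate=True)
    ktype, off = _read_string(blob, 0)
    if ktype != b"ssh-dss":
        raise ValueError("key type inside blob does not match the line")
    p, off = _read_string(blob, off)   # prime modulus
    q, off = _read_string(blob, off)   # subgroup order
    return (int.from_bytes(p, "big").bit_length(),
            int.from_bytes(q, "big").bit_length())

def below_minimum(lines, min_bits=MIN_DSA_BITS):
    """Return (line number, p_bits) for every DSA key under the minimum."""
    hits = []
    for no, line in enumerate(lines, 1):
        bits = dsa_param_bits(line)
        if bits and bits[0] < min_bits:
            hits.append((no, bits[0]))
    return hits

def _sample_line(p_bits, comment):
    """Constructed sample: correct framing, placeholder integers, not a usable key."""
    def mpint(v):
        n = v.bit_length() // 8 + 1    # extra byte keeps the mpint non-negative
        return n.to_bytes(4, "big") + v.to_bytes(n, "big")
    vals = [(1 << (p_bits - 1)) | 1, (1 << 159) | 1, 2, 3]   # p, q, g, y
    blob = (7).to_bytes(4, "big") + b"ssh-dss" + b"".join(mpint(v) for v in vals)
    return "ssh-dss " + base64.b64encode(blob).decode() + " " + comment

SAMPLE = [_sample_line(1024, "old@host"), "ssh-ed25519 AAAA other@host",
          _sample_line(2048, "big@host")]
```

`below_minimum(SAMPLE)` flags only the first line, whose modulus is 1024 bits.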
