[Ach] Fwd: DSA keysize constraints

Aaron Zauner azet at azet.org
Tue Nov 5 14:30:54 CET 2013


FWD to correct mailing list

Begin forwarded message:

> From: Aaron Zauner <azet at azet.org>
> Subject: DSA keysize constraints
> Date: 5 Nov 2013 14:24:13 GMT+1
> To: discuss at lists.cert.at
> 
> Hi,
> 
> I’ve opened a thread regarding DSA key sizes in OpenSSH on their development mailing list [0] - to my surprise it’s not as easy as patching the code to support key lengths of 1024+ bits. The Digital Signature Standard (as implemented in OpenSSH) mandates SHA1, which prevents anyone from using key lengths above 1024 bits [1]. There was some discussion on the IETF mailing list about 5 years ago [2], but nothing changed in the end.
> 
> The question now is - should we tell users to avoid DSA completely? Should we recommend RSA or even ECDSA host keys?
> 
> Input welcome.
> 
> Thanks,
> Aaron
> 
> 
> [0] - http://lists.mindrot.org/pipermail/openssh-unix-dev/2013-November/031764.html
> [1] - https://bugzilla.mindrot.org/show_bug.cgi?id=1647
> [2] - http://thread.gmane.org/gmane.ietf.secsh/6186/focus=6193
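
Added example, not part of the original message and not OpenSSH code: a Python parser for one OpenSSH public key line (`type base64 comment`, no options prefix assumed) that reports parameter bit lengths, so `ssh-dss` keys and their 1024-bit p / 160-bit q can be spotted in an audit. All function names are hypothetical, and the sample key is constructed with the right field sizes but is not a valid DSA key.

```python
import base64
import struct

FIELDS = {"ssh-dss": ("p", "q", "g", "y"), "ssh-rsa": ("e", "n")}  # RFC 4253 order

def read_string(blob, off):
    """Read one RFC 4251 string/mpint: uint32 length, then that many bytes."""
    if off + 4 > len(blob):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    if off + 4 + n > len(blob):
        raise ValueError("truncated field")
    return blob[off + 4:off + 4 + n], off + 4 + n

def key_sizes(pubkey_line):
    """Return (key type, {parameter: bit length}) for one public key line."""
    declared, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    inner, off = read_string(blob, 0)
    if inner != declared.encode("ascii"):
        raise ValueError("key type inside the blob differs from the line prefix")
    bits = {}
    for name in FIELDS.get(declared, ()):
        raw, off = read_string(blob, off)
        bits[name] = int.from_bytes(raw, "big").bit_length()  # mpint is big-endian
    return declared, bits

def describe(pubkey_line):
    """One-line finding; ssh-dss is called out because its signatures use SHA-1."""
    ktype, bits = key_sizes(pubkey_line)
    if ktype == "ssh-dss":
        return f"ssh-dss p={bits['p']} q={bits['q']} (SHA-1 signatures)"
    if ktype == "ssh-rsa":
        return f"ssh-rsa n={bits['n']}"
    return f"{ktype} (size not parsed)"

def field(raw):
    return struct.pack(">I", len(raw)) + raw

def mpint(v):
    # One spare byte on top keeps the encoded value positive.
    return field(v.to_bytes(v.bit_length() // 8 + 1, "big"))

def constructed_dss_line():
    """Constructed sample: correct field sizes, NOT a valid DSA key."""
    p, q, g, y = (1 << 1023) | 1, (1 << 159) | 1, 2, 3
    blob = field(b"ssh-dss") + b"".join(mpint(v) for v in (p, q, g, y))
    return "ssh-dss " + base64.b64encode(blob).decode() + " constructed@example"

if __name__ == "__main__":
    print(describe(constructed_dss_line()))
```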
