[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Please restore ssh-dsa (was: cvs: Permission denied (publickey).)



On Sun, Aug 24, 2008 at 09:34:36AM -0600, Stephen John Smoogen wrote:
> >> >    * ssh_key: Error - Not a valid RSA SSH key: ssh-dss ...
> >> >
> >> > Have DSA keys now been banned?
> >>
> >> Yes.
> >>
> >> > Why?
> >>
> >> The primary reason is that it's nearly impossible to tell if the key
> >> was generated on a Debian system with the compromised OpenSSL
> >> versions.
> >
> > That's overreacting. What happens if Gentoo makes a similar mistake
> > with RSA keys, will we ban them, too? DSA is a decent technology.
> 
> No because RSA doesn't leak information into your public key nor does
> it rely on the 'random' secret key to the same extent. Th

Your mixing different issues: What you are referring to is using a
good DSA key from a bad host. The context above was about the DSA/RSA
keys generated in the bad two year window. Both DSA and RSA from that
time frame are equally predictable.

> >> I've heard rumblings that DSA keys are weaker for other reasons, but
> >> I've not seen any good explanations.
> >
> > Hearsay, your honour! On the contrary, I've heard that DSA gathers at
> > 1024 bits at least as much entropy as RSA with 2048, and DSA was the
> > recommended "new" algorithm half a decade ago. Currently RSA and DSA
> > are equal up.
> 
> I take your hearsay, and counter with my hearsay that DSA will be
> replaced next year with DSA2 which can use 4 bits of entropy and be as
> secure as 4096 RSA.

Cool, then let the hearsays determine our processes.
-- 
Axel.Thimm at ATrpms.net

Attachment: pgpTQ3etyTA5q.pgp
Description: PGP signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]