Please restore ssh-dsa (was: cvs: Permission denied (publickey).)
Axel Thimm
Axel.Thimm at ATrpms.net
Sun Aug 24 15:43:14 UTC 2008
On Sun, Aug 24, 2008 at 09:34:36AM -0600, Stephen John Smoogen wrote:
> >> > * ssh_key: Error - Not a valid RSA SSH key: ssh-dss ...
> >> >
> >> > Have DSA keys now been banned?
> >>
> >> Yes.
> >>
> >> > Why?
> >>
> >> The primary reason is that it's nearly impossible to tell if the key
> >> was generated on a Debian system with the compromised OpenSSL
> >> versions.
> >
> > That's overreacting. What happens if Gentoo makes a similar mistake
> > with RSA keys, will we ban them, too? DSA is a decent technology.
>
> No because RSA doesn't leak information into your public key nor does
> it rely on the 'random' secret key to the same extent. Th
Your mixing different issues: What you are referring to is using a
good DSA key from a bad host. The context above was about the DSA/RSA
keys generated in the bad two year window. Both DSA and RSA from that
time frame are equally predictable.
> >> I've heard rumblings that DSA keys are weaker for other reasons, but
> >> I've not seen any good explanations.
> >
> > Hearsay, your honour! On the contrary, I've heard that DSA gathers at
> > 1024 bits at least as much entropy as RSA with 2048, and DSA was the
> > recommended "new" algorithm half a decade ago. Currently RSA and DSA
> > are equal up.
>
> I take your hearsay, and counter with my hearsay that DSA will be
> replaced next year with DSA2 which can use 4 bits of entropy and be as
> secure as 4096 RSA.
Cool, then let the hearsays determine our processes.
--
Axel.Thimm at ATrpms.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-infrastructure-list/attachments/20080824/338ec2dc/attachment.sig>
More information about the Fedora-infrastructure-list
mailing list