[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Please restore ssh-dsa (was: cvs: Permission denied (publickey).)



2008/8/24 Axel Thimm <Axel Thimm atrpms net>:
> On Sun, Aug 24, 2008 at 09:34:36AM -0600, Stephen John Smoogen wrote:
>> >> >    * ssh_key: Error - Not a valid RSA SSH key: ssh-dss ...
>> >> >
>> >> > Have DSA keys now been banned?
>> >>
>> >> Yes.
>> >>
>> >> > Why?
>> >>
>> >> The primary reason is that it's nearly impossible to tell if the key
>> >> was generated on a Debian system with the compromised OpenSSL
>> >> versions.
>> >
>> > That's overreacting. What happens if Gentoo makes a similar mistake
>> > with RSA keys, will we ban them, too? DSA is a decent technology.
>>
>> No because RSA doesn't leak information into your public key nor does
>> it rely on the 'random' secret key to the same extent. Th
>
> Your mixing different issues: What you are referring to is using a
> good DSA key from a bad host. The context above was about the DSA/RSA
> keys generated in the bad two year window. Both DSA and RSA from that
> time frame are equally predictable.

You wanted to know about other weaknesses in the DSA string. I wrote
it in the wrong spot. In the end, it is easier to audit bad RSA over
DSA and having one set to look for in case of another bad OpenSSL is
easier on the volunteer admins to deal with.

>> >> I've heard rumblings that DSA keys are weaker for other reasons, but
>> >> I've not seen any good explanations.
>> >
>> > Hearsay, your honour! On the contrary, I've heard that DSA gathers at
>> > 1024 bits at least as much entropy as RSA with 2048, and DSA was the
>> > recommended "new" algorithm half a decade ago. Currently RSA and DSA
>> > are equal up.
>>
>> I take your hearsay, and counter with my hearsay that DSA will be
>> replaced next year with DSA2 which can use 4 bits of entropy and be as
>> secure as 4096 RSA.
>
> Cool, then let the hearsays determine our processes.

Ok lets turn off the sarcasm.. I am sorry I started it.



-- 
Stephen J Smoogen. -- BSD/GNU/Linux
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]