<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Fri, Apr 5, 2013 at 3:12 PM, Tristan Seligmann <span dir="ltr"><<a href="mailto:mithrandi@mithrandi.net" target="_blank">mithrandi@mithrandi.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div></div><div>DSA keys larger than 1024 bit(?) are "non-standard", but I think the bigger issue is that DSA only supports 160-bit hashes; larger hashes will be truncated, which means you don't gain much by using SHA-256/SHA-512/etc. instead of SHA-1. DSA2 can handle larger hashes, but there's no real reason to use DSA2 when RSA is so widespread. I think this is the reason the defaults are changing (were changed?) in GnuPG.<br>
</div></div></div></div></blockquote><div><br></div><div>As far as I can tell, the defaults are currently beyond plain old DSA. It appears this support has been in GnuPG since 2006 and in PGP since at least then, I would guess that it's been commonly available since 2008 or so. I'm not sure *why* it's DSA now, but I'm hoping the GPG people had good reasons :) (I'm guessing it's "adoption was sufficient that by the time we considered changing the default the reasons were no longer valid")<br>
<br></div><div>For DSA, GPG selects the first hash algorithm in your digest preference list that is of size >= q. q is the hash size for your DSA key, which is hardcoded into the key. The defaults in GPG are:<br><br></div>
<div>q = 160 for 1024 bit keys (i.e. plain old DSA)<br></div><div>q = 224 for 1024 to 2048 bit keys<br></div><div>q = 256 bit for 2048 to 3072 bit keys<br><br>You can use gpg --list-packets to view this, but the output is a little obscure. It's easier to use pgpdump, which, for my key produces (truncated output):<br>
<br>====<br>Public Key Packet(tag 6)(1198 bytes)<br>Ver 4 - new<br>Public key creation time - Sun Oct 14 13:56:19 UTC 2012<br>Pub alg - DSA Digital Signature Algorithm(pub 17)<br>DSA p(3072 bits) - ...<br>DSA q(256 bits) - ...<br>
DSA g(3068 bits) - ...<br>DSA y(3071 bits) - ...<br>====<br></div><div><br></div><div>The important bit is the q value: 256. Combined with my digest algorithm preferences, that means I'll get SHA-256 (first hash of sufficient size), not truncated (since 256 == 256 ;)).<br>
<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_extra">
<div class="gmail_quote"><div>I guess this is drifting off-topic though...<br></div></div></div></div></blockquote><div><br></div><div>Sure thing :D I wasn't trying to argue for any particular algorithm, but simply that:<br>
<br>
</div><div>- if you have a recent key of maximum allowable size for whatever the default was on your system, you're probably fine<br></div><div>- signing a bunch of SHA sums is fine, provided it's SHA-256 or better, preferably SHA-512 (SHA-3 wouldn't be wrong, but isn't commonly supported yet, and SHA-2 has withstood attempts to break it so far better than anyone anticipated, so we're good).<br>
</div><div><br></div><div>cheers<br>lvh<br></div></div></div></div>