[Twisted-Python] Release questions

Laurens Van Houtven _ at lvh.cc
Fri Apr 5 10:47:23 EDT 2013


On Fri, Apr 5, 2013 at 3:12 PM, Tristan Seligmann
<mithrandi at mithrandi.net> wrote:

> DSA keys larger than 1024 bit(?) are "non-standard", but I think the
> bigger issue is that DSA only supports 160-bit hashes; larger hashes will
> be truncated, which means you don't gain much by using SHA-256/SHA-512/etc.
> instead of SHA-1. DSA2 can handle larger hashes, but there's no real reason
> to use DSA2 when RSA is so widespread. I think this is the reason the
> defaults are changing (were changed?) in GnuPG.
>

As far as I can tell, the defaults are currently beyond plain old DSA. It
appears this support has been in GnuPG since 2006 and in PGP since at least
then; I would guess that it's been commonly available since 2008 or so. I'm
not sure *why* it's DSA now, but I'm hoping the GPG people had good reasons
:) (I'm guessing it's "adoption was sufficient that by the time we
considered changing the default the reasons were no longer valid")

For DSA, GPG selects the first hash algorithm in your digest preference
list that is of size >= q. q is the hash size for your DSA key, which is
hardcoded into the key. The defaults in GPG are:

q = 160 for 1024 bit keys (i.e. plain old DSA)
q = 224 for 1024 to 2048 bit keys
q = 256 bit for 2048 to 3072 bit keys

You can use gpg --list-packets to view this, but the output is a little
obscure. It's easier to use pgpdump, which, for my key, produces (truncated
output):

====
Public Key Packet(tag 6)(1198 bytes)
Ver 4 - new
Public key creation time - Sun Oct 14 13:56:19 UTC 2012
Pub alg - DSA Digital Signature Algorithm(pub 17)
DSA p(3072 bits) - ...
DSA q(256 bits) - ...
DSA g(3068 bits) - ...
DSA y(3071 bits) - ...
====

The important bit is the q value: 256. Combined with my digest algorithm
preferences, that means I'll get SHA-256 (first hash of sufficient size),
not truncated (since 256 == 256 ;)).

I guess this is drifting off-topic though...
>

Sure thing :D I wasn't trying to argue for any particular algorithm, but
simply that:

- if you have a recent key of maximum allowable size for whatever the
default was on your system, you're probably fine
- signing a bunch of SHA sums is fine, provided it's SHA-256 or better,
preferably SHA-512 (SHA-3 wouldn't be wrong, but isn't commonly supported
yet, and SHA-2 has withstood attempts to break it so far better than anyone
anticipated, so we're good).

cheers
lvh
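
The digest selection rule and the pgpdump excerpt quoted in the message above, worked through as an added example (not part of the original post and not GnuPG's own code): it reads the size of q from pgpdump text and picks the first digest in a preference list of size >= q. The function names, the sample text, and returning None when no listed digest is large enough are assumptions made for illustration.

```python
import re

# Output sizes in bits, keyed by the digest names GnuPG uses.
DIGEST_BITS = {"SHA1": 160, "RIPEMD160": 160, "SHA224": 224,
               "SHA256": 256, "SHA384": 384, "SHA512": 512}

# Constructed sample shaped like the pgpdump excerpt in the message
# (the multi-precision integer values are elided, as they are there).
SAMPLE_PGPDUMP = """\
Public Key Packet(tag 6)(1198 bytes)
\tVer 4 - new
\tPub alg - DSA Digital Signature Algorithm(pub 17)
\tDSA p(3072 bits) - ...
\tDSA q(256 bits) - ...
\tDSA g(3068 bits) - ...
\tDSA y(3071 bits) - ...
"""

def dsa_q_bits(pgpdump_text):
    """Return the bit length of q from the first 'DSA q(N bits)' line."""
    match = re.search(r"^\s*DSA q\((\d+) bits\)", pgpdump_text, re.MULTILINE)
    if match is None:
        raise ValueError("no 'DSA q(N bits)' line found")
    return int(match.group(1))

def select_digest(q_bits, preferences):
    """Pick the first preferred digest whose size is >= q.

    Returns (name, truncated). 'truncated' is True when the digest is
    longer than q, because DSA then uses only q bits of it. Returns
    (None, False) if nothing in the list is large enough (assumption:
    the message does not say what GnuPG does in that case).
    """
    for name in preferences:
        bits = DIGEST_BITS.get(name.upper())
        if bits is not None and bits >= q_bits:
            return name.upper(), bits > q_bits
    return None, False

if __name__ == "__main__":
    q = dsa_q_bits(SAMPLE_PGPDUMP)
    for prefs in (["SHA1", "SHA256", "SHA512"], ["SHA512", "SHA256"], ["SHA1"]):
        print(q, prefs, select_digest(q, prefs))
```

The order of the preference list matters: with q = 256, a list that starts with SHA512 selects SHA-512 and truncates it, while a list that reaches SHA256 first gives the untruncated case described in the message.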