[Twisted-Python] Release questions

Tristan Seligmann mithrandi at mithrandi.net
Fri Apr 5 07:12:43 MDT 2013


On Fri, Apr 5, 2013 at 2:32 AM, Laurens Van Houtven <_ at lvh.cc> wrote:

> DSA, by default, used SHA-1; recent revisions support SHA-2. A few years
> ago, GnuPG and several big users including Debian and Apache started
> suggesting the move to RSA instead of DSA keys. The algorithms vary a bit
> in speed and signature size, but the main reason was to allow newer hash
> functions.
>
> That said, I'm pretty sure GPG uses a newer revision of DSA: when I left
> the defaults untouched near the end of 2012, it still seemed to prefer
> DSA/ElGamal despite the news from a few years ago. IIRC, the first version
> of the algorithm only allowed 1024 bit keys, whereas my DSA key is 3072.
>

DSA keys larger than 1024 bit(?) are "non-standard", but I think the bigger
issue is that DSA only supports 160-bit hashes; larger hashes will be
truncated, which means you don't gain much by using SHA-256/SHA-512/etc.
instead of SHA-1. DSA2 can handle larger hashes, but there's no real reason
to use DSA2 when RSA is so widespread. I think this is the reason the
defaults are changing (were changed?) in GnuPG.

I guess this is drifting off-topic though...

> Here's how you check what you support and in which preference:
>

Thanks, much more useful than my vague speculation about defaults ;)
-- 
mithrandi, i Ainil en-Balandor, a faer Ambar
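
The truncation point raised in the reply above, as an added example that is not part of the original message: a toy DSA in Python with a 160-bit q, showing that a signature over a SHA-256 digest depends only on the digest's leftmost 160 bits. The parameters, seed and message are constructed and insecure, and all function names are hypothetical.

```python
import hashlib, random

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):  # Miller-Rabin over fixed bases; adequate for this toy search
    if n < 41 or n % 2 == 0:
        return n in _BASES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x not in (1, n - 1) and all(
                (x := pow(x, 2, n)) != n - 1 for _ in range(s - 1)):
            return False  # a witnesses that n is composite
    return True

def gen_params(rng, qbits=160, kbits=352):  # constructed toy (p, q, g)
    q = p = 0
    while not is_prime(q):
        q = rng.getrandbits(qbits) | 1 << (qbits - 1) | 1
    while not is_prime(p):
        p = 2 * rng.getrandbits(kbits) * q + 1
    return p, q, pow(2, (p - 1) // q, p)  # g generates the order-q subgroup

def bits2int(digest, q):  # FIPS 186-3 rule: keep leftmost min(N, outlen) bits
    excess = max(0, len(digest) * 8 - q.bit_length())
    return int.from_bytes(digest, "big") >> excess

def sign(digest, x, p, q, g, rng):
    k = rng.randrange(1, q)  # toy nonce; real DSA needs a CSPRNG or RFC 6979
    r = pow(g, k, p) % q
    return r, pow(k, -1, q) * (bits2int(digest, q) + x * r) % q

def verify(digest, sig, y, p, q, g):
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1, u2 = bits2int(digest, q) * w % q, r * w % q
    return pow(g, u1, p) * pow(y, u2, p) % p % q == r

def demo():
    rng = random.Random(2013)  # fixed seed: reproducible, NOT secure
    p, q, g = gen_params(rng)
    x = rng.randrange(1, q)  # private key; public key is pow(g, x, p)
    d = hashlib.sha256(b"constructed sample message").digest()
    sig = sign(d, x, p, q, g, rng)
    tail, head = d[:20] + bytes(12), bytes([d[0] ^ 1]) + d[1:]
    return [verify(m, sig, pow(g, x, p), p, q, g) for m in (d, tail, head)]
```

`demo()` checks the same signature against the real digest, a copy with the last 96 bits zeroed, and a copy with one bit flipped inside the first 160 bits; only the last is rejected.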