DSA2 key support
Dennis K
2010-05-25 09:14:01 UTC
Hello all,

I've got a question regarding which signing key I should choose.

As I understand it, 1024 bit DSA keys are no longer recommended, which
leaves two options. Larger RSA keys or DSA2 keys. I've read stuff
about DSA2 being new and not yet widely supported, but that material is
from 2006. I've also read that RSA is not necessarily required to be
supported by an OpenPGP implementation.

My question basically is, is using a DSA2 signing key going to cause
compatibility problems, or is it pretty much universally supported now?

Also, should I just keep using my existing DSA 1024 bit key and enable
DSA2 within GnuPG as I'm doing now, or is it much better to generate a
new one?

I would like to use DSA2, but am worried about compatibility issues.
Are these concerns valid any more?

Thanks,
Dennis
Anonymous
2010-05-25 12:22:24 UTC
Post by Dennis K
My question basically is, is using a DSA2 signing key going to cause
compatibility problems, or is it pretty much universally supported now?
It's going to cause compatibility problems for years.

Don't use it except in special cases where your recipient is known to
support it.
Post by Dennis K
I would like to use DSA2, but am worried about compatibility issues.
Are these concerns valid any more?
Yes. Just use large RSA keys.
Dennis K
2010-05-25 14:14:40 UTC
Post by Anonymous
Post by Dennis K
My question basically is, is using a DSA2 signing key going to cause
compatibility problems, or is it pretty much universally supported now?
It's going to cause compatibility problems for years.
Don't use it except in special cases where your recipient is known to
support it.
Post by Dennis K
I would like to use DSA2, but am worried about compatibility issues.
Are these concerns valid any more?
Yes. Just use large RSA keys.
OK. That's a shame, as I prefer DSA2 for signing, as it leaves a smaller
signature. I'm quite surprised it's still an issue. Surely all PGP
implementations have supported it for a couple of years now?

All my recipients that I know of so far are using GnuPG, which supports
DSA2 as of version 1.4.4 I think. But apart from them, I didn't want
others to have trouble.
Nomen Nescio
2010-05-25 18:07:29 UTC
Post by Dennis K
All my recipients that I know of so far are using GnuPG, which supports
DSA2 as of version 1.4.4 I think. But apart from them, I didn't want
others to have trouble.
I don't believe gnupg supports DSA2 as a default even now, and I don't
think it could be from as early as 1.4.4, but you should ask in the gnupg list
if nobody has information here.
Dennis K
2010-05-26 08:14:07 UTC
Post by Nomen Nescio
Post by Dennis K
All my recipients that I know of so far are using GnuPG, which supports
DSA2 as of version 1.4.4 I think. But apart from them, I didn't want
others to have trouble.
I don't believe gnupg supports DSA2 as a default even now, and I don't
think it could be from as early as 1.4.4, but you should ask in the gnupg list
if nobody has information here.
Not as a default, but with the enable-dsa2 option you can use
(truncated) SHA256 hashes with 1024 bit DSA keys. This probably is good
enough, but I'm not sure. People are moving away but it's hard to
ascertain whether they're moving away for rational reasons.
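
An added example, not part of any post in this thread and not GnuPG code: what "truncated SHA256 with a 1024 bit DSA key" means in practice, following the FIPS 186-3 rule that a digest longer than q is cut to its leftmost bits. The group is constructed for the demo with the sizes of a 1024-bit DSA key (160-bit q), and every function name here is hypothetical.

```python
import hashlib
import secrets
BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n):
    if any(n % b == 0 for b in BASES):   # cheap sieve; n is always large here
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:                      # Miller-Rabin rounds
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def demo_params(q_bits=160, p_bits=1024):
    """Constructed (p, q, g) sized like a 1024-bit DSA key; not a real key."""
    q = (1 << (q_bits - 1)) + 1
    while not is_probable_prime(q):
        q += 2
    k = ((1 << (p_bits - 1)) // q + 2) & ~1      # even cofactor, so p is odd
    while not is_probable_prime(k * q + 1):
        k += 2
    return k * q + 1, q, pow(2, k, k * q + 1)    # g generates the order-q subgroup

def truncated_hash(msg, q, name="sha256"):
    """Leftmost min(len(q), digest length) bits of the digest, as an integer."""
    digest = hashlib.new(name, msg).digest()
    excess = max(0, len(digest) * 8 - q.bit_length())
    return int.from_bytes(digest, "big") >> excess

def sign(msg, x, p, q, g):
    k = secrets.randbelow(q - 1) + 1             # fresh per-signature secret
    r = pow(g, k, p) % q
    s = pow(k, -1, q) * (truncated_hash(msg, q) + x * r) % q
    return (r, s) if r and s else sign(msg, x, p, q, g)

def verify(msg, sig, y, p, q, g):
    r, s = sig
    if not (0 < r < q and 0 < s < q):            # reject out-of-range values
        return False
    w, z = pow(s, -1, q), truncated_hash(msg, q)
    return pow(g, z * w % q, p) * pow(y, r * w % q, p) % p % q == r
```

With a 160-bit q only the first 20 bytes of the SHA-256 digest enter the signature, and r and s are each at most 160 bits, so the signature stays at 40 bytes of integer data regardless of the hash chosen.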