[Openswan Users] Support for DSA keys? (fwd)
Michael Richardson
mcr at sandelman.ottawa.on.ca
Tue Mar 28 21:10:54 CEST 2006
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
We do not support DSA authentication at this time.
Unless you violate the spec, or read a NIST document not yet approved,
DSA keys are limited to 1024 bits in length, and we have strongly
discouraged people from using authentication keys of so short a
length. The default RSA key length is over twice that size.
If you want them supported, you'll need to have the code contracted to
be written. If provided with proper test cases, we would accept a
patch. (Note that #public is significantly refactored in this regard)
I can see no reason for us to support DSA at this time, it doesn't buy
us anything. If ECC was without patent issues, I would rather spend
time on that rather than DSA.
Of greater concern is support for SHA256 hashes in RSA certificates and
the like. (The IKE and IPsec uses of MD5 and SHA1 are relatively immune
to the recent attacks, since they are either used in HMAC-XX mode or as a PRF)
- --
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr at xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Finger me for keys
iQEVAwUBRCnenICLcPvd0N1lAQKptgf/YmfRnQEpAqwfkqmdT1MpFeo9KA/h9gCT
8Gd8iQriXLM8XyqRsukM3FceRlO2dZAi5iNuhLpRHoSlf+Gx22XBTPfmOB1by53Q
id2mVmFw09MzqxbJMfop3q25gDFvteSHPMAvuSvHsq9mmUfCD20KaWI+4N9oBM5g
mpC25AcQT3HCHvyQYj6ZRNAU+vWpP5DLSNHpOPhyO4BhaRm0IZE5G/FGe2S25UUE
e6EVmBXFGnZkLbmrmldOfigBUX8DG/GKgWhRga3S23jAt1mbQIUTYdpDrzfvqgcc
49f0VxZVO8VFex/euJ4EpEiAhYXfP1F5OMd+sdILoAOEr98UENSbgw==
=Xu2r
-----END PGP SIGNATURE-----
More information about the Users
mailing list