On Sun, Aug 24, 2008 at 09:34:36AM -0600, Stephen John Smoogen wrote: > >> > * ssh_key: Error - Not a valid RSA SSH key: ssh-dss ... > >> > > >> > Have DSA keys now been banned? > >> > >> Yes. > >> > >> > Why? > >> > >> The primary reason is that it's nearly impossible to tell if the key > >> was generated on a Debian system with the compromised OpenSSL > >> versions. > > > > That's overreacting. What happens if Gentoo makes a similar mistake > > with RSA keys, will we ban them, too? DSA is a decent technology. > > No because RSA doesn't leak information into your public key nor does > it rely on the 'random' secret key to the same extent. Th Your mixing different issues: What you are referring to is using a good DSA key from a bad host. The context above was about the DSA/RSA keys generated in the bad two year window. Both DSA and RSA from that time frame are equally predictable. > >> I've heard rumblings that DSA keys are weaker for other reasons, but > >> I've not seen any good explanations. > > > > Hearsay, your honour! On the contrary, I've heard that DSA gathers at > > 1024 bits at least as much entropy as RSA with 2048, and DSA was the > > recommended "new" algorithm half a decade ago. Currently RSA and DSA > > are equal up. > > I take your hearsay, and counter with my hearsay that DSA will be > replaced next year with DSA2 which can use 4 bits of entropy and be as > secure as 4096 RSA. Cool, then let the hearsays determine our processes. -- Axel.Thimm at ATrpms.net
Attachment:
pgp0KYa6sU1qk.pgp
Description: PGP signature
_______________________________________________ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
