On Thu, Oct 15, 2009 at 12:39 AM, Jack Lloyd <ll...@randombit.net> wrote: > On Wed, Oct 14, 2009 at 10:43:48PM -0400, Jerry Leichter wrote: >> If the constraints elsewhere in the system limit the number of bits of >> signature you can transfer, you're stuck. Presumably over time you'd >> want to go to a more bit-efficient signature scheme, perhaps using >> ECC. > > Even plain DSA would be much more space efficient on the signature > side - a DSA key with p=2048 bits, q=256 bits is much stronger than a > 1024 bit RSA key, and the signatures would be half the size. And NIST > allows (2048,224) DSA parameters as well, if saving an extra 8 bytes > is really that important. > > Given that they are attempted to optimize for minimal packet size, the > choice of RSA for signatures actually seems quite bizarre.

DSA can be used in DNSSEC - unfortunately it is optional, though. --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com