On Thu, Oct 15, 2009 at 12:39 AM, Jack Lloyd <ll...@randombit.net> wrote:
> On Wed, Oct 14, 2009 at 10:43:48PM -0400, Jerry Leichter wrote:
>> If the constraints elsewhere in the system limit the number of bits of
>> signature you can transfer, you're stuck.  Presumably over time you'd
>> want to go to a more bit-efficient signature scheme, perhaps using
>> ECC.
> Even plain DSA would be much more space efficient on the signature
> side - a DSA key with p=2048 bits, q=256 bits is much stronger than a
> 1024 bit RSA key, and the signatures would be half the size. And NIST
> allows (2048,224) DSA parameters as well, if saving an extra 8 bytes
> is really that important.
> Given that they are attempted to optimize for minimal packet size, the
> choice of RSA for signatures actually seems quite bizarre.

DSA can be used in DNSSEC - unfortunately it is optional, though.

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Reply via email to