On Wed, Nov 26, 2025 at 10:34 AM Werner Stolz <[email protected]> wrote:
>
> Yes, I am aware that we should not be using DSS keys. We must use them to
> accommodate some of our data partners.

In case the folks you are working with were not aware...

Digital Signature Standard (DSS) approves three algorithms for signing.

The first is old RSA. The original DSS proposal did not include RSA. RSA Data Security, Inc. did a lot of lobbying to get RSA included in the DSS.

The second is DSA. This is a signing scheme over integers. DSA is what most people think of when someone says signing with DSS. This is the algorithm to avoid. FIPS 186-5 (from 2023) removed DSA, so partners cannot use FIPS as a crutch.

The third is ECDSA. This is a signing scheme over elliptic curves. This is the algorithm from DSS that you want partners to use.

> Your link shows exactly what we have been doing when we drive the SFTP command
> line tool for file transfers, but I was under the impression that
> using the “-k” / “--insecure” option for curl does the same thing.
>
> Historically, it has, with our previous version of curl, but somehow it is
> broken with this version.

Jeff
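
Added example, not part of the message above and not curl or OpenSSH code: a Python check that reads the algorithm name embedded in an OpenSSH public-key or known_hosts line and maps it to the three DSS algorithms described in the message (`ssh-dss` is the OpenSSH key-type name for DSA). The verdict labels, the `sample_line` helper and the key blobs it builds are assumptions constructed for this example, not real keys.

```python
import base64
import struct

# OpenSSH key-type names mapped to the three DSS algorithms from the message.
FAMILY = {"ssh-dss": "DSA", "ssh-rsa": "RSA",
          "ecdsa-sha2-nistp256": "ECDSA", "ecdsa-sha2-nistp384": "ECDSA",
          "ecdsa-sha2-nistp521": "ECDSA"}
# Verdict labels are this example's own wording (assumption).
VERDICT = {"DSA": "avoid", "RSA": "approved", "ECDSA": "preferred"}


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def embedded_type(b64: str) -> str:
    """Return the algorithm name stored as the first string of a key blob."""
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack_from(">I", blob, 0)
    if 4 + n > len(blob):
        raise ValueError("truncated type field")
    return blob[4:4 + n].decode("ascii")


def classify(line: str):
    """Classify a public-key or known_hosts line as (type, family, verdict)."""
    fields = line.split()
    for declared, b64 in zip(fields, fields[1:]):
        try:
            actual = embedded_type(b64)
        except ValueError:
            continue  # not a key blob (host pattern, key type, comment)
        if actual != declared:
            # The name on the line disagrees with the name inside the blob.
            return declared, "mismatch", "reject"
        family = FAMILY.get(actual, "other")
        return actual, family, VERDICT.get(family, "review")
    return None, "unparsed", "reject"


def sample_line(declared: str, inner: str, host: str = "") -> str:
    """Build a constructed key line; the blob body is filler, not a real key."""
    blob = ssh_string(inner.encode("ascii")) + ssh_string(b"\x01")
    b64 = base64.b64encode(blob).decode("ascii")
    return f"{host} {declared} {b64} constructed@example".strip()
```
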
