On Mon, December 22, 2014 3:16 pm, Peter Gutmann wrote:
> Ryan Sleevi <ryan-mozdevsecpol...@sleevi.com> writes:
>
> >DSA certificates are complicated due to parameter inheritance through the
> >chain - which few get right, but which add ambiguity for path building and
> >processing. DSA certificates cannot be used for certificate pinning in some
> >cases because of this inherent ambiguity (
> >https://tools.ietf.org/html/draft-ietf-websec-key-pinning-21#section-2.4 )
>
> This is a bit of a red herring since nothing [0] actually uses this, at least
> one reason being that it allows signature forgery if you do. So saying "we
> don't do DSA because no-one cares about it" is OK, but saying "we don't do it
> because of a feature that cryptographers threw in just because they could but
> that no-one uses" isn't really accurate.

Um, no? The point is that it has - by design - a dangerous feature that
doesn't exist with other signature schemes. That this design exists and is
mandated is part of the complexity - either no one implements it (and for
sure, Microsoft's stack _does_ implement it, and NSS _tries_ to implement it),
at which point you don't have DSA but some DSA-prime - or it's implemented
(and it is) and presents a security risk.

> >DSA suffers from sudden death entropy failures (
> >https://www.imperialviolet.org/2013/06/15/suddendeathentropy.html ) that can
> >be quite fatal, and isn't justified by its benefits (compared with ECDSA)
>
> Funny you should mention ECDSA there, since it suffers from the exact same
> sudden-death entropy failure problem as DSA (they both have "DSA" in their
> name for a reason).
>
> So: stick with "we don't do DSA because no-one cares" as your reason :-).

Perhaps it wasn't unambiguously clear in my message, but the post I linked to
specifically discusses this and I acknowledge as much in my message. However,
the benefit of ECDSA (smaller signatures, smaller keys for equivalent security)
offers a compelling reason, and RFC 6979 exists as a mitigation. The argument
here is not "we don't do DSA because no-one cares", but "we don't do DSA
because the risks are high and there are no benefits relative to those risks".
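As an added illustration (not part of the thread above), the RFC 6979 mitigation the reply refers to: a toy DSA signer whose nonce k is derived deterministically from the private key and the message hash, so a broken or repeating entropy source at signing time can no longer reuse k across two different messages, which is the "sudden death" failure both posters describe. The group, key and messages are constructed for this example; q is deliberately tiny so the code runs instantly.

```python
import hashlib
import hmac

# Toy DSA group, constructed for this example: q = 2^19 - 1 and p = 2^2281 - 1 are Mersenne primes, and q | p - 1 since 19 | 2280.
Q = 2**19 - 1                # far too small for real use
P = 2**2281 - 1
G = next(g for g in (pow(h, (P - 1) // Q, P) for h in range(2, 100)) if g != 1)  # order q
X = 0xC0FFEE % Q             # private key (constructed)
Y = pow(G, X, P)             # public key

def bits2int(b: bytes) -> int:
    """RFC 6979 sec. 2.3.2: the leftmost qlen bits of b, read as an integer."""
    return int.from_bytes(b, "big") >> max(len(b) * 8 - Q.bit_length(), 0)

def rfc6979_nonces(x: int, h1: bytes):
    """Yield k candidates per RFC 6979 sec. 3.2: an HMAC-SHA256 DRBG seeded with x and H(m)."""
    hmac256 = lambda key, data: hmac.new(key, data, hashlib.sha256).digest()
    rlen = (Q.bit_length() + 7) // 8
    seed = x.to_bytes(rlen, "big") + (bits2int(h1) % Q).to_bytes(rlen, "big")
    V, K = b"\x01" * 32, b"\x00" * 32
    for tag in (b"\x00", b"\x01"):       # steps d-g of the RFC
        K = hmac256(K, V + tag + seed)
        V = hmac256(K, V)
    while True:                          # step h: one candidate per iteration
        T = b""
        while len(T) * 8 < Q.bit_length():
            V = hmac256(K, V)
            T += V
        k = bits2int(T)
        if 1 <= k < Q:
            yield k                      # the caller resumes only if r == 0 or s == 0
        K = hmac256(K, V + b"\x00")
        V = hmac256(K, V)

def sign(msg: bytes) -> tuple:           # DSA with an RFC 6979 nonce instead of a random k
    h1 = hashlib.sha256(msg).digest()
    e = bits2int(h1) % Q
    for k in rfc6979_nonces(X, h1):
        r = pow(G, k, P) % Q
        s = pow(k, -1, Q) * (e + X * r) % Q
        if r and s:
            return r, s

def verify(msg: bytes, sig: tuple) -> bool:
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):    # reject out-of-range components before any math
        return False
    w = pow(s, -1, Q)
    e = bits2int(hashlib.sha256(msg).digest()) % Q
    return pow(G, e * w % Q, P) * pow(Y, r * w % Q, P) % P % Q == r
```

Signing the same message twice yields byte-identical signatures, and no RNG is consulted at all; with a random k the same two calls would differ, and a stuck RNG would leak X.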