On Wed, 21 May 2008, Chris Ball wrote: > Hi, > > > So DSA is a no-go from now until the end of time? > > I'm open to debate on that, though many systems have made that decision; > debian.org and freedesktop.org are no longer allowing DSA logins, for > example. (I'm curious to hear reasons for wanting to use DSA keys, > now that the RSA patents have expired.)
one reason would be that DSA is more secure then RSA. If you have a copy of the secret key from one end of the conversation and they are using RSA you can decrypt the communication, with DSA you cannot do so. There are several products on the market that take advantage of this fact and have you load your keys on a seperate box that then intercepts the communication to your webservers and decrypts the traffic (either inline or from a tap). With these products you have to configure your webservers to refuse DSA and only do RSA becouse with DSA they cannot decrypt the traffic. David Lang > > By the way, will remaining and new RSA keys be tested for bad > > randomness? > > Yes. We have the openssh-blacklist package installed, which contains > keyhashes of all possible weak keys and disallows logins using them. > > - Chris. > _______________________________________________ Devel mailing list [email protected] http://lists.laptop.org/listinfo/devel
