On Tue, Jul 16, 2019 at 03:06:28PM -0400, Viktor Dukhovni wrote:
> On Mon, Jul 15, 2019 at 02:27:44PM +0000, Salz, Rich wrote:
> > > >> DSA
> > >
> > > What is the cryptographic weakness of DSA that you are avoiding?
> >
> > It's a good question. I don't recall the specific reason why that was
> > added to the list. Perhaps others can comment.
> >
> > The only weakness I know about is that if you re-use the nonce, the private
> > key is leaked. It's more brittle than RSA-PKCS, but not as flawed as RC4.
> >
> > I think this should be removed from the "legacy" list unless someone can
> > point out why it's like the others in the list.
> [...]
> 4. As mentioned key disclosure is more likely than with RSA.
Huh, and it looks like we don't even implement deterministic DSA (RFC 6979), which is a partial mitigation.

-Ben
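The two points made above (a reused DSA nonce leaks the private key; RFC 6979 deterministic nonces are a mitigation) as a worked example. This is an added illustration, not OpenSSL code and not code posted by anyone in the thread. It implements textbook DSA over domain parameters generated at run time from a fixed seed, with toy sizes (160-bit q, 512-bit p, an assumption for speed, not a standard parameter set), recovers the private key from two signatures that share a nonce, and derives nonces with the HMAC-SHA256 construction of RFC 6979 section 3.2. The two messages signed are constructed sample input; function names are this example's own.

```python
"""Toy DSA: private-key recovery from a reused nonce, and RFC 6979 deterministic
nonces as the mitigation.  Added example, not OpenSSL code.  Domain parameters
are generated at run time from a fixed seed and are far too small for real use
(assumption made for a fast, reproducible demo)."""
import hashlib
import hmac
import random

HASH = hashlib.sha256


def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin with random bases; adequate for a demo parameter search."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_params(seed=2019, qbits=160, pbits=512):
    """Domain parameters (p, q, g): q prime, q | p-1, g of order q mod p."""
    rng = random.Random(seed)
    while True:  # q: a qbits-bit prime
        q = rng.getrandbits(qbits) | (1 << (qbits - 1)) | 1
        if is_probable_prime(q, rng):
            break
    while True:  # p = k*q + 1 with k even so that p is odd
        k = (rng.getrandbits(pbits - qbits) | (1 << (pbits - qbits - 1))) & ~1
        p = k * q + 1
        if p.bit_length() == pbits and is_probable_prime(p, rng):
            break
    h = 2
    while True:  # g = h^((p-1)/q) has order q unless it is 1
        g = pow(h, (p - 1) // q, p)
        if g != 1:
            return p, q, g
        h += 1


# --- RFC 6979 section 2.3 conversions and section 3.2 nonce generation -------
def bits2int(b, qlen):
    """Leftmost qlen bits of an octet string as an integer (RFC 6979 2.3.2)."""
    v = int.from_bytes(b, "big")
    blen = len(b) * 8
    return v >> (blen - qlen) if blen > qlen else v


def int2octets(x, qlen):
    """x as a big-endian string of ceil(qlen/8) bytes (RFC 6979 2.3.3)."""
    return x.to_bytes((qlen + 7) // 8, "big")


def bits2octets(b, q):
    """bits2int, reduced mod q (one subtraction suffices), then int2octets (2.3.4)."""
    z1 = bits2int(b, q.bit_length())
    return int2octets(z1 - q if z1 >= q else z1, q.bit_length())


def rfc6979_nonce(q, x, msg):
    """Deterministic k from (x, H(msg)) via the HMAC_DRBG loop of RFC 6979 3.2."""
    qlen = q.bit_length()
    h1 = HASH(msg).digest()
    V, K = b"\x01" * len(h1), b"\x00" * len(h1)
    seed = int2octets(x, qlen) + bits2octets(h1, q)
    K = hmac.new(K, V + b"\x00" + seed, HASH).digest()
    V = hmac.new(K, V, HASH).digest()
    K = hmac.new(K, V + b"\x01" + seed, HASH).digest()
    V = hmac.new(K, V, HASH).digest()
    while True:
        T = b""
        while len(T) * 8 < qlen:
            V = hmac.new(K, V, HASH).digest()
            T += V
        k = bits2int(T, qlen)
        if 1 <= k <= q - 1:
            return k
        K = hmac.new(K, V + b"\x00", HASH).digest()  # retry path (rarely taken)
        V = hmac.new(K, V, HASH).digest()


# --- Textbook DSA -------------------------------------------------------------
def hash_to_int(msg, q):
    return bits2int(HASH(msg).digest(), q.bit_length()) % q


def keygen(params, rng):
    p, q, g = params
    x = rng.randrange(1, q)
    return x, pow(g, x, p)


def sign(params, x, msg, k):
    """Caller supplies the nonce k so that nonce reuse can be demonstrated."""
    p, q, g = params
    r = pow(g, k, p) % q
    s = pow(k, -1, q) * (hash_to_int(msg, q) + x * r) % q
    assert r and s, "degenerate nonce, pick another k"
    return r, s


def verify(params, y, msg, sig):
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1, u2 = hash_to_int(msg, q) * w % q, r * w % q
    return (pow(g, u1, p) * pow(y, u2, p) % p) % q == r


def recover_private_key(params, msg1, sig1, msg2, sig2):
    """Two signatures with equal r share k; then k = (h1-h2)/(s1-s2) and
    x = (s1*k - h1)/r, all mod q.  This is the leak the thread refers to."""
    _, q, _ = params
    (r, s1), (r2, s2) = sig1, sig2
    if r != r2 or s1 == s2:
        raise ValueError("signatures do not share a nonce")
    h1, h2 = hash_to_int(msg1, q), hash_to_int(msg2, q)
    k = (h1 - h2) * pow(s1 - s2, -1, q) % q
    return k, (s1 * k - h1) * pow(r, -1, q) % q


def demo():
    params = gen_params()
    _, q, _ = params
    rng = random.Random(7)
    x, y = keygen(params, rng)
    m1, m2 = b"transfer 10 to alice", b"transfer 10000 to mallory"  # constructed
    k = rng.randrange(1, q)  # the bug: one nonce used for two messages
    sig1, sig2 = sign(params, x, m1, k), sign(params, x, m2, k)
    k_rec, x_rec = recover_private_key(params, m1, sig1, m2, sig2)
    kd1, kd2 = rfc6979_nonce(q, x, m1), rfc6979_nonce(q, x, m2)
    return {"x": x, "x_recovered": x_rec, "k_recovered_ok": k_rec == k,
            "det_repeats": kd1 == rfc6979_nonce(q, x, m1), "det_differs": kd1 != kd2,
            "det_verifies": verify(params, y, m1, sign(params, x, m1, kd1))}


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the attacker's side needing nothing beyond the two signatures and the two messages: the equal r values give away the shared k, and x falls out with one modular inversion. The RFC 6979 path removes the RNG from the picture (same key and message always give the same k, different messages give different k), which is why it is only a partial mitigation: it does nothing about a k that is disclosed through a fault or a side channel rather than through a bad random number generator.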