"J. Andres Hall" <[EMAIL PROTECTED]>:

> Please enlighten me why, in the absence of crypto, key escrow
> and/or patent restrictions, you would use DSS rather than RSA.
> Perhaps you find RSA "boring" vs. a more exciting "DSS", but
> then again I find that "boring" seems to go hand-in-hand with "trusted"...

One thing I mentioned was DHE ciphersuites (supported by the
Stronghold server, but AFAIK not yet by mod_ssl and Apache-SSL), which
have the great advantage of providing forward secrecy.
For DSS, the word "interesting" refers to various aspects:

-  First of all, TLS with RSA only is known to work quite well, but
   there's not much experience with RSA-free ciphersuites.

-  DSS is different with respect to how server implementation errors
   can lead to exploitable weaknesses.

-  DSS, at least when signature parameter precomputing is used,
   can speed up the TLS handshake (the exponent has 160 bits rather
   than 1024 [but the CRT cannot be used], and after precomputing,
   only one addition and one multiplication modulo q remain to be
   done).
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
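
The signature precomputation described in the last list item of the message, as an added example that is not part of the original message and not OpenSSL code: the message-independent values r, k^-1 and x*r are prepared in advance, so the per-handshake step is one addition and one multiplication modulo q. The toy parameters P, Q, G, the token pool and all function names are constructed for illustration.

```python
import hashlib
import secrets

# Constructed toy domain parameters, far too small for real use:
# Q is prime, P = 6*Q + 1 is prime, G = 2**6 mod P has order Q.
P, Q, G = 607, 101, 64

def digest(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha1(msg).digest(), "big") % Q

def precompute(x: int):
    """Offline, message-independent part: the exponentiation g^k mod p."""
    while True:
        k = secrets.randbelow(Q - 1) + 1          # fresh secret nonce in 1..Q-1
        r = pow(G, k, P) % Q
        if r:                                     # r == 0 is not allowed
            return r, pow(k, -1, Q), (x * r) % Q  # token: (r, k^-1, x*r)

def sign_online(token, msg: bytes):
    """Per-handshake part: one addition and one multiplication mod q."""
    r, kinv, xr = token
    s = kinv * (digest(msg) + xr) % Q
    return (r, s) if s else None                  # s == 0: take another token

def sign(x: int, msg: bytes, pool: list):
    """Sign with tokens from pool; pop() ensures a token is never reused."""
    while True:
        if not pool:
            pool.extend(precompute(x) for _ in range(8))
        sig = sign_online(pool.pop(), msg)
        if sig:
            return sig

def verify(y: int, msg: bytes, sig) -> bool:
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):             # reject out-of-range values
        return False
    w = pow(s, -1, Q)
    u1, u2 = digest(msg) * w % Q, r * w % Q
    return pow(G, u1, P) * pow(y, u2, P) % P % Q == r
```

The stored tokens are as sensitive as the private key x and must be discarded after one signature.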
