Date: Thu, 11 Apr 2002 23:13:49 -0400 (EDT)
From: Garrett Wollman <wollman@lcs.mit.edu>
To: Archie Cobbs <archie@dellroad.org>
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/crypto/openssh servconf.c
Message-ID: <200204120313.g3C3DnP83776@khavrinen.lcs.mit.edu>
In-Reply-To: <200204120044.g3C0i7W08442@arch20m.dellroad.org>
References: <200204112204.g3BM4eK56395@freefall.freebsd.org> <200204120044.g3C0i7W08442@arch20m.dellroad.org>

<<On Thu, 11 Apr 2002 17:44:07 -0700 (PDT), Archie Cobbs <archie@dellroad.org> said:

>> Knowledgeable persons assure me that RSA is preferable to DSA and that we
>> should transition away from DSA.

> We're curious.. can you share any references on this issue?

I'm not DES, but I can at least make a crack at it.

RSA and DSA are believed to be of comparable cryptographic strength, given the key sizes commonly used today. However, verifying a DSA signature is computationally much more expensive than verifying an RSA signature, and since the expiration of the RSA patent there's no particularly good reason to use DSA at all except for compatibility. IIRC, when the SSHv2 protocol is officially blessed by the IETF, RSA will be required and DSA will be an option.

The bottom line is that DSA is more expensive but not better.

If we ever get any elliptic-curve crypto algorithms we can use, this may change again. (ECC algorithms have the nice feature of depending on a different sort of mathematical problem from both RSA and DSA, and as a result can achieve comparable security with much smaller keys. Given that ECC is a relatively recent invention, I suspect the field[1] is entirely hedged about with patents.)

-GAWollman

[1] No pun intended.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-all" in the body of the message