On Mon, Jan 04, 2010 at 10:34:14PM +0100, Lionel Elie Mamane wrote: > On Mon, Jan 04, 2010 at 08:36:32PM +0000, brian m. carlson wrote: > > (...) For maximum long-term security, I recommend a 3072-bit DSA key > > (preferably with SHA-512) or a 4096-bit RSA key. > > I seriously recommend a RSA key over a DSA key; DSA has this horrible > property that you leak bits of your private key with every signature > done on a computer with cryptographically weak random numbers source! This is true; however, most people limit their keys to machines that they physically control. For me, that's two Debian machines, and I trust that /dev/random and /dev/urandom are cryptographically secure. Also, assuming that breaking DSA requires solving the Discrete Logarithm Problem and that breaking RSA requires solving the Factoring Problem, breaking DSA is harder than breaking RSA. That is, if you solve the DLP, you can solve the FP, but not the other way around. Also, RSA has been studied more than DSA, since it's older and arguably more popular. DSA also has a limited number of valid configurations for key size (choices for p and q) and hash algorithms, according to NIST; RSA has no such restrictions. These are all things to consider. Personally, I use an RSA key, but other reasonable people could come to a different decision. -- brian m. carlson / brian with sandals: Houston, Texas, US +1 713 440 7475 | http://crustytoothpaste.ath.cx/~bmc | My opinion only OpenPGP: RSA v4 4096b 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
Attachment:
signature.asc
Description: Digital signature