On Wed, Sep 13, 2017 at 12:27:53PM -0500, Nicholas Geovanis wrote:
Just thinking out loud for those who won't read that article: One of its main points is not that DSA is cryptographically weak, as has been broadly mentioned. Rather that a coding flaw in ssh-keygen limits the key-size for DSA to 1024 because the developers did not track the evolving FIPS standards.
And DSA is extremely sensitive to good random numbers, which are fairly hard to guarantee. And 1024 bit DSA is definitely too small, but larger DSA keys won't work on existing SSH implementations--from a practical standpoint, there aren't openssh servers which will take a larger, secure DSA key but won't take some other kind of key. Since there isn't a compelling reason to use DSA instead of an already-supported algorithm+keylength, why bother rolling out a change to the DSA keys? In general the security community has found that it's better to have a smaller number of well chosen options than a lot of options with little to distinguish them--when faced with too many choices, people tend to pick the wrong one. And as a bonus, elliptic curve keys are a lot smaller and a lot easier to copy & paste than humongous DSA keys.
Mike Stone