From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id F10371386F3 for ; Thu, 13 Aug 2015 07:02:51 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id B86A3141A2; Thu, 13 Aug 2015 07:02:44 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 6546BE0851 for ; Thu, 13 Aug 2015 07:02:43 +0000 (UTC) Received: from [10.144.0.7] (host-37-191-220-247.lynet.no [37.191.220.247]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: k_f) by smtp.gentoo.org (Postfix) with ESMTPSA id 082CC340813 for ; Thu, 13 Aug 2015 07:02:41 +0000 (UTC) Subject: Re: [gentoo-dev] [PATCH] document openssh-7.0 dsa key change #557388 References: <1439435840-23541-1-git-send-email-vapier@gentoo.org> To: gentoo-dev@lists.gentoo.org From: Kristian Fiskerstrand Message-ID: <55CC40A5.3070504@gentoo.org> Date: Thu, 13 Aug 2015 09:00:53 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.1.0 Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org MIME-Version: 1.0 In-Reply-To: <1439435840-23541-1-git-send-email-vapier@gentoo.org> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-Archives-Salt: 70665b5b-82a5-4db0-b82d-b7af08a8983e X-Archives-Hash: bea287d58df1df4a233a5162183fd8b0 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi, might be nitpick, but.. On 08/13/2015 05:17 AM, Mike Frysinger wrote: > +Your best option is to generate new keys using newer types such as > rsa +or ecdsa or ed25519. RSA keys will give you the greatest > portability +with other clients/servers while ed25519 will get you > the best security +with OpenSSH (but requires recent versions of > client & server). Strictly speaking DSA/DSS is newer than RSA (FIPS-186-1 came in early 90's, RSA around since 70s, although the ElGamal signature scheme was around before that). ECC gives a better performance on the same security level when comparing to DSA/RSA, however claiming better security in general isn't necessarily valid, Ed25519 is a signature scheme over Curve25519 which is a 256 bit curve generally considered to be 128 bit security level, roughly comparable to a 3072 bit RSA key. (as a side note, it seems OpenSSH was not updated for FIPS-186-3 that adds other key lengths to DSA, but refers to DSA to mean FIPS-186-2) - -- Kristian Fiskerstrand Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 -----BEGIN PGP SIGNATURE----- iQEcBAEBCgAGBQJVzEChAAoJECULev7WN52F9RgH/2ogCdlZv+RoY7fwaTrviyFK oAzDRubkCPuIFAuERgqpkPlnu692tnNXXtJ6w4krSpg4lFSeh7KPPYM/C9dA++V4 7/oyCuOiQ6pxcQlHa1dTpCQjdWAOE5SL0os4Fy81hVGAvZgPGubRQSelBe9UUE4U tP7Z+5FW/bnX91K0OZEl75qoKvLT4xqhWNUiLG3V1aUCN+DC7ZaSJkoC27vd+l+b iqetcOzudojT4DyltO+dIkzQeSlaMF6qZnmq+MJU5m9b8U9ACw30YalD8awumN21 6cK0nOOxQI4M0VRLjl+9xMLrYnuQbeJnN3JBZpKnTcZ5S3hs0DPfhvTcAv0pyaw= =LHJd -----END PGP SIGNATURE-----