Do we really want to have the legacy provider as opt-in only?

Benjamin Kaduk kaduk at mit.edu
Fri Jul 19 23:39:11 UTC 2019


On Tue, Jul 16, 2019 at 03:06:28PM -0400, Viktor Dukhovni wrote:
> On Mon, Jul 15, 2019 at 02:27:44PM +0000, Salz, Rich wrote:
> 
> >     >>    DSA
> >     > 
> >     > What is the cryptographic weakness of DSA that you are avoiding?
> >     
> >     It's a good question. I don't recall the specific reason why that was added to
> >     the list. Perhaps others can comment.
> > 
> > The only weakness I know about is that if you re-use the nonce, the private
> > key is leaked. It's more brittle than RSA-PKCS, but not as flawed as RC4.
> > 
> > I think this should be removed from the "legacy" list unless someone can point out why it's like the others in the list.
> 
[...]
>     4.  As mentioned key disclosure is more likely than with RSA.

Huh, and it looks like we don't even implement deterministic DSA (RFC
6979) which is a partial mitigation.

-Ben

