[openssl-users] DSA with OpenSSL-1.1

[Michael Wojcik]

> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
> Of Hanno Böck
> Sent: Friday, July 01, 2016 08:40
> To: openssl-users at openssl.org
> Subject: Re: [openssl-users] DSA with OpenSSL-1.1
> 
> I can't answer your question, but I have one to you: Why do you use DSA?
> 
> There was a discussion in the TLS working group a while ago about DSA
> support and there was overwhelming support to remove it in TLS 1.3.
> The rationale was basically that DSA in TLS is rarely used at all, is
> often used with insecure key sizes (1024 bit) and has a severe weakness
> when it comes to bad random numbers. On top of that it has basically no
> advantage over the much more widely used RSA. The original reason
> (in the early 90s) to use DSA over RSA were patent issues, but those are
> long expired.
> 
> So my (and I think most others) impression is that DSA in TLS is as
> dead as it can be and probably the most sane move for OpenSSL would be
> to just remove it. Given that I'd like to know why you seem to have
> chosen to still use DSA.

We have US Federal customers who require DSA. They have existing DSA certificates, their certificate process generates DSA certificates, and they're not showing any inclination to change, regardless of what crypto experts think.

Of course, this being the US Federal Government, it's entirely possible that tomorrow someone will issue a directive forbidding further use of DSA. But then it's also very likely that any such directive would be delayed for years. The wheels of US government cryptography grind slowly.

In short: Removing support for DSA in OpenSSL would prevent some of our products from updating to 1.1.x for a significant length of time, probably years.

-- 
Michael Wojcik
Technology Specialist, Micro Focus