[Enigmail] about creating a secure encryption

Robert J. Hansen rjh at sixdemonbag.org
Tue Jul 1 12:54:31 PDT 2008

Charly Avital wrote:
> The new key you have generated and uploaded is a 1024 bit key.
> With that kind of key you can use only SHA1.

Not true -- you could always use RIPEMD160.

And ever since the introduction of DSA2 support, you can use pretty much
any hash you want.  If it's longer than 160 bits, it will get chopped
down appropriately.

> When using a DSA key, you need it to be DSA2, where the primary key can
> be 2048 bit long, (that is quite enough), in order to be able to use
> hash SHA256.

DSA-2048 actually calls for SHA224, not SHA256.  I suppose you could use
SHA256, but you'd lose 32 bits for no reason whatsoever.

> - the work-around: add a signing only 2048 bit subkey to your current
> key. The 2048 bit subkey will have to be RSA, because of the same DSA
> limitation.

Not true.  This message is signed with a 2kbit DSA key, for instance,
and uses SHA256.

(Hmm.  Why am I using SHA256, instead of SHA224?  Probably because (a)
it doesn't matter very much and (b) I had a braino and I'm too lazy to
fix it right now.)
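
The "chopped down" rule the message refers to, as an added example (not part of Robert's message or of Enigmail/GnuPG code): FIPS 186-3/186-4 section 4.6 and the OpenPGP DSA rules sign z = the leftmost min(N, outlen) bits of the digest, where N is the bit length of q. The script below models that with stdlib hashlib only; `dsa_truncate`, `hash_choice_table` and the `Q_BITS_FOR_KEY` lookup (1024/160, 2048/224, 3072/256, the pairings GnuPG's DSA2 generation uses, which is why the message says DSA-2048 calls for SHA-224) are this example's own names and assumptions, and the sample message is constructed. The "allowed" column applies OpenPGP's requirement that the hash be at least as wide as q, which is why SHA-1 is not usable with a 224-bit q even though a 1024-bit/160-bit key accepts it.

```python
import hashlib

# Constructed lookup, not from the message: the (L, N) size pairs GnuPG's DSA2
# key generation uses.  "DSA-2048 calls for SHA224" follows from the 224-bit q.
Q_BITS_FOR_KEY = {1024: 160, 2048: 224, 3072: 256}


def dsa_truncate(digest: bytes, q_bits: int) -> int:
    """Reduce a hash digest to the integer z that DSA actually signs.

    FIPS 186-3/186-4 section 4.6 (and the OpenPGP DSA rules): use the leftmost
    min(N, outlen) bits of the digest, N being the bit length of q.  A digest
    wider than q is truncated on the right; a narrower one is used whole.
    """
    outlen = len(digest) * 8
    use_bits = min(q_bits, outlen)
    z = int.from_bytes(digest, "big")
    return z >> (outlen - use_bits)


def digest_bits(hash_name: str) -> int:
    return hashlib.new(hash_name).digest_size * 8


def bits_discarded(hash_name: str, q_bits: int) -> int:
    """Hash bits DSA throws away: 32 for SHA-256 against a 224-bit q."""
    return max(0, digest_bits(hash_name) - q_bits)


def hash_fits(hash_name: str, q_bits: int) -> bool:
    """OpenPGP requires the hash to be at least as wide as q."""
    return digest_bits(hash_name) >= q_bits


def signable_z(hash_name: str, message: bytes, q_bits: int) -> int:
    """The z value a DSA signer with a q of q_bits would sign for message."""
    return dsa_truncate(hashlib.new(hash_name, message).digest(), q_bits)


def hash_choice_table(key_bits: int) -> dict:
    """For each candidate hash: is it allowed, and how much of it survives."""
    q_bits = Q_BITS_FOR_KEY[key_bits]
    table = {}
    for name in ("sha1", "sha224", "sha256", "sha512"):
        table[name] = {
            "allowed": hash_fits(name, q_bits),
            "bits_used": min(digest_bits(name), q_bits),
            "bits_discarded": bits_discarded(name, q_bits),
        }
    return table


if __name__ == "__main__":
    msg = b"constructed sample message"  # constructed input, not a real mail
    for key_bits in (1024, 2048):
        q = Q_BITS_FOR_KEY[key_bits]
        print(f"DSA-{key_bits} (q = {q} bits)")
        for name, row in hash_choice_table(key_bits).items():
            print(f"  {name:7s} allowed={row['allowed']!s:5s} "
                  f"used={row['bits_used']:3d} discarded={row['bits_discarded']}")
    # SHA-256 under a 224-bit q signs exactly the first 28 digest bytes;
    # the last 4 bytes (32 bits) never reach the signature.
    z = signable_z("sha256", msg, 224)
    assert z == int.from_bytes(hashlib.sha256(msg).digest()[:28], "big")
```

The practical reading of the table: with a 1024/160 key, SHA-1 and RIPEMD-160 fit exactly and anything wider is cut to 160 bits; with a 2048/224 key, SHA-224 fits exactly, SHA-256 costs 32 bits of digest for nothing, and SHA-1 is no longer acceptable because it is narrower than q.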