DSA default algorithm for keytool -genkeypair. Bad choice?

Weijun Wang weijun.wang at oracle.com
Wed Oct 10 14:42:06 UTC 2018



> On Oct 10, 2018, at 7:59 PM, Sean Mullan <sean.mullan at oracle.com> wrote:
> 
> There is really no other reason other than DSA keys have been the default keypairs generated by keytool for a long time, so there are some compatibility issues we would have to think through before changing it to another algorithm such as RSA. Weijun might have more insight into that.

Not really. It was the default before I joined Sun Microsystems many, many years ago. Maybe it was a NIST standard?

As for compatibility, as long as someone is still using DSA then they might not be specifying the -keyalg option.

If not DSA, should RSA be the new default? Or maybe RSASSA-PSS (I wonder if RSASSA-PSS signature can always use legacy RSA keys) or EC? We don't have an option to specify ECCurve in keytool yet (a string -keysize).

--Max
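The default only bites when nobody passes -keyalg, so the practical question for anyone operating Java keystores is which existing entries still carry DSA keys. The script below is an added example, not code from this thread or from the JDK: a POSIX sh/awk filter that reads `keytool -list -v` output on stdin and reports PrivateKeyEntry aliases whose key algorithm is DSA. It assumes the field labels that recent JDKs print ("Alias name:", "Entry type:", "Signature algorithm name:", "Subject Public Key Algorithm:", "Version:"); the keystore listing embedded in it is constructed for the demonstration, not real keytool output.

```shell
#!/bin/sh
# Added example, not code from the thread or from the JDK: audit a keystore
# listing for private-key entries whose key algorithm is DSA, i.e. entries
# most likely created by `keytool -genkeypair` without an explicit -keyalg.
# Assumes the field labels printed by `keytool -list -v` ("Alias name:",
# "Entry type:", "Signature algorithm name:", "Subject Public Key Algorithm:",
# "Version:"); the sample listing below is constructed, not real output.

# Read a `keytool -list -v` listing on stdin; print "<alias> <key algorithm>"
# for every PrivateKeyEntry, taken from the first certificate under the alias
# (the entry's own certificate; later ones belong to the issuer chain).
list_key_algs() {
    awk '
        /^Alias name: /  { alias = substr($0, length("Alias name: ") + 1); entry = "" }
        /^Entry type: /  { entry = $3 }
        /^Signature algorithm name: /     { sig = $4 }   # e.g. SHA256withDSA
        /^Subject Public Key Algorithm: / { pub = $6 }   # e.g. "2048-bit DSA key" -> DSA
        /^Version: / {
            # "Version:" is the last field keytool prints for a certificate body.
            if (entry == "PrivateKeyEntry" && !seen[alias]++) {
                alg = pub
                # Older listings lack the public-key line; fall back to the signature
                # algorithm, which equals the key algorithm only for self-signed
                # certificates such as the ones -genkeypair creates.
                if (alg == "") { alg = sig; sub(/^.*with/, "", alg) }
                print alias, alg
            }
            sig = ""; pub = ""
        }
    '
}

# Print the aliases of DSA private keys, one per line.
# Returns 1 when at least one was found, 0 when the keystore is clean.
flag_dsa_keys() {
    list_key_algs | awk '$2 == "DSA" { print $1; found = 1 } END { exit found ? 1 : 0 }'
}

# Constructed sample listing (abridged): one DSA key from a plain -genkeypair,
# one RSA key with a two-certificate chain, and one trusted certificate that
# must be ignored because it carries no private key.
SAMPLE_LISTING='Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 3 entries

Alias name: legacy-signing
Creation date: Oct 10, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=legacy, O=Example
Issuer: CN=legacy, O=Example
Signature algorithm name: SHA256withDSA
Subject Public Key Algorithm: 2048-bit DSA key
Version: 3

Alias name: web-tls
Creation date: Oct 10, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=web.example, O=Example
Issuer: CN=Example CA, O=Example
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Certificate[2]:
Owner: CN=Example CA, O=Example
Issuer: CN=Example CA, O=Example
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3

Alias name: root-ca
Creation date: Oct 10, 2018
Entry type: trustedCertEntry
Owner: CN=Example CA, O=Example
Issuer: CN=Example CA, O=Example
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3'

# Real use: keytool -list -v -keystore app.p12 -storepass "$STOREPASS" | flag_dsa_keys
# Stand-alone run against the constructed sample:
printf '%s\n' "$SAMPLE_LISTING" | flag_dsa_keys \
    || echo "DSA private keys listed above; regenerate them with an explicit -keyalg"
```

Against the sample this prints `legacy-signing` and exits 1. Entries it flags were almost certainly generated with the bare default; regenerating them with -keyalg given explicitly (RSA, or EC with -keysize naming the curve size, as the message notes) removes the dependency on whatever keytool happens to default to.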
