FAQ: Technical Questions & Answers
What's wrong with DSA?
It is a state-sponsored standard
State-sponsored standards are high risk. They are usually crippled so the state can crack them. We know that the US government has been spending more than $250 million per year to sabotage crypto (see New York Times, ProPublica, and Guardian articles). This results in nonsense, such as "Simply put --- larger key sizes --- more risk of compromise."
One of the earliest specifications for DSA required that keys be "exactly 1024 bits". The ssh-keygen man page still says this is a requirement, even though some later specs were supposed to supersede the limit.
It is a very serious concern any time someone arbitrarily restricts key size. There are too many ways (think rainbow tables) that shortened keys can be compromised. It is reasonable to be deeply concerned about any standards from the same source.
RSA is a tested and trusted alternative to DSA. Why trust an algorithm that was sabotaged, from an organization that is known to be working against secure encryption?
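To find DSA keys that are still accepted for SSH logins, the sketch below decodes public key lines and reports each key's algorithm and size. It is an added example, not part of the original FAQ; it assumes `type base64 [comment]` lines with no leading options field, and the sample keys are constructed placeholders, not real keys.

```python
import base64
import struct

SIZE_FIELD = {"ssh-dss": 0, "ssh-rsa": 1}  # index of p (DSA) / n (RSA) after the type string

def read_string(buf, off):
    """Read one length-prefixed SSH string; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:off + 4 + n], off + 4 + n

def key_info(line):
    """Return (algorithm, bits) for a 'type base64 [comment]' public key line."""
    fields = line.split()
    blob = base64.b64decode(fields[1], validate=True)
    alg, off = read_string(blob, 0)
    alg = alg.decode("ascii")
    if alg != fields[0]:
        raise ValueError("key type does not match blob")
    if alg not in SIZE_FIELD:
        return alg, None  # size not decoded for other key types
    for _ in range(SIZE_FIELD[alg] + 1):
        num, off = read_string(blob, off)
    return alg, int.from_bytes(num, "big").bit_length()

def audit(lines):
    """Return (algorithm, bits, is_dsa) for every non-comment key line."""
    infos = [key_info(l) for l in lines if l.strip() and not l.lstrip().startswith("#")]
    return [(alg, bits, alg == "ssh-dss") for alg, bits in infos]

# --- constructed sample input: well-formed blobs, not real keys ---
def mpint(x):
    raw = x.to_bytes(x.bit_length() // 8 + 1, "big")  # room for a zero byte if top bit is set
    return struct.pack(">I", len(raw)) + raw

def sample_line(alg, *ints):
    name = alg.encode()
    blob = struct.pack(">I", len(name)) + name + b"".join(map(mpint, ints))
    return f"{alg} {base64.b64encode(blob).decode()} constructed@example"

SAMPLE = [
    "# constructed authorized_keys content",
    sample_line("ssh-dss", (1 << 1023) | 1, (1 << 159) | 1, 2, 3),
    sample_line("ssh-rsa", 65537, (1 << 3071) | 1),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Feed `audit()` the lines of an `authorized_keys` file; every entry with the third field set is a DSA key to replace.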