upstream: Expand comment to document rationale for default key

sizes. "seems worthwhile" deraadt.

OpenBSD-Commit-ID: 72e5c0983d7da1fb72f191870f36cb58263a2456

ssh-keygen.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.328 2019/03/25 15:49:00 dtucker Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.329 2019/03/25 16:19:44 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -68,8 +68,15 @@
 #endif
 
 /*
- * Default number of bits in the RSA/DSA key.  This value can be overridden
+ * Default number of bits in the RSA, DSA and ECDSA keys.  These value can be
- * on the command line.
+ * overridden on the command line.
+ *
+ * These values, with the exception of DSA, provide security equivalent to at
+ * least 128 bits of security according to NIST Special Publication 800-57:
+ * Recommendation for Key Management Part 1 rev 4 section 5.6.1.
+ * For DSA it (and FIPS-186-4 section 4.2) specifies that the only size for
+ * which a 160bit hash is acceptable is 1kbit, and since ssh-dss specifies only
+ * SHA1 we limit the DSA key size 1k bits.
  */
 #define DEFAULT_BITS		3072
 #define DEFAULT_BITS_DSA	1024