Comments (4)
mricon
commented on July 30, 2024
Yeah, I literally wrote that part of the guide several times over, and I'm still only about 51% convinced that leaving it as "all RSA" for now makes sense. There are two reasons:
- People who are most likely to read this guide may get confused when you give them too many choices -- especially if some of these choices don't work with specific hardware. So I'm trying to give a solution that is likely to work in the majority of cases.
- I recommend Yubikey-4 devices in the guide because they implement both smartcard and u2f features. Annoyingly, Nitrokey Pro doesn't do u2f, and the only common device that does ed25519 keys is the Nitrokey Start (because it's basically Gnuk).
So, just for these two reasons I'm sticking with "RSA only for now" for this iteration of the guide. If the next edition of Nitrokey Pro supports both u2f and ECC keys, then I will happily redact that part to what you suggest.
from itpol.
dd9jn
commented on July 30, 2024
1. People who are most likely to read this guide may get confused when you give them too many choices -- especially if some of these choices don't work with specific hardware. So I'm trying to give a solution that is likely to work in the majority of cases.
That make sense.
2. I recommend Yubikey-4 devices in the guide because they implement
both smartcard and u2f features. Annoyingly, Nitrokey Pro doesn't do
u2f, and the only common device that does ed25519 keys is the Nitrokey
Start (because it's basically Gnuk).
There is a lot of progress in the token domain; so things may look
different in a year. I see the reason for u2f and it would be
interesting to see whether we can implement this in gnuk as well.
While I am at it. The TOFU implementation is still pretty new and has
not seen a lot of real life tests. But someone needs to start using it
so that we can fix the bugs.
Thanks for writing this guide
Salam-Shalom,
Werner
…--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
from itpol.
5bentz
commented on July 30, 2024
Last July, I created an ed25519 PGP pubkey, thinking it should be widely adopted as future-default.
Sadly, since Android-Password-Store (https://github.com/zeapo/Android-Password-Store) does not support ed25519 yet, I am now considering moving back from ed25519 to RSA :/
So, as far as I'm concerned, I would still recommend RSA despite its drawbacks!
Thanks for this very useful guide
5bentz
from itpol.
tmzullinger
commented on July 30, 2024
I think this can be closed now? In bc0503d (Update the code integrity guide for 2021, 2021-05-13), the recommendation for subkeys was changed to an ECC algorithm. The certification key is still RSA,
from itpol.
Related Issues (18)
- Additional Resources / References Section
- Encrypting /boot is in fact feasible HOT 2
- Provision intel AMT by default HOT 3
- Misleading passage about LUKS HOT 1
- Remove use of Ghostery because it is proprietary and could contain secret security issues HOT 2
- Suggestion: Mention expected errors from "cp -rp ~/.gnupg [/media/disk/name]/gnupg-backup" HOT 1
- default bit size for master key HOT 2
- Please give concrete examples of threat Git without GPG HOT 4
- gpg: error reading key: No public key HOT 4
- Git Commit Hashes
- linux-workstation-security.md needs an update review
- Document steps to create subkey for a new machine
- Coreboot is missing as alternate firmware option. HOT 3
- Can you clarify the choice of RSA for `cert` and ECC for `sign,encr,auth` ? HOT 1
- Apple instructions link for encrypting storage device is broken
- CIS Benchmark Inclusion HOT 1
- Ad Blocking for browsers HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from itpol.