On 07/06/2018 07:49 AM, Ulrich Mueller wrote:
>>>>>> On Thu, 5 Jul 2018, Jonas Stein wrote:
>
>>> b. RSA, >=2048 bits (OpenPGP v4 key format or later only) |
>>> |
>>> + c. ECC curve 25519 |
>>> + |
>>> 4. Key expiry: 5 years maximum |
>>> 5. Upload your key to the SKS keyserver rotation before usage! |
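
Review bot: the added item "c. ECC curve 25519" is inserted after the blank line that follows item b, so it ends up separated from the list it belongs to; place it directly below b. Item b also states a minimum size and the key format it applies to, while c names only the curve, so consider saying whether c covers the primary key, the subkeys or both.
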
>
>> I think we should ensure first that everything works fine with ECC.
>> Last time I checked, ECC was a nightmare.
>
>> Some SKS server could not handle ECC... and so on.
>
> IIRC, it has also been pointed out that ECC is not part of the OpenPGP
> standard (yet)?
>
|
Right, the NIST prime curves are defined in RFC6637 but
Curve25519/EdDSA is only implemented in GnuPG and part of the draft
rfc4880bis (WG isn't currently active, so a v5 is not expected any time soon).

ECC is also only implemented in gnupg >=2.1, so as mentioned earlier,
gnupg 1.4 (which is still maintained and often used for smaller
footprint or backwards compat to v3 keys) will not be able to use it.
|
> Maybe we should better omit it. It shouldn't be too complicated for
> developers to add a dedicated RSA signing key for Gentoo if necessary
> (especially, since someone using ECC could be considered an advanced
> GnuPG user).
|
If the primary key is ECC, clients not supporting it won't be able to
use the key material even if the signing subkey is RSA.
|
>
> Ulrich
>
|
--
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 |
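
The rules debated in this thread can be checked mechanically against `gpg --list-keys --with-colons` output. The sketch below is an added example, not part of the original message or of any Gentoo tooling. It assumes epoch-second timestamps in the listing and an expiry limit counted from the time of the check; the finding labels are hypothetical and the sample listings are constructed.

```python
# Added example: check `gpg --with-colons` key listings against the rules quoted in the thread.
ALGO_RSA = "1"                          # OpenPGP public-key algorithm id for RSA
ECC_ALGOS = {"18", "19", "22"}          # ECDH, ECDSA, EdDSA
CURVE25519_NAMES = {"ed25519", "cv25519"}
MAX_EXPIRY = 5 * 365 * 24 * 3600        # "5 years maximum"; assumed to count from check time

# Constructed sample listings: key ids and timestamps are made up.
SAMPLE_RSA = "pub:u:4096:1:AAAAAAAAAAAAAAAA:1530000000:1600000000::u:::scESC:\n"
SAMPLE_ED25519 = (
    "pub:u:255:22:BBBBBBBBBBBBBBBB:1530000000:::u:::scESC:::::ed25519:::0:\n"
    "sub:u:2048:1:CCCCCCCCCCCCCCCC:1530000000:1600000000:::::s:\n"
)

def check_listing(colons, now):
    """Return (keyid, finding) pairs; the finding labels are hypothetical names."""
    findings = []
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub") or len(f) < 7:
            continue
        kind, bits, algo, keyid, expires = f[0], int(f[2]), f[3], f[4], f[6]
        curve = f[16] if len(f) > 16 else ""   # field 17 carries the curve name
        if algo == ALGO_RSA:
            if bits < 2048:
                findings.append((keyid, "rsa-below-2048"))
        elif algo in ECC_ALGOS and curve in CURVE25519_NAMES:
            # Per the reply: ECC needs gnupg >= 2.1, and an ECC primary key
            # makes the whole key unusable for clients without ECC support.
            findings.append((keyid, "needs-gnupg-2.1"))
            if kind == "pub":
                findings.append((keyid, "ecc-primary-unusable-without-ecc-support"))
        else:
            findings.append((keyid, "not-in-quoted-items"))
        if not expires:
            findings.append((keyid, "no-expiry"))
        elif int(expires) - now > MAX_EXPIRY:
            findings.append((keyid, "expiry-over-5-years"))
    return findings

if __name__ == "__main__":
    now = 1530835200  # constructed check time, 2018-07-06
    for name, listing in (("rsa", SAMPLE_RSA), ("ed25519", SAMPLE_ED25519)):
        print(name, check_listing(listing, now))
```

The RSA subkey in the second sample passes on its own, yet the key as a whole is still flagged because its primary key is ECC.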