| 1 |
On 07/06/2018 07:49 AM, Ulrich Mueller wrote: |
| 2 |
>>>>>> On Thu, 5 Jul 2018, Jonas Stein wrote: |
| 3 |
> |
| 4 |
>>> b. RSA, >=2048 bits (OpenPGP v4 key format or later only) |
| 5 |
>>> |
| 6 |
>>> + c. ECC curve 25519 |
| 7 |
>>> + |
| 8 |
>>> 4. Key expiry: 5 years maximum |
| 9 |
>>> 5. Upload your key to the SKS keyserver rotation before usage! |
| 10 |
> |
| 11 |
>> I think we should ensure first that everything works fine with ECC. |
| 12 |
>> Last time I checked, ECC was a nightmare. |
| 13 |
> |
| 14 |
>> Some SKS server could not handle ECC... and so on. |
| 15 |
> |
| 16 |
> IIRC, it has also been pointed out that ECC is not part of the OpenPGP |
| 17 |
> standard (yet)? |
| 18 |
> |
| 19 |
|
| 20 |
Right, the NIST curves prime curves are defined in RFC6637 but |
| 21 |
Curve25519/EdDSA is only implemented in GnuPG and part of the draft |
| 22 |
rfc4880bis (WG isn't currently active, so not expected a v5 any time soon). |
| 23 |
|
| 24 |
ECC is also only implemented in gnupg >=2.1 , so as mentioned earlier, |
| 25 |
gnupg 1.4 (which is still maintained and often used for smaller |
| 26 |
footprint or backwards compat to v3 keys) will not be able to use it. |
| 27 |
|
| 28 |
> Maybe we should better omit it. It shouldn't be too complicated for |
| 29 |
> developers to add a dedicated RSA signing key for Gentoo if necessary |
| 30 |
> (especially, since someone using ECC could be considered an advanced |
| 31 |
> GnuPG user). |
| 32 |
|
| 33 |
If the primary key is ECC, clients not supporting it won't be able to |
| 34 |
use the key material even if the signing subkey is RSA. |
| 35 |
|
| 36 |
> |
| 37 |
> Ulrich |
| 38 |
> |
| 39 |
|
| 40 |
|
| 41 |
-- |
| 42 |
Kristian Fiskerstrand |
| 43 |
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net |
| 44 |
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 |
Archives