-
-
Notifications
You must be signed in to change notification settings - Fork 136
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
WIP: Support Ed25519 keys in setup #26
base: main
Are you sure you want to change the base?
Conversation
This would be awesome! It will need to be autodetected though, we should not ask the user to pick. What's the server-side compatibility situation for ed25519 keys? |
RHEL 7, Debian Jessie and GitHub support them, need to go pretty far back (RHEL 6, Debian Wheezy), to lack server support (Jan 2014, https://www.openssh.com/txt/release-6.5). We're likely the only pseudo-PIV to support them though, as SP 800-78-4 doesn't include them. Given that, I see it as an experimental feature that merits a flag? I don't know of any way to autodetect except trying to generate a 25519, on failure attempt a p256. Would that work? That would put the majority of existing keys (all Yubico) on unhappy path though. If we do first-25519-then-256, would it make sense to add a |
Hmm, you can't issue a Version command or anything like that? I am really reticent to add flags, but first-25519-then-256 does seem too aggressive. If you could find a way to cleanly check, I'd prefer that (and no need for a flag to downgrade), otherwise for now the Please rebase now that the piv-go patch landed. |
I believe Ed25519 support for Yubikey devices landed in firmware 5.2.3 and above, here are the details, so a firmware version check is likely the cleanest way to default to Ed25519 else 256. Thoughts? |
Scratch the above, Ed25519 support has only been added for the OpenPGP applet, not for the PIV applet. I confirmed in a personal branch that a YubiKey with firmware This is confirmed by a comment in piv-go that it is currently only supported by SoloKeys devices and by the output of
|
I rebased, I hope go.sum is not a mess now. To give some context on the flag and YubiKeys:
So on the one hand I'd understand if you prefer not to merge this (although, why not ^^), on the other, for the above reasons I really think it should be an experimental flag and not an official feature. If and when a community rally succeeds (perhaps even getting Yubico on board?), the algorithm discovery and a possibly amended What do you think? |
Congrats on the launch of the Solo V2! I've been thinking about this a bit, and even if it's experimental it's in real hardware, and it's not going away from keys that have it, and keys are tied to the hardware anyway, so I am comfortable autodetecting it without any flag. If you can give me a way to reliably detect supported SoloKeys, happy to switch them to Ed25519 setup by default. |
Any movement on this? I would really like this feature. (Pretty please, with a 🍒 on top!) |
I'm coordinating with other projects (PivApplet @arekinath, OpenFIPS201 @makinako) on which That would entail a change in piv-go first, and then an update here. I propose waiting on some kind of consensus in the "open source PIV world" on the alg choices to avoid back and forth. |
Still blocked on cat-wrangling? |
Thoughts on this? Would adjust dependency if/when go-piv/piv-go#69 is accepted.