On 07/05/2018 01:07 AM, Joshua Kinard wrote: >> @@ -64,6 +66,8 @@ not be used to commit. >> >> b. RSA, >=2048 bits (OpenPGP v4 key format or later only) >> >> + c. ECC, curve 25519 >> + >> 3. Key expiry: 5 years maximum >> >> 4. Upload your key to the SKS keyserver rotation before usage! >> > Add a minimum key size here for ECC. They have different bit sizes than > classic DSA/RSA keys. A quick read indicates that a 224-bit ECC key is > roughly > equivalent to a 112-bit symmetric key, which is what a 2048-bit RSA key is > equivalent to, so the logical minimum for ECC looks like 'nistp256'. The > maximum is 521-bits on ECC (nistp521). > > Also move the mention of Ed25519 keys to their own bullet and clarify that > they > don't allow for a key length, as I think that's hardcoded in some capacity.
following the comma-style of the rest of the document, the ECC part
should likely be read as curve25519 being the only acceptable curve,
which is 256 bits (roughtly 128 bit shannon entropy equivalent)
that said, I'm not aware of any curves defined with a lower security
margin than this for OpenPGP in general. The known curves in the
ecosystem are
let oid_to_psize oid =
let psize = match oid with
| "\x2b\x81\x04\x00\x23" -> 521 (* nistp521 *)
| "\x2b\x81\x04\x00\x22" -> 384 (* nistp384 *)
| "\x2a\x86\x48\xce\x3d\x03\x01\x07" -> 256 (* nistp256 *)
| "\x2b\x24\x03\x03\x02\x08\x01\x01\x07" -> 256 (* brainpoolP256r1 *)
| "\x2b\x24\x03\x03\x02\x08\x01\x01\x0b" -> 384 (* brainpoolP384r1 *)
| "\x2b\x24\x03\x03\x02\x08\x01\x01\x0d" -> 512 (* brainpoolP512r1 *)
| "\x2b\x81\x04\x00\x0a" -> 256 (* secp256k1 *)
| "\x2b\x06\x01\x04\x01\xda\x47\x0f\x01" -> 256 (* Ed25519 *)
| _ -> failwith "Unknown OID"
--
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
signature.asc
Description: OpenPGP digital signature
