Hi Simon,

On Mon, 01 Jan 2018 at 14:28:34 +0100, Simon Josefsson wrote:
> I want to use ed25519/curve25519, but right now I have an offline
> master RSA key with three subkeys. Does it work well to add new
> subkeys for Ed25519/Curve25519? What is the user experience in
> various applications? I'm thinking MUAs, SSH, git, gpg itself, and
> also more exotic approaches like K9Mail.
AFAICT multiple Ed25519/Curve25519 subkeys work fine, with the following caveats:

* You'll want to sign with both your Ed25519 and non-ECC (sub-)keys, otherwise non-ECC capable OpenPGP implementations won't be able to verify your data signatures. You can do this by adding

    local-user $FINGERPRINT!

  for each (sub)key to sign with (note the trailing exclamation mark to specify the subkey).

* You'll want to create your Curve25519 encryption subkey *after* the non-ECC one, as `gpg --encrypt --recipient $KEYID` only uses the most recent valid encryption-capable subkey, I think. So if you have an older non-ECC encryption subkey, older gpg(1) will encrypt to it while ≥2.1 will use the Curve25519 encryption subkey.

* You can use multiple authentication subkeys with gpg-agent's SSH agent emulation, but `gpg --export-ssh-key $KEYID` currently only exports the most recent authentication (sub)key, so you'll need to generate the relevant authorized_keys(5) for OpenSSH as follows:

    gpg --with-colons --list-key $FINGERPRINT \
      | sed -nr 's/^[ps]ub:[^deir:]*(:[^:]*){2}:([0-9a-fA-F]+)(:[^:]*){7}a.*/\2/p' \
      | xargs -I{} gpg --export-ssh-key {}\!

  (note the trailing exclamation mark to specify the subkey). Recent OpenSSH's PubkeyAcceptedKeyTypes default value contains “ssh-ed25519, ssh-rsa” in that order, so the Ed25519 (sub)key will be tried first. Older OpenSSH — which doesn't support Ed25519 — will fall back to the RSA (sub)key.

> The alternative for me of course is to create a brand new key, with an
> offline Ed25519 master key, plus some subkeys. Has anyone done this,
> and can share their experience?

IMHO it's too early to use an Ed25519 master key in production, because there are still a lot of legacy systems out there and that will make the whole key unusable for encryption and verification. It's fine to start bringing such a key to KSPs to improve its reputation and have a less painful key rollover later, though :-)

Cheers,
-- 
Guilhem.
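As an added illustration (not part of Guilhem's message or of GnuPG itself), the selection logic behind the sed(1) one-liner above, written as a small POSIX sh/awk function and run over a constructed colon-format listing. It serves both caveats: the same function picks out the signing (sub)keys that need a `local-user` line and the authentication (sub)keys to hand to `gpg --export-ssh-key`. The helper names (`valid_keys_with_cap`, `local_user_lines`, `export_ssh_keys`) and all key IDs are hypothetical; the field numbering follows the colon-format description in GnuPG's doc/DETAILS. The sample deliberately contains an expired Ed25519 authentication subkey (validity `e`) to show that it is skipped, exactly as the `[^deir:]` class in the sed expression skips it.

```shell
#!/bin/sh
# Added example (not from the original message): select the valid (sub)keys
# carrying a given capability from `gpg --with-colons --list-key` output.
#
# Colon-format fields used here (GnuPG doc/DETAILS):
#   $1  record type (pub/sub)
#   $2  validity; d/e/i/r = disabled/expired/invalid/revoked
#   $5  key ID
#   $12 capabilities; lowercase = this (sub)key, uppercase = whole key
#
# Each key ID is printed with a trailing "!" so that gpg acts on exactly that
# (sub)key instead of choosing the "best" one itself.
valid_keys_with_cap() {
    awk -F: -v cap="$1" '
        ($1 == "pub" || $1 == "sub") && $2 !~ /[deir]/ && index($12, cap) {
            print $5 "!"
        }
    '
}

# Emit "local-user <keyid>!" lines for gpg.conf, one per usable signing
# (sub)key, so that every signature is made with both the ECC and the
# non-ECC key.
local_user_lines() {
    valid_keys_with_cap s | sed 's/^/local-user /'
}

# Export every usable authentication (sub)key for authorized_keys(5).
# Not exercised below: it needs a real keyring. $1 is the key fingerprint.
export_ssh_keys() {
    gpg --with-colons --list-key "$1" | valid_keys_with_cap a \
        | xargs -I{} gpg --export-ssh-key {}
}

# Constructed sample listing (hypothetical key IDs): an RSA primary key with
# RSA sign/encrypt/auth subkeys, an *expired* Ed25519 auth subkey (validity
# "e") that must be skipped, and a current Ed25519 auth subkey (algorithm 22).
SAMPLE='tru::1:1514800000:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1400000000:::u:::scESCA::::::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::1400000000::0000000000000000000000000000000000000000::Simon Example <simon@example.org>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1400000000::::::s::::::23:
sub:u:4096:1:1111222233334444:1400000000::::::e::::::23:
sub:u:4096:1:5555666677778888:1400000000::::::a::::::23:
sub:e:256:22:9999AAAABBBBCCCC:1400000000:1420000000:::::a::::::23:
sub:u:256:22:DDDDEEEEFFFF0000:1514800000::::::a::::::23:'

sample_auth_keys()  { printf '%s\n' "$SAMPLE" | valid_keys_with_cap a; }
sample_sign_keys()  { printf '%s\n' "$SAMPLE" | valid_keys_with_cap s; }
sample_local_user() { printf '%s\n' "$SAMPLE" | local_user_lines; }

# Stand-alone run: show what would go into gpg.conf and which (sub)keys
# would be exported for authorized_keys(5).
sample_local_user
sample_auth_keys
```

On a real keyring, replace the sample with `gpg --with-colons --list-key "$FINGERPRINT"` (as `export_ssh_keys` does); the awk test `$2 !~ /[deir]/` is the readable form of the `[^deir:]*` validity check in the sed expression, and `index($12, cap)` is case-sensitive, so the primary key's uppercase whole-key capabilities (`ESCA`) never cause it to be exported as an SSH key unless the primary key itself carries a lowercase `a`.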
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users