"best" ed25519/curve25519 setup?

Guilhem Moulin guilhem at fripost.org
Mon Jan 1 19:33:31 CET 2018 

Hi Simon,

On Mon, 01 Jan 2018 at 14:28:34 +0100, Simon Josefsson wrote:
> I want to use ed25519/curve25519, but right now I have an offline
> master RSA key with three subkeys.  Does it work well to add new
> subkeys for Ed25519/Curve25519?  What is the user experience in
> various applications?  I'm thinking MUAs, SSH, git, gpg itself, and
> also more exotic approaches like K9Mail.

AFAICT multiple Ed25519/Curve25519 subkeys work fine, with the following
caveats:

  * You'll want to sign with both your Ed25519 and non-ECC (sub-)keys,
    otherwise non-ECC capable OpenPGP implementations won't be able to
    verify your data signatures.  You can do this by adding

        local-user $FINGERPRINT!
    
    for each (sub)key to sign with (note the trailing exclamation mark
    to specify the subkey).

  * You'll want to create your Curve25519 encryption subkey *after* the
    non-ECC one, as `gpg --encrypt --recipient $KEYID` only uses the
    most recent valid encryption-capable subkey, I think.  So if you
    have an older non-ECC encryption subkey, older gpg(1) will encrypt
    to it while ≥2.1 will use the Curve25519 encryption subkey.

  * You can use multiple authentication subkeys with gpg-agent's SSH
    agent emulation, but `gpg --export-ssh-key $KEYID` currently only
    exports the most recent authentication (sub)key, so you'll need to
    generate the relevant authorized_keys(5) for OpenSSH as follows:

       gpg --with-colons --list-key $FINGERPRINT \
       | sed -nr 's/^[ps]ub:[^deir:]*(:[^:]*){2}:([0-9a-fA-F]+)(:[^:]*){7}a.*/\2/p' \
       | xargs -I{} gpg --export-ssh-key {}\!

    (note the trailing exclamation mark to specify the subkey).  Recent
    OpenSSH's PubkeyAcceptedKeyTypes default value contain “ssh-ed25519,
    ssh-rsa” in that order so the Ed25519 (sub)key will be tried first.
    Older OpenSSH — that don't support Ed25519 — will fallback to the
    RSA (sub)key.

> The alternative for me of course is to create a brand new key, with an
> offline Ed25519 master key, plus some subkeys.  Has anyone done this,
> and can share their experience?

IMHO it's too early to use an Ed25519 master key in production, because
there are still a lot of legacy systems out there and that will make the
whole key unusable for encryption and verification.  It's fine to start
bring such key to KSPs to improve its reputation and have a less painful
key rollover later, though :-)

Cheers,
-- 
Guilhem.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20180101/c6d62ba8/attachment.sig>

More information about the Gnupg-users mailing list