"best" ed25519/curve25519 setup?

Simon Josefsson simon at josefsson.org
Tue Jan 23 09:01:25 CET 2018


Guilhem Moulin <guilhem at fripost.org> writes:

> Hi Simon,
>
> On Mon, 01 Jan 2018 at 14:28:34 +0100, Simon Josefsson wrote:
>> I want to use ed25519/curve25519, but right now I have an offline
>> master RSA key with three subkeys.  Does it work well to add new
>> subkeys for Ed25519/Curve25519?  What is the user experience in
>> various applications?  I'm thinking MUAs, SSH, git, gpg itself, and
>> also more exotic approaches like K9Mail.
>
> AFAICT multiple Ed25519/Curve25519 subkeys work fine, with the following
> caveats:
>
>   * You'll want to sign with both your Ed25519 and non-ECC (sub-)keys,
>     otherwise non-ECC capable OpenPGP implementations won't be able to
>     verify your data signatures.  You can do this by adding
>
>         local-user $FINGERPRINT!
>
>     for each (sub)key to sign with (note the trailing exclamation mark
>     to specify the subkey).

Have you noticed any problem with this approach?  I could imagine some
software might be equally confused by two signatures, or become confused
that GnuPG "under the hood" adds another signature.

>   * You'll want to create your Curve25519 encryption subkey *after* the
>     non-ECC one, as `gpg --encrypt --recipient $KEYID` only uses the
>     most recent valid encryption-capable subkey, I think.  So if you
>     have an older non-ECC encryption subkey, older gpg(1) will encrypt
>     to it while ≥2.1 will use the Curve25519 encryption subkey.

That is an important aspect, thank you!

>> The alternative for me of course is to create a brand new key, with an
>> offline Ed25519 master key, plus some subkeys.  Has anyone done this,
>> and can share their experience?
>
> IMHO it's too early to use an Ed25519 master key in production, because
> there are still a lot of legacy systems out there and that will make the
> whole key unusable for encryption and verification.  It's fine to start
> bringing such a key to KSPs to improve its reputation and have a less painful
> key rollover later, though :-)

I already have a good RSA-based master key setup:

  RSA offline master key
     RSA subkey for signature
     RSA subkey for decryption
     RSA subkey for authentication

So I'm thinking that my new setup should be 25519-based.

Would you want to use separate Curve25519 keys for authentication and
signatures?

So I guess the "perfect" setup for me would then be to add the following
new key:

  Ed25519 offline master key
     Ed25519 subkey for signature
     Curve25519 subkey for authentication
     Curve25519 subkey for decryption

?

I could adopt the middle way and continue to use my current RSA-based
key and a new Ed25519-based key, and have both algorithms available as
subkeys.

  RSA offline master key
     RSA subkey for signature
     RSA subkey for decryption
     RSA subkey for authentication
     Ed25519 subkey for signature
     Curve25519 subkey for authentication
     Curve25519 subkey for decryption

  Ed25519 offline master key
     RSA subkey for signature
     RSA subkey for decryption
     RSA subkey for authentication
     Ed25519 subkey for signature
     Curve25519 subkey for authentication
     Curve25519 subkey for decryption

I wonder if I should re-use the RSA subkeys from my current key into the
new one...  I suppose for SSH it would be useful, but for anything
OpenPGP-related it should be based on the master key id, right?

Algorithm migration is really tricky...

/Simon
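An added example, not part of the thread, that exercises both of Guilhem's caveats in a throwaway keyring: one `--local-user FPR!` per signing subkey gives one signature packet each, and `--encrypt --recipient` picks the newest valid encryption subkey. It assumes a gpg 2.1.17+ binary on PATH; the key, user ID and message are constructed test data.

```shell
#!/bin/sh
# Added example (not from the thread): in a throwaway keyring, show that
#  1. one --local-user "FPR!" per signing subkey yields one signature
#     packet each, so RSA-only verifiers can still check the RSA one;
#  2. --encrypt --recipient uses the newest valid encryption subkey, so a
#     cv25519 subkey created after the RSA one is the one gpg encrypts to.
# Everything here is a constructed, unprotected test key; ~/.gnupg is untouched.
set -eu

GNUPGHOME="$(mktemp -d)"; export GNUPGHOME
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT

G="gpg --batch --quiet --yes --pinentry-mode loopback --passphrase"
$G '' --quick-generate-key 'Test Key <test@example.invalid>' rsa2048 cert never
FPR="$(gpg --list-secret-keys --with-colons | awk -F: '$1=="fpr"{print $10; exit}')"

# Subkeys in the order Guilhem recommends: non-ECC first, 25519 afterwards.
$G '' --quick-add-key "$FPR" rsa2048 sign never
$G '' --quick-add-key "$FPR" rsa2048 encr never
sleep 1   # make the ECC encryption subkey strictly newer than the RSA one
$G '' --quick-add-key "$FPR" ed25519 sign never
$G '' --quick-add-key "$FPR" cv25519 encr never

# Fingerprint of the subkey with PGP algorithm $1 (1=RSA, 22=EdDSA) and capability $2.
subkey_fpr() {
  gpg --list-secret-keys --with-colons --with-subkey-fingerprint | awk -F: -v a="$1" -v c="$2" \
    '$1=="ssb"{ok=($4==a && index($12,c))} $1=="fpr"&&ok{print $10; ok=0}'
}

printf 'hello\n' >"$GNUPGHOME/msg"
# Sign with both subkeys; the trailing "!" pins the exact subkey.
gpg --batch --yes --detach-sign \
    --local-user "$(subkey_fpr 1 s)!" --local-user "$(subkey_fpr 22 s)!" \
    --output "$GNUPGHOME/msg.sig" "$GNUPGHOME/msg"
gpg --batch --yes --trust-model always --encrypt --recipient "$FPR" \
    --output "$GNUPGHOME/msg.gpg" "$GNUPGHOME/msg"

# Number of signature packets in the detached signature (expected: 2).
count_signature_packets() {
  gpg --list-packets "$GNUPGHOME/msg.sig" | grep -c '^:signature packet:'
}

# Public-key algorithm of the session-key packet: 18 = ECDH (cv25519), 1 = RSA.
chosen_encryption_algo() {
  gpg --list-packets "$GNUPGHOME/msg.gpg" |
    sed -n 's/^:pubkey enc packet: .*algo \([0-9]*\),.*/\1/p' | head -n 1
}

echo "signature packets: $(count_signature_packets), encryption algo: $(chosen_encryption_algo)"
```

Swapping the creation order of the two encryption subkeys (or dropping the `sleep`) is the quickest way to see the older-gpg behaviour Guilhem describes, where the RSA subkey is selected instead.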