Enforcing password complexity for private keys

Mike Gerwitz mtg at gnu.org
Sat May 4 04:24:54 CEST 2019


On Fri, May 03, 2019 at 15:44:26 +0200, Werner Koch wrote:
> Use ECC keys with Yubikeys or use a Gnuk based token like the original
> Gnuk token or one from another vendor like Nitrokey.  I use a GnuK
> token with an ed25519 signing key to sign my commits.  IMHO, token based
> 4k RSA keys are too slow for regular work.

FWIW I use a 4096 bit RSA key on a Nitrokey Pro (a model that's a couple
years old) and the total time of PIN entry + signing averages
~5s.  While it is certainly a noticeable delay, I don't find it
burdensome for operations like signing mail and commits, and I'll sign
sometimes dozens of times per day, with forced pinentry.

I'm not suggesting that RSA be used instead of ECC; my token just
doesn't support it.  But newer Nitrokeys do.  I'll likely switch
eventually.

-- 
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
GPG: D6E9 B930 028A 6C38 F43B  2388 FEF6 3574 5E6F 6D05
https://mikegerwitz.com