
change default keygen key type #760

Open
wants to merge 3 commits into base: latestw_all

Conversation

tgauth
Collaborator

@tgauth tgauth commented Nov 5, 2024

PR Summary

  • change default key type to ecdsa

@panekj

panekj commented Nov 6, 2024

What is the reason to downgrade from a better key type to the NIST one, especially since ECDSA isn't a popular choice at all?

@tgauth tgauth requested a review from TravisEz13 November 12, 2024 19:07
@tgauth
Collaborator Author

tgauth commented Nov 15, 2024

What is the reason to downgrade from a better key type to the NIST one, especially since ECDSA isn't a popular choice at all?

OpenSSH's ed25519 is currently hardcoded to OpenSSH's implementation, rather than being routed to OpenSSL, making it much harder to FIPS certify.
As far as CNSA (https://media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF) is concerned, the recent update of the default key from RSA 3072 to ed25519 was a downgrade, and the equivalent ECC-based signature should be at least ECDSA P-384.
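The comment above argues from the CNSA 2.0 thresholds (RSA with a 3072-bit or larger modulus, ECDSA on P-384; Ed25519 and P-256 are not listed). The following is an added example, not code from this PR or from Win32-OpenSSH, that makes that policy checkable: it parses OpenSSH public-key lines (the `authorized_keys` / `id_*.pub` format) down to the wire-format blob, extracts the RSA modulus size or the ECDSA curve name, and reports whether each key meets the CNSA 2.0 thresholds. The sample keys are constructed dummy blobs built inline with the correct framing (not real key material), and the helper names are this example's own.

```python
import base64
import struct

# CNSA 2.0 signature thresholds as cited in the thread: RSA >= 3072 bits, ECDSA P-384 only.
# Ed25519 and P-256 are absent from the list, so they are reported as non-compliant.
MIN_RSA_BITS = 3072
ALLOWED_ECDSA_CURVES = {"nistp384"}


def _put_string(b: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _put_mpint(n: int) -> bytes:
    """SSH wire 'mpint': two's-complement big-endian, leading 0x00 if the top bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _put_string(raw)


def _get_string(blob: bytes, off: int):
    """Read one SSH 'string' at offset off; returns (bytes, new_offset)."""
    (n,) = struct.unpack_from(">I", blob, off)
    off += 4
    if off + n > len(blob):
        raise ValueError("truncated SSH string")
    return blob[off:off + n], off + n


def parse_public_key_line(line: str):
    """Return (key_type, detail) for an OpenSSH public-key line.

    detail is the modulus bit length for ssh-rsa, the curve name for ecdsa-sha2-*,
    and None for ssh-ed25519.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    wire_type, off = _get_string(blob, 0)
    if wire_type.decode("ascii") != key_type:
        raise ValueError("key type prefix does not match blob")
    if key_type == "ssh-rsa":
        _e, off = _get_string(blob, off)        # public exponent (unused here)
        n_raw, off = _get_string(blob, off)     # modulus
        return key_type, int.from_bytes(n_raw, "big").bit_length()
    if key_type.startswith("ecdsa-sha2-"):
        curve, off = _get_string(blob, off)
        curve = curve.decode("ascii")
        if key_type != "ecdsa-sha2-" + curve:
            raise ValueError("curve name does not match key type")
        _point, off = _get_string(blob, off)
        return key_type, curve
    if key_type == "ssh-ed25519":
        pk, off = _get_string(blob, off)
        if len(pk) != 32:
            raise ValueError("ed25519 public key must be 32 bytes")
        return key_type, None
    raise ValueError("unsupported key type: " + key_type)


def cnsa_compliant(line: str) -> bool:
    """True if the key's algorithm and size satisfy the CNSA 2.0 thresholds above."""
    key_type, detail = parse_public_key_line(line)
    if key_type == "ssh-rsa":
        return detail >= MIN_RSA_BITS
    if key_type.startswith("ecdsa-sha2-"):
        return detail in ALLOWED_ECDSA_CURVES
    return False  # ssh-ed25519 (and anything else) is not on the CNSA list


def _fake_key_line(key_type: str, body: bytes, comment: str) -> str:
    """Build a syntactically valid public-key line from a constructed blob (dummy data)."""
    blob = _put_string(key_type.encode("ascii")) + body
    return f"{key_type} {base64.b64encode(blob).decode('ascii')} {comment}"


# Constructed sample keys: correct framing, placeholder key material.
SAMPLE_KEYS = {
    "ed25519":  _fake_key_line("ssh-ed25519", _put_string(bytes(32)), "constructed"),
    "p256":     _fake_key_line("ecdsa-sha2-nistp256",
                               _put_string(b"nistp256") + _put_string(b"\x04" + b"\x01" * 64),
                               "constructed"),
    "p384":     _fake_key_line("ecdsa-sha2-nistp384",
                               _put_string(b"nistp384") + _put_string(b"\x04" + b"\x02" * 96),
                               "constructed"),
    "rsa2048":  _fake_key_line("ssh-rsa", _put_mpint(65537) + _put_mpint((1 << 2047) | 1), "constructed"),
    "rsa3072":  _fake_key_line("ssh-rsa", _put_mpint(65537) + _put_mpint((1 << 3071) | 1), "constructed"),
}


def audit(lines) -> dict:
    """Map each sample name to its CNSA 2.0 verdict."""
    return {name: cnsa_compliant(line) for name, line in lines.items()}


if __name__ == "__main__":
    for name, ok in audit(SAMPLE_KEYS).items():
        print(f"{name:8s} {'compliant' if ok else 'NOT compliant'}")
```

Run over a real `authorized_keys` file by passing each line to `cnsa_compliant`. A key that satisfies the checker can be generated with `ssh-keygen -t ecdsa -b 384`; note that the PR's "default type" change only affects what `ssh-keygen` does when no `-t` is given, so an audit like this is still the way to catch existing keys that fall below the threshold.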
