Re: [patch] ssh-keygen(1): generate Ed25519 keys when invoked without arguments



On 04.09.23 16:43, Joseph S. Testa II wrote:
> What I'm hearing in this thread is: "a minority of people on planet
> Earth have a problem with the open-source implementation of ED25519,
> but instead of letting that minority choose to re-implement it when/if
> they want to, the rest of the community needs to stall their progress
> in improving security."
>
> I very often see IT personnel and developers simply use the default
> options for ssh-keygen.  They just don't care/don't know to care.
> Switching the default to ED25519 would bring the equivalent security
> up from 112-bits to 128-bits (as 2048-bit RSA is equivalent to 112-bits
> of symmetric strength), which would be a nice improvement for the
> community at large.

If what you want is an "improvement for the community at large", you should advocate to have a nonspecific ssh-keygen invocation generate a keypair for the *two* most useful crypto schemes. I still fondly (not!!) remember the morning we found that a certain distrib had panicked and shipped nightly updates to disable the "broken!!" (not quite yet) ECDSA scheme; I was the only sysadmin here who not only had available, but also *distributed* his RSA pubkey along with the "more modern" ECDSA one.

(Since I often stumble over systems where it's "RSA or stay out!", I currently urge people around here to use both 4+k RSA and ED25519. Few listen, alas. :-/ )

Kind regards,
Jochen Bern

Binect GmbH

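Both the 112- versus 128-bit comparison in the quoted message and the reply's advice to keep (and distribute) a 4k-bit-or-larger RSA key alongside an Ed25519 key come down to knowing which key types and sizes are actually deployed. The script below is an added example for this thread, not code from OpenSSH or from either poster. It decodes the RFC 4253 wire format inside the base64 blob of authorized_keys or *.pub lines using only the Python standard library, reports type and bit size per key, applies a policy that is this example's own assumption (Ed25519, or RSA of at least 3072 bits, the NIST SP 800-57 size on par with Ed25519's 128-bit strength), and checks whether the RSA-4096 + Ed25519 pairing is present. The key lines it runs on are constructed placeholders, not real keys.

```python
"""Audit OpenSSH public-key lines (authorized_keys or id_*.pub) by type and size.
Added example for this thread, not code from OpenSSH or from any poster. It decodes
the RFC 4253 wire format inside the base64 blob with the stdlib only (no ssh-keygen
needed on the auditing host). The policy below is this example's assumption."""
import base64
import struct

# NIST SP 800-57 Part 1: RSA-2048 ~ 112-bit symmetric strength, RSA-3072 ~ 128-bit,
# which is the level Ed25519 provides; 3072 is therefore the RSA floor used here.
MIN_RSA_BITS = 3072
KNOWN_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
               "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

def _read_string(blob: bytes, offset: int) -> tuple[bytes, int]:
    """Read one RFC 4253 'string': uint32 big-endian length, then that many bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated string field")
    return blob[offset + 4:end], end

def describe_key(line: str) -> dict:
    """Return {'type', 'bits', 'comment'}; leading authorized_keys options are skipped."""
    tokens = line.split()
    idx = next((i for i, t in enumerate(tokens) if t in KNOWN_TYPES), None)
    if idx is None or idx + 1 >= len(tokens):
        raise ValueError("no recognised key type and blob on line")
    ktype = tokens[idx]
    blob = base64.b64decode(tokens[idx + 1], validate=True)
    inner, off = _read_string(blob, 0)
    if inner != ktype.encode():
        raise ValueError(f"blob says {inner!r}, line says {ktype}")
    if ktype == "ssh-rsa":                      # mpint e, mpint n: size is that of n
        _e, off = _read_string(blob, off)
        n, off = _read_string(blob, off)
        bits = int.from_bytes(n, "big").bit_length()
    elif ktype == "ssh-ed25519":                # string A, always 32 bytes
        pk, off = _read_string(blob, off)
        if len(pk) != 32:
            raise ValueError("Ed25519 public key must be 32 bytes")
        bits = 256
    else:                                       # ecdsa: string curve name, string point
        curve, off = _read_string(blob, off)
        bits = int(curve.decode("ascii")[len("nistp"):])
    return {"type": ktype, "bits": bits, "comment": " ".join(tokens[idx + 2:])}

def evaluate(info: dict) -> tuple[bool, str]:
    """Example policy: Ed25519 passes; RSA passes at >= MIN_RSA_BITS; all else is flagged."""
    ktype, bits = info["type"], info["bits"]
    if ktype == "ssh-ed25519" or (ktype == "ssh-rsa" and bits >= MIN_RSA_BITS):
        return True, "ok"
    if ktype == "ssh-rsa":
        return False, f"RSA-{bits} is below the {MIN_RSA_BITS}-bit floor; rotate the key"
    return False, f"{ktype} is outside the Ed25519/RSA policy; review manually"

def audit(lines) -> list[dict]:
    """Parse and evaluate every key line; blank lines and '#' comments are skipped."""
    report = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            info = describe_key(line)
            ok, reason = evaluate(info)
        except ValueError as exc:               # binascii.Error is a ValueError subclass
            info, ok, reason = {"type": "invalid", "bits": 0, "comment": ""}, False, str(exc)
        report.append({**info, "ok": ok, "reason": reason})
    return report

def has_both_recommended(lines, rsa_bits: int = 4096) -> bool:
    """True when an Ed25519 key and an RSA key of >= rsa_bits are both present."""
    parsed = audit(lines)
    return (any(k["type"] == "ssh-ed25519" for k in parsed) and
            any(k["type"] == "ssh-rsa" and k["bits"] >= rsa_bits for k in parsed))

# --- constructed sample data: valid wire structure around placeholder values, NOT real keys
def _put_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data

def _put_mpint(value: int) -> bytes:
    # minimal big-endian two's complement; a 0x00 pad byte is needed when the top bit is set
    return _put_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))

def _fake_line(ktype: str, payload: bytes, comment: str) -> str:
    blob = _put_string(ktype.encode()) + payload
    return f"{ktype} {base64.b64encode(blob).decode()} {comment}"

def _fake_rsa_line(bits: int, comment: str) -> str:
    # dummy modulus with exactly `bits` bits (top and lowest bit set); no private half exists
    return _fake_line("ssh-rsa", _put_mpint(65537) + _put_mpint((1 << (bits - 1)) | 1), comment)

SAMPLE_AUTHORIZED_KEYS = [
    "# constructed authorized_keys for the example",
    _fake_rsa_line(2048, "legacy-default@laptop"),
    _fake_rsa_line(4096, "jochen@rsa"),
    _fake_line("ssh-ed25519", _put_string(bytes(range(32))), "jochen@ed25519"),
    'no-pty,command="/usr/bin/rrsync /backup" ' + _fake_rsa_line(3072, "backup@host"),
    "ssh-rsa AAAA truncated-blob@host",
]
```

Run it against a real file with `audit(open(path).read().splitlines())`; the only line the example policy fails in the sample set is the 2048-bit key that a default `ssh-keygen` invocation produces, which is the point of the quoted message, while `has_both_recommended` reports whether the RSA-4096 + Ed25519 pairing from the reply is in place. `ssh-keygen -l -f <file>` prints the same bit count and type per key and can be used to cross-check the parser where it is installed.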

openssh-unix-dev mailing list


