
ed25519 keys

Open kjkent opened this issue 3 years ago • 3 comments

This guide is phenomenal -- a real source of valuable, concise info.

With the introduction of ed25519 support in Yubikeys made from 2020, are there any plans to include them/replace the RSA keys in this guide? Just curious.

kjkent commented Jul 16 '22 23:07

I think the guide should have a section on choosing your key type rather than defaulting to ed25519. A discussion on the differences of RSA, ECDSA and ed25519 and the other variants would be beneficial to some but a right turn-off for many beginners.

Many people buy second hand Yubikeys (notably the Yubikey 4 and neo varieties) off eBay not knowing the difference.

RSA is the lowest common denominator (and the default for most organisations using PIV mode).

Although ed25519 has many benefits including speed, size and probably being harder to crack, it is still considered NEW (“Danger Will Robinson”), as some consider it too new for any cracks to be found. I personally prefer ed25519 for most applications.

There is also the other issue of the real world not really keeping up with the technology. Routers often aren’t replaced for several years (sometimes even decades on government networks) and many of those are stuck with either RSA or DSA. The same goes for older servers stuck on old OS versions because “the application breaks if we upgrade the OS”.

The choice of RSA is a safe choice for beginners. But once they know a little more about cryptography and how it is used, and more importantly what is supported in the user's organisation, then we should encourage them to consider better cryptography if feasible.


iandstanley commented Jul 17 '22 18:07

Great points!

Edit: Always a fan of a Lost In Space reference. ;)

kjkent commented Jul 18 '22 00:07

I think at a minimum it would be good to mention it as an option. The YubiKey docs link here and I had to go looking to find out if it's supported. Many people probably aren't up to date with all the product releases.

xaocon commented Aug 04 '22 19:08

Until there's a known problem with RSA, I see no need for changes. Certainly PRs are welcome to educate readers on the general crypto primitives and differences between algorithms.

drduh commented Dec 26 '22 19:12