=== lukedashjr is now known as luke-jr | ||
gevreeen | could we use ed25519 keys now on launchpad? | 08:50 |
---|---|---|
gevreeen | (and staging?) | 08:54 |
gevreeen | also, does launchpad plans to offer ed25519 host keys, sarnold? | 09:08 |
gevreeen | to be added here > https://help.launchpad.net/SSHFingerprints only rsa shown | 09:08 |
cjwatson | gevreeen: sarnold isn't on the Launchpad team. Yes, you can use Ed25519 keys. No immediate plans to offer Ed25519 host keys - that's relatively minor by comparison with sorting out user keys | 10:55 |
cjwatson | And RSA isn't broken if you're using it with SHA-2 signatures, so it isn't a pressing security concern | 10:56 |
cjwatson | (don't get me wrong, sarnold is very helpful, it's just not fair to ask him about plans that he can't really be in a position to know) | 10:57 |
gevreeen | ah, it was him last time who promised oncoming ed25519 support while denying such to ed448. sorry for bothering both of you on the matter | 11:29 |
cjwatson | I think he was just relaying stuff I'd said | 12:19 |
cjwatson | I don't mind being bothered about it, just wanted to make sure you were bothering the right person :) | 12:20 |
gevreeen | cjwatson: I just took a look at the section of windows registry documenting my putty config, which essentially gives KEX as "ecdh,rsa,WARN,dh-gex-sha1,dh-group14-sha1,dh-group1-sha1" | 15:16 |
gevreeen | maybe I should talk to putty devs instead, but offering ed25519 (or perhaps ed448/nistp521) as a side option does help (gitlab and github already offers ed25519 hostkey) | 15:17 |
tomreyn | "WARN" is an interesting key exchange algorithm. :) | 16:14 |
gevreeen | tomreyn: anything to the right of WARN will generate a warning dialog in putty | 16:14 |
gevreeen | dare not remove then for fear of breaking the program | 16:15 |
tomreyn | i see, didn't know how putty works there. | 16:15 |
gevreeen | s/then/them/ | 16:15 |
tomreyn | I could agree that it's a bit of a problem that the only supported host keys on git.launchpad.net provide less than 128 bits of security. | 16:39 |
tomreyn | using a >= 3072-bit modulus would help there | 16:40 |
tomreyn | other than that, rsa is still fine. | 16:40 |
tomreyn | (though it's usually good to support more than a single non-weak host key type, kex algorithm, cipher and mac) | 16:42 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!