[Sugar-devel] [PATCH 2/2 sugar] Create new owner keys as RSA keys instead of DSA

Sascha Silbe sascha-ml-reply-to-2011-4 at silbe.org
Tue Nov 15 10:30:47 EST 2011


Excerpts from Samuel Greenfeld's message of 2011-11-15 15:23:58 +0100:

> Has anyone in the security field (such as Ivan Krstić) reviewed this
> proposal?  Are there any potential performance impacts by switching key
> types for slower systems such as the XO-1?

A few quick tests have shown no significant differences in ssh-keygen
runtime (if anything RSA key generation is faster). As stated before, no
other piece of code does cryptographic operations with the key, so
there's neither a performance impact nor a need for an independent
security review for the two patches. The most important cryptographic
open source tools (GnuPG, SSH, Mozilla NSS) default to using RSA keys,
so using RSA keys for future cryptographic operations in Sugar is a
reasonable choice.

I wouldn't mind if anyone asked Ivan Krstić, Bruce Perens or any other
reputable computer security expert for their opinion, of course.


> We may also want to support handling an ECDSA SSH key if we see one,
> although generating one may not always be possible (some distributions
> remove this algorithm due to patent concerns).

ECC is out of scope for this patch. The purpose is to make the key
compatible with more software, not less. ECC support in most
cryptographic toolkits ranges from experimental to non-existent.
 
Sascha

-- 
http://sascha.silbe.org/
http://www.infra-silbe.de/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: not available
URL: <http://lists.sugarlabs.org/archive/sugar-devel/attachments/20111115/694e8b36/attachment.pgp>


More information about the Sugar-devel mailing list