🍾 I released the corresponding #Java bindings for #WinSparkle 0.9.0. WinSparkle now supports #EdDSA #signatures! This is a long-awaited change, as DSA signatures are considered deprecated. #Java22
https://central.sonatype.com/search?q=winsparkle-java&smo=true&namespace=org.purejava
thought it might be nice to sign #sphinx releases with #minisign and #ssh #eddsa keys, straight outta sphinx. minisign #privkeys are okish (they do need 40 B of entropy, 8 extra for a "keyid"). but did you know, that in ssh the public key is stored 3x in the ed25519 private #key? one time i can understand (could be 0 though), but 3 times? what have they been drinking? #fileformats
@xtexChooser There is an article on djb how to construct #EdDSA. It may help you understand why it's that shape.
https://blog.cr.yp.to/20140323-ecdsa.html
Network Security Services (#NSS) 3.99 was tagged and released on
15th March 2024.
Among others,
- Bug 1325335 - Adding #EdDSA implementation.
https://bugzilla.mozilla.org/show_bug.cgi?id=1325335
Big thanks to Anna Weine (nkulatova) for working on this!
@todd_a_jacobs@ruby.social @letsencrypt To clarify, there are some 3rd party apps that are outdated or non-FOSS SMTP/IMAP clients, but nothing that really handles @GnuPG directly on either #iOS or #iPadOS. On the other hand, S/MIME is widely supported but less safe since it's not stored on a tamper-resistant and removable smart card, but at least it would integrate with Apple Mail and others.
It's the fact that getting an S/MIME certificate that is signed by a widely-used certificate authority is more costly than it's worth. I'd really prefer to use #GnuPG with either attestation credentials or an #EDDSA signing key on an external token like a #Yubikey
I can't be the only person who's wondered about this, but I can't find a lot of how-tos about this particular use case. Whether S/MIME or PGP/MIME, how are you supposed to integrate the on-token certificate? If that's a no-op because of Apple's walled garden, then where are people getting their S/MIME-specific certificates without having to ask recipients to trust self-signed keys?
Y qué loco, ahora hablando sobre #EdDSA, un algoritmo que recomendé hace poco para la generación de claves asimétricas en SSH.
No lo vieron? 👇 👇 👇
https://youtu.be/qgtuWWd35mY
#infosec #vulnerability
#Buffer_overflow in #SHA3 #SHAKE #Keccak and #XKCP #hash functions. Some versions of #EdDSA are impacted too 😟
Having issues with GitHub atm, account flagged, but I jotted down the commands to create a secure #EdDSA #PGP key. It requires #Ed25519 for cert, sign, and auth keys and #Curve25519 for encryption.
Strictly speaking you don’t require the auth key for your use case, it’s mostly useful only for SSH.
But this is the correct way to create a secure EdDSA key.
It’s also of note that it is the default setup for latest Kleopatra.
Here’s the link, feel free to drop it in the thread for further discussion:
https://telegra.ph/Best-practice-for-generating-a-secure-PGP-key-EdDSA-11-25
RFC 8410: Algorithm Identifiers for Ed25519, Ed448, X25519, and X448 for Use in the Internet X.509 Public Key Infrastructure
Ce #RFC spécifie l'utilisation des #courbesElliptiques #Curve25519 et Curve448 dans PKIX, c'est-à-dire dans les certificats utilisés notamment pour TLS. Il réserve des identifiants pour les algorithmes, comme Ed25519.
That's a fantastic crypto library that I can use: it has generate_keys(), sign(), verify(). No deps. No configuration.
Je dois générer une clé ssh pour une nouvelle machine.
La dernière fois j'ai fait :
$ ssh-keygen -t rsa -b 8192
Mais il me semble qu'il est plutôt conseillé d'utiliser des clés ed25519 (implémentation de EdDSA si j'ai bien suivi).
On peut générer simplement avec un :
$ ssh-keygen -t ed25519
Et on aura ce qu'il se fait de mieux en matière de sécurité à ce niveau là ?
(ping @aeris ?)
Edward Curves are not without defaults...
https://research.kudelskisecurity.com/2017/10/04/defeating-eddsa-with-faults/
