Thanks Rob,
No EC certificates for now :(
Winfried
On 18-11-2024 at 15:10, Rob Crittenden via FreeIPA-users wrote:
Winfried de Heiden via FreeIPA-users wrote:
Hi all,
Previously, in another post, I mentioned slowness using Aventra MyEID PKI cards for login, sudo etc.
I tried another solution, using EC (Elastic Curve) keys. Speed should benefit, since EC keys are much smaller, keeping the same degree of security. Shorter key = loading faster.
However, it seems FreeIPA will not accept an EC key, only RSA, when trying to sign an EC CSR?
Would it be possible though to use Elastic Curve certificates?
ECC is not yet supported in IPA. We have an old issue, https://pagure.io/freeipa/issue/3951 , for this but it is still blocked by the things mentioned in the ticket (LWCA).
We had de-prioritized this because early thinking post-quantum was that ECC certificates would be more easily broken due to their smaller key size.
This is being re-evaluated so it's possible that ECC could be supported. The when is not clear. It will take a while though.
rob