Hi all,
Previously, in another post, I mentioned slowness using Aventra MyEID PKI cards for login, sudo etc.
I tried another solution, using EC (Elastic Curve) keys. Speed should benefit, since EC keys are much smaller, keeping the same degree of security. Shorter key = loading faster.
However, it seems FreeIPA will not accept an EC key, only RSA, when trying to sign an EC CSR?
Would it be possible though to use Elastic Curve certificates?
Thanks!
Winfried
Winfried de Heiden via FreeIPA-users wrote:
> Hi all,
> Previously, in another post, I mentioned slowness using Aventra MyEID PKI cards for login, sudo etc.
> I tried another solution, using EC (Elastic Curve) keys. Speed should benefit, since EC keys are much smaller, keeping the same degree of security. Shorter key = loading faster.
> However, it seems FreeIPA will not accept an EC key, only RSA, when trying to sign an EC CSR?
> Would it be possible though to use Elastic Curve certificates?
ECC is not yet supported in IPA. We have an old issue, https://pagure.io/freeipa/issue/3951 , for this but it is still blocked by the things mentioned in the ticket (LWCA).
We had de-prioritized this because early thinking post-quantum was that ECC certificates would be more easily broken due to their smaller key size.
This is being re-evaluated, so it's possible that ECC could be supported. The when is not clear. It will take a while though.
rob
Thanks Rob,
No EC certificates for now :(
Winfried
On 18-11-2024 at 15:10, Rob Crittenden via FreeIPA-users wrote:
> ECC is not yet supported in IPA. We have an old issue, https://pagure.io/freeipa/issue/3951 , for this but it is still blocked by the things mentioned in the ticket (LWCA).
> We had de-prioritized this because early thinking post-quantum was that ECC certificates would be more easily broken due to their smaller key size.
> This is being re-evaluated, so it's possible that ECC could be supported. The when is not clear. It will take a while though.
> rob
I think it should be possible to issue ECC certs to users - but you would need to modify the certificate profile or (more sensibly) create a separate profile that allows EC keys.
Cheers, Fraser
On Mon, Nov 18, 2024 at 03:33:01PM +0100, Winfried de Heiden via FreeIPA-users wrote:
> Thanks Rob,
> No EC certificates for now :(
> Winfried