ed25519-sk vs. gpg-agent on Yubikey

Question

According to my understanding of this document, Yubikey is capable of running ed25519-sk and gpg-agent.

Which one is more secure? Obviously, ed25519-sk wouldn't work, if the SSH server is old, but other than that, is there any downside of using ed25519-sk vs. gpg-agent?

This seems like a similar question to this one: https://security.stackexchange.com/questions/264365/what-are-the-security-implications-of-using-gpg-instead-of-ssh-keys-for-authenti/264851#264851 — mricon, Oct 11 '22 at 19:24

Polynomial · Answer 1 · 2022-09-11T18:36:17.230

1

As of 2022, you should prefer Ed25519 wherever possible.

The only scenarios where other signature algorithms might be preferred over Ed25519 are:

You are legally or contractually prohibited from using Ed25519, e.g. for regulatory reasons (like FIPS).
The systems you need to interact with do not support Ed25519.

If you'd like a more in-depth evaluation of the options, I recommend Soatok's guide to digital signature algorithms (2020) and guidance for elliptic curve signature algorithms (2022).

edited Sep 11 '22 at 18:36

answered Sep 09 '22 at 18:58

Polynomial

133,763
43
302
380

A downvote is only useful if it comes with an explanatory comment. – Polynomial Sep 11 '22 at 18:32

ed25519-sk vs. gpg-agent on Yubikey

1 Answers1