[RFC] self-signed certificates for LuCI

Stijn Tintel stijn at linux-ipv6.be
Mon Aug 31 06:20:52 EDT 2020


On 30/08/2020 10:57, Paul Spooren wrote:
> The question came up if we really want RSA certificates for LuCI or if
> the faster and "more modern" ECC P-256 wouldn't be a better choice.
>
> If px5g is added to the next release, certificates are generated on
> first boot and most users are unlikely to manually recreate RSA ones,
> not?
>
> So the question, shouldn't we drop all crypto options from the new
> px5g implementation and _only_ offer P-256? Whoever wants something
> else than the default may use px5g-mbedtls or some OpenSSL based tool? 

I'm no expert, but I recently came across this article:
https://gravitational.com/blog/comparing-ssh-keys/
While it is about SSH keys, it talks mostly about algorithms used, and
the article suggests using either RSA or Ed25519, not DSA or ECDSA.
Additionally, https://safecurves.cr.yp.to/ claims neither P-256 nor
P-384 is safe.

Based on this information, I would NAK this. Unless an expert proves me
wrong.

Stijn