From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: Konstantin Ryabitsev <mricon@kernel.org>
Cc: "Greg KH" <gregkh@linuxfoundation.org>,
"Uwe Kleine-König" <ukleinek@kernel.org>,
users@kernel.org, ksummit@lists.linux.dev
Subject: Re: Web of Trust work [Was: kernel.org tooling update]
Date: Fri, 23 Jan 2026 16:38:09 -0500
Message-ID: <9a79af1ac57b49dcaeed85c365039c6566e9ddaf.camel@HansenPartnership.com>
In-Reply-To: <20260123-provocative-tungsten-curassow-cc2aac@lemur>
On Fri, 2026-01-23 at 13:23 -0500, Konstantin Ryabitsev wrote:
> - We're limited to PGP only, but it would be nice to also support
> something like fido2 ssh key signatures.
Just trying to understand what you mean here: the FIDO2 ssh
implementation is really nothing more than a key that provides a
signature created by the token. In fact FIDO2 keys are pretty similar
to TPM keys in that they can either be token resident or stored as
files (which are wrapped so only the token can decrypt them) and loaded
into the token for signature. Unlike a TPM, FIDO2 is a bit more
algorithm poor (most only support P256 although some of the later
devices do 25519) but the elliptic curve algorithms they do support are
sufficient for gpg to use them. The huge downside of FIDO2 is that
unlike a TPM it can't import keys, so this means every key would be
newly created. However, it could still be used by gpg for newly
created signing and encryption subkeys (you'd have to keep your master
key as a keyfile unless you want to create a new master key).

I do know how to plumb this into gpg, because it would be the same
places as TPM support went. However, realistically, without the
ability to import existing keys, it would provide a less easy (and
likely less secure, given you need your master key to sign other keys)
experience than just using the existing gpg TPM2 support, so why not
simply use that?

Regards,
James
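The message above contrasts FIDO2 ssh keys (token-bound, P-256 or Ed25519 only) with TPM keys. OpenSSH marks FIDO2-backed public keys with the `sk-` key-type prefix (`sk-ssh-ed25519@openssh.com`, `sk-ecdsa-sha2-nistp256@openssh.com`) and appends the FIDO application string, normally `ssh:`, to the key blob. The following script is an added example, not code from the thread or from kernel.org; it parses authorized_keys-style lines, reports which keys are token-backed and on which curve, and summarizes a key inventory so an administrator can see how many signers would actually be covered by a FIDO2-only policy. The sample keys are constructed in the script (the key material is filler bytes, not real tokens); the function names are this example's own.

```python
import base64
import struct
from collections import Counter

# OpenSSH key types whose private half lives in (or is wrapped to) a FIDO2 token.
FIDO_KEY_TYPES = {
    "sk-ssh-ed25519@openssh.com": "ed25519",
    "sk-ecdsa-sha2-nistp256@openssh.com": "nistp256",
}


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire 'string': 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(blob: bytes, off: int):
    """Decode one SSH wire 'string' at offset, returning (bytes, next_offset)."""
    if off + 4 > len(blob):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", blob, off)
    off += 4
    if off + n > len(blob):
        raise ValueError("truncated ssh string")
    return blob[off:off + n], off + n


def build_pubkey_line(key_type: str, fields, comment: str) -> str:
    """Assemble a public-key line from its wire fields (used here to construct samples)."""
    blob = _ssh_string(key_type.encode()) + b"".join(_ssh_string(f) for f in fields)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


def parse_pubkey_line(line: str) -> dict:
    """Parse one authorized_keys-style line into type, curve, token-backing and application."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode() != key_type:
        # The text type and the type inside the blob must agree; a mismatch is a malformed key.
        raise ValueError("key type mismatch between text and blob")
    info = {"type": key_type, "hardware_backed": key_type in FIDO_KEY_TYPES,
            "curve": None, "application": None, "comment": " ".join(parts[2:])}
    if key_type == "sk-ssh-ed25519@openssh.com":
        _pk, off = _read_string(blob, off)          # 32-byte Ed25519 public key
        app, off = _read_string(blob, off)          # FIDO application, e.g. "ssh:"
        info["curve"], info["application"] = "ed25519", app.decode()
    elif key_type == "sk-ecdsa-sha2-nistp256@openssh.com":
        curve, off = _read_string(blob, off)        # curve name
        _q, off = _read_string(blob, off)           # uncompressed EC point Q
        app, off = _read_string(blob, off)
        info["curve"], info["application"] = curve.decode(), app.decode()
    elif key_type == "ssh-ed25519":
        _pk, off = _read_string(blob, off)
        info["curve"] = "ed25519"
    elif key_type.startswith("ecdsa-sha2-"):
        curve, off = _read_string(blob, off)
        _q, off = _read_string(blob, off)
        info["curve"] = curve.decode()
    elif key_type == "ssh-rsa":
        _e, off = _read_string(blob, off)
        n, off = _read_string(blob, off)
        info["bits"] = len(n.lstrip(b"\x00")) * 8   # modulus size in bits
    if off != len(blob):
        raise ValueError("trailing bytes after public key")
    return info


def audit_keys(lines) -> dict:
    """Count token-backed vs file-only keys and the curves in use across an inventory."""
    infos = [parse_pubkey_line(l) for l in lines if l.strip() and not l.startswith("#")]
    return {
        "total": len(infos),
        "hardware_backed": sum(i["hardware_backed"] for i in infos),
        "curves": dict(Counter(i["curve"] for i in infos if i["curve"])),
    }


def sample_keys():
    """Constructed sample inventory: filler key material, not real public keys."""
    ed_pk = bytes(range(32))
    p256_q = b"\x04" + bytes(64)
    rsa_n = b"\x00" + b"\xff" * 256  # 2048-bit modulus with leading zero pad
    return [
        build_pubkey_line("sk-ssh-ed25519@openssh.com", [ed_pk, b"ssh:"], "alice@token"),
        build_pubkey_line("sk-ecdsa-sha2-nistp256@openssh.com", [b"nistp256", p256_q, b"ssh:"], "bob@token"),
        build_pubkey_line("ssh-ed25519", [ed_pk], "carol@laptop"),
        build_pubkey_line("ssh-rsa", [b"\x01\x00\x01", rsa_n], "dave@old-laptop"),
    ]


if __name__ == "__main__":
    for line in sample_keys():
        print(parse_pubkey_line(line))
    print(audit_keys(sample_keys()))
```

Run it against a real `authorized_keys` or `allowed_signers`-derived key list by feeding the lines to `audit_keys`; any key whose type is not `sk-` is file-resident and, per the message above, could not be migrated into a FIDO2 token without generating a new key.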