by enasterosophes 1485 days ago
Something else that is quite nice is that you can switch to certificate auth and use your YubiKey to protect an ed25519-sk certificate authority.

How does that work, do you know a good tutorial for this?
I made my own CA for this because nothing else could provide transparency regarding certificate issuance (whether an attacker issued a "spare" backdoor certificate).

- source code: https://github.com/silentsignal/zsca

- my talk about the design and results: https://pretalx.hsbp.org/camppp7e5/talk/D3E9HN/

Look for a tutorial on SSH certificate auth, and use ed25519-sk keys for the CA.
But PIV only supports keys up to 2048 bits. :<
I didn't say anything about PIV. The article I was replying to is talking about sk keys, and so am I.
this.
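
An added example, not part of any comment above: a check that every CA key a server trusts for SSH certificate auth really is an ed25519-sk key, as the thread recommends for the CA. It assumes the CA public keys are listed one per line in the file named by sshd's `TrustedUserCAKeys` option; the function names and the sample lines are constructed for illustration.

```python
import base64
import struct

SK_ED25519 = "sk-ssh-ed25519@openssh.com"  # wire name of an ed25519-sk key

def _string(buf, off):
    """Read one SSH wire 'string' (uint32 length + bytes) starting at off."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_sk_pubkey(blob):
    """Return (key_type, application); raise ValueError unless ed25519-sk."""
    raw, off = _string(blob, 0)
    ktype = raw.decode("ascii", "replace")
    if ktype != SK_ED25519:
        raise ValueError("not an ed25519-sk key: " + ktype)
    pk, off = _string(blob, off)    # 32-byte Ed25519 public key
    app, off = _string(blob, off)   # FIDO application string, e.g. "ssh:"
    if len(pk) != 32 or off != len(blob):
        raise ValueError("malformed ed25519-sk blob")
    return ktype, app.decode("utf-8", "replace")

def audit_trusted_ca_keys(text):
    """Return [(line_no, ok, detail)] for each key line of the CA file."""
    results = []
    for no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        try:
            blob = base64.b64decode(fields[1] if len(fields) > 1 else "", validate=True)
            ktype, app = parse_sk_pubkey(blob)
            if ktype != fields[0]:
                raise ValueError("declared type does not match blob")
            results.append((no, True, app))
        except ValueError as exc:
            results.append((no, False, str(exc)))
    return results

def _line(ktype, *parts):  # build a constructed key line with dummy key bytes
    blob = b"".join(struct.pack(">I", len(p)) + p for p in [ktype.encode(), *parts])
    return ktype + " " + base64.b64encode(blob).decode() + " constructed-sample"

SAMPLE = "\n".join(["# constructed sample: dummy key bytes, not real keys",
                    _line(SK_ED25519, bytes(32), b"ssh:"),
                    _line("ssh-ed25519", bytes(32))])
```

`audit_trusted_ca_keys(SAMPLE)` accepts the ed25519-sk line and flags the plain `ssh-ed25519` line, which is a CA key that is not bound to a hardware token.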