| ▲ | notpushkin 5 days ago | ||||||||||||||||
I know I’m asking for too much, but. The macOS app Secretive [1] stores SSH keys in the Secure Enclave. To make it work, they’ve selected an algorithm supported by the SE, namely ecdsa-sha2-nistp256. I don’t think SE supports PQ algorithms, but would it be possible to use a “hybrid key” with a combined algorithm like mlkem768×ecdsa-sha2-nistp256, in a way that the ECDSA part is performed by the SE? | |||||||||||||||||
| ▲ | cnst 5 days ago | parent | next [-] | ||||||||||||||||
The notice at stake is about key agreements (aka KEX aka Key Exchange), not about the keys themselves. If you look at http://mdoc.su/o/ssh_config.5#KexAlgorithms and http://bxr.su/o/usr.bin/ssh/kex-names.c#kexalgs, `ecdsa-sha2-nistp256` is not a valid option for the setting (although `ecdh-sha2-nistp256` is). | |||||||||||||||||
| |||||||||||||||||
| ▲ | samhclark 5 days ago | parent | prev [-] | ||||||||||||||||
To comment on the part about what keys Secretive uses, I looked at this recently and I think it looks like the SE will be able to do ML-KEM soon. https://developer.apple.com/documentation/cryptokit/secureen... Not totally sure that I'm reading it right, since I've never done MacOS development before, but I'm a big fan of Secretive and use it whenever possible. If I've got it right, maybe Secretive can add PQ support once ML-KEM is out of beta. | |||||||||||||||||