write in 30M

hc

2024-02-20 ea08eeccae9297f7aabd2ef7f0c2517ac4549acc

 kernel/Documentation/process/maintainer-pgp-guide.rst
..
..
@@ -238,7 +238,10 @@
238
238
     work.
239
239
 
240
240
     If for some reason you prefer to stay with RSA subkeys, just replace
241
-    "ed25519" with "rsa2048" in the above command.
241
+    "ed25519" with "rsa2048" in the above command. Additionally, if you
242
+    plan to use a hardware device that does not support ED25519 ECC
243
+    keys, like Nitrokey Pro or a Yubikey, then you should use
244
+    "nistp256" instead or "ed25519."
242
245
 
243
246
 
244
247
 Back up your master key for disaster recovery
..
..
@@ -432,23 +435,23 @@
432
435
 
433
436
 Unless all your laptops and workstations have smartcard readers, the
434
437
 easiest is to get a specialized USB device that implements smartcard
435
-functionality.  There are several options available:
438
+functionality. There are several options available:
436
439
 
437
440
 - `Nitrokey Start`_: Open hardware and Free Software, based on FSI
438
-  Japan's `Gnuk`_. Offers support for ECC keys, but fewest security
439
-  features (such as resistance to tampering or some side-channel
440
-  attacks).
441
-- `Nitrokey Pro`_: Similar to the Nitrokey Start, but more
442
-  tamper-resistant and offers more security features, but no ECC
443
-  support.
444
-- `Yubikey 4`_: proprietary hardware and software, but cheaper than
441
+  Japan's `Gnuk`_. One of the few available commercial devices that
442
+  support ED25519 ECC keys, but offer fewest security features (such as
443
+  resistance to tampering or some side-channel attacks).
444
+- `Nitrokey Pro 2`_: Similar to the Nitrokey Start, but more
445
+  tamper-resistant and offers more security features. Pro 2 supports ECC
446
+  cryptography (NISTP).
447
+- `Yubikey 5`_: proprietary hardware and software, but cheaper than
445
448
   Nitrokey Pro and comes available in the USB-C form that is more useful
446
449
   with newer laptops. Offers additional security features such as FIDO
447
-  U2F, but no ECC.
450
+  U2F, among others, and now finally supports ECC keys (NISTP).
448
451
 
449
452
 `LWN has a good review`_ of some of the above models, as well as several
450
-others. If you want to use ECC keys, your best bet among commercially
451
-available devices is the Nitrokey Start.
453
+others. Your choice will depend on cost, shipping availability in your
454
+geographical region, and open/proprietary hardware considerations.
452
455
 
453
456
 .. note::
454
457
 
..
..
@@ -457,9 +460,9 @@
457
460
     Foundation.
458
461
 
459
462
 .. _`Nitrokey Start`: https://shop.nitrokey.com/shop/product/nitrokey-start-6
460
-.. _`Nitrokey Pro`: https://shop.nitrokey.com/shop/product/nitrokey-pro-3
461
-.. _`Yubikey 4`: https://www.yubico.com/product/yubikey-4-series/
462
-.. _Gnuk: http://www.fsij.org/doc-gnuk/
463
+.. _`Nitrokey Pro 2`: https://shop.nitrokey.com/shop/product/nitrokey-pro-2-3
464
+.. _`Yubikey 5`: https://www.yubico.com/products/yubikey-5-overview/
465
+.. _Gnuk: https://www.fsij.org/doc-gnuk/
463
466
 .. _`LWN has a good review`: https://lwn.net/Articles/736231/
464
467
 .. _`qualify for a free Nitrokey Start`: https://www.kernel.org/nitrokey-digital-tokens-for-kernel-developers.html
465
468
 
..
..
@@ -943,7 +946,7 @@
943
946
 
944
947
 Next, open the `PGP pathfinder`_. In the "From" field, paste the key
945
948
 fingerprint of Linus Torvalds from the output above. In the "To" field,
946
-paste they key-id you found via ``gpg --search`` of the unknown key, and
949
+paste the key-id you found via ``gpg --search`` of the unknown key, and
947
950
 check the results:
948
951
 
949
952
 - `Finding paths to Linus`_