config: remove support for ed25519 signing keys (#2430)

Caleb Doxsey 2021-08-04 09:30:47 -06:00 committed by GitHub
parent c0f9de2a46
commit cc9962cca6
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 11 additions and 20 deletions

@ -1680,12 +1680,12 @@ If no certificate is specified, one will be generated and the base64'd public ke
- Environmental Variable: `SIGNING_KEY_ALGORITHM`
- Config File Key: `signing_key_algorithm`
- Type: `string`
- Options: `ES256` or `EdDSA` or `RS256`
- Options: `ES256` or `RS256`
- Default: `ES256`
This setting specifies which signing algorithm to use when signing the upstream attestation JWT. Cryptographic algorithm choice is subtle, and beyond the scope of this document, but we suggest sticking to the default `ES256` unless you have a good reason to use something else.
Be aware that any RSA based signature method may be an order of magnitude lower than [elliptic curve] variants like EdDSA (`ed25519`) and ECDSA (`ES256`). For more information, checkout [this article](https://www.scottbrady91.com/JOSE/JWTs-Which-Signing-Algorithm-Should-I-Use).
Be aware that any RSA based signature method may be an order of magnitude lower than [elliptic curve] variants like ECDSA (`ES256`). For more information, checkout [this article](https://www.scottbrady91.com/JOSE/JWTs-Which-Signing-Algorithm-Should-I-Use).
[base64 encoded]: https://en.wikipedia.org/wiki/Base64
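Review bot: The Options line drops `EdDSA` without saying what happens to a deployment that already has `signing_key_algorithm` (or `SIGNING_KEY_ALGORITHM`) set to `EdDSA`. Because this removes a previously documented value, add a sentence to this section, or an upgrade note, that states how such a configuration is handled after upgrading and that operators need to move to `ES256` or `RS256` with a signing key of the matching type.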

@ -1825,11 +1825,11 @@ settings:
- Environmental Variable: `SIGNING_KEY_ALGORITHM`
- Config File Key: `signing_key_algorithm`
- Type: `string`
- Options: `ES256` or `EdDSA` or `RS256`
- Options: `ES256` or `RS256`
- Default: `ES256`
doc: |
This setting specifies which signing algorithm to use when signing the upstream attestation JWT. Cryptographic algorithm choice is subtle, and beyond the scope of this document, but we suggest sticking to the default `ES256` unless you have a good reason to use something else.
Be aware that any RSA based signature method may be an order of magnitude lower than [elliptic curve] variants like EdDSA (`ed25519`) and ECDSA (`ES256`). For more information, checkout [this article](https://www.scottbrady91.com/JOSE/JWTs-Which-Signing-Algorithm-Should-I-Use).
Be aware that any RSA based signature method may be an order of magnitude lower than [elliptic curve] variants like ECDSA (`ES256`). For more information, checkout [this article](https://www.scottbrady91.com/JOSE/JWTs-Which-Signing-Algorithm-Should-I-Use).
shortdoc: |
Signing Key Algorithm is the algorithm used to sign a user's attestation JWT.
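Review bot: In the rewritten `doc` sentence, "may be an order of magnitude lower" never says what is lower, and "variants like ECDSA (`ES256`)" now introduces a list with a single member. Since the line is being touched anyway, consider rewording it, for example "RSA-based signing may be an order of magnitude slower than elliptic curve ECDSA (`ES256`)" if performance is what is meant, and writing "check out" as two words. The same sentence is changed in the other documentation hunk of this commit, so apply the wording to both to keep them in sync.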