Closed: mouse07410 closed this issue 6 years ago
The PIV part of the YubiKey can only do up to 2048, the PGP part can do up to 4096 (the reason is that the PIV standard doesn't define anything but RSA 1024 and 2048).
@klali thanks. But in that case this page https://www.yubico.com/products/yubikey-hardware/compare-yubikeys/ is misleading - it seems to tell me that RSA4096 is unconditionally supported, and IMHO there are at least as many people who buy YubiKey 4 solely for its PIV capabilities as those who buy it for OpenPGP (and a few weirdos like myself who want both ;).
Looks like that page was updated towards the end of February. It now shows "RSA 4096 (PGP)" for that row rather than just "RSA 4096".
https://www.yubico.com/product/yubikey-4-series/#tab-specs still lists 4096 unconditionally. Given 2048-bit keys are sunset for 2022 (BSI recommendation for Germany), this probably kills YKs outright for our considerations.
Yes, slightly misleading documentation unfortunately :)
My old YubiKey series 4 scanned with pkcs11-tool -M shows RSA >=2048 is supported, but unfortunately not via PIV:
https://github.com/Yubico/yubico-piv-tool/issues/58#issuecomment-2004869442
My personal case is that I must code-sign Microsoft Windows executables with Authenticode (via signtool.exe or another utility), so my hardware token is now effectively useless; I'm using cloud signing instead.
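Before buying or rolling out tokens for a key-length policy like the one mentioned above, it is worth checking what the PIV applet itself will generate rather than trusting the spec sheet. The following is an added example (not from this thread, nor from Yubico or OpenSC) that parses the mechanism list printed by pkcs11-tool -M and reports the largest RSA key the token generates on-device; the sample output is constructed to mirror the YubiKey 4 PIV case, and the keySize={min,max} line format is that of OpenSC's pkcs11-tool.

```python
import re

# Constructed sample of `pkcs11-tool -M` output for a PIV token whose RSA
# key generation stops at 2048 bits (the YubiKey 4 PIV situation above).
SAMPLE_MECHANISMS = """\
Using slot 0 with a present token (0x0)
Supported mechanisms:
  SHA-1, digest
  SHA256, digest
  RSA-PKCS-KEY-PAIR-GEN, keySize={1024,2048}, generate_key_pair
  RSA-PKCS, keySize={1024,2048}, hw, decrypt, sign
  SHA256-RSA-PKCS, keySize={1024,2048}, sign
  ECDSA-KEY-PAIR-GEN, keySize={256,384}, generate_key_pair
  ECDSA, keySize={256,384}, hw, sign
"""

# One mechanism line: NAME[, keySize={min,max}][, flag, flag, ...]
MECH_RE = re.compile(r"^\s*([A-Z0-9-]+)(?:,\s*keySize=\{(\d+),(\d+)\})?(?:,\s*(.*))?$")


def parse_mechanisms(text):
    """Return {mechanism: (min_bits, max_bits, flags)}; bits are None without keySize."""
    mechs = {}
    for line in text.splitlines():
        if "," not in line:          # skip the slot/header lines
            continue
        m = MECH_RE.match(line)
        if not m:
            continue
        name, lo, hi, rest = m.groups()
        flags = {f.strip() for f in rest.split(",")} if rest else set()
        mechs[name] = (int(lo) if lo else None, int(hi) if hi else None, flags)
    return mechs


def max_rsa_keygen_bits(mechs):
    """Largest RSA modulus the token will generate on-device, or 0 if it cannot."""
    entry = mechs.get("RSA-PKCS-KEY-PAIR-GEN")
    if not entry or "generate_key_pair" not in entry[2] or entry[1] is None:
        return 0
    return entry[1]


def meets_policy(mechs, required_bits):
    """True when on-token RSA generation satisfies a minimum key-length policy."""
    return max_rsa_keygen_bits(mechs) >= required_bits


if __name__ == "__main__":
    m = parse_mechanisms(SAMPLE_MECHANISMS)
    print("max on-token RSA:", max_rsa_keygen_bits(m), "bits; 3072 OK:", meets_policy(m, 3072))
```

Run the real check with `pkcs11-tool -M` piped into parse_mechanisms; an ECC mechanism line is parsed the same way if the policy is about P-384 instead.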
yubico-piv-tool refuses to either generate or import an RSA key that's longer than 2048 bits. I tried RSA 3072 and 4096 bits. It was my impression that YubiKey 4 was capable of dealing with PIV RSA keys larger than RSA2048?