Simon Josefsson simon@josefsson.org writes:
> A private key owner should not trust someone else's copy of its own public key, should they?
I wonder how this application error could possibly happen. If you get a signing request with message and a public key (e.g., you're an implementation of ssh-agent), you would typically use the given public key to look up the corresponding private key, and refuse the request if you have no corresponding key pair on file.
Maybe, if you're an ssh-agent with only a single private key, it might be tempting to skip the lookup and just use whatever public key was provided. That would then be broken and leak the private key.
I'd leave it at documenting the last part of your suggestion here: when you generate an EdDSA key pair, you should store the public key alongside the private key, and use that copy whenever it is needed.
Note that with Nettle, ed25519 key generation is selecting a random private key, e.g., reading /dev/random, and then just calling ed25519_sha512_public_key.
> Requiring the public key to be identical to ed25519_sha512_public_key() is hard for an API user without always calling that function,
I think this requirement is essential if you want the signing process to be equivalent to what's specified in RFC 8032 (where the public key *is* recomputed for each signature). And then the typical way to comply would be as you describe above: compute the public key once, and store it securely together with the private key.
Regards, /Niels
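The agent-side check discussed in this thread, as an added example that is not part of the message or of Nettle: the public key is derived once at generation time and stored with the seed, and a signing request is refused unless the caller's public key equals the one recomputed from the stored seed. It uses Go's standard crypto/ed25519 instead of Nettle; the KeyPair, Generate and Sign names are assumptions made here.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrPublicKeyMismatch is returned when a signing request names a public key
// that does not belong to the stored key pair.
var ErrPublicKeyMismatch = errors.New("public key does not match stored key pair")

// KeyPair stores the public key alongside the 32-byte private seed at
// generation time, so signing never has to trust a caller-supplied copy.
type KeyPair struct {
	Seed   []byte            // 32-byte private key in RFC 8032 terms
	Public ed25519.PublicKey // derived once from Seed and kept with it
}

// Generate draws a random seed and derives the public key exactly once.
func Generate() (*KeyPair, error) {
	seed := make([]byte, ed25519.SeedSize)
	if _, err := rand.Read(seed); err != nil {
		return nil, err
	}
	priv := ed25519.NewKeyFromSeed(seed)
	return &KeyPair{Seed: seed, Public: priv.Public().(ed25519.PublicKey)}, nil
}

// Sign handles a request carrying (claimedPub, msg), as an ssh-agent would.
// The public key is recomputed from the stored seed (as RFC 8032 does for every
// signature) and must match both the stored copy and the caller's copy;
// otherwise the request is refused rather than signed with a foreign key.
func (kp *KeyPair) Sign(claimedPub ed25519.PublicKey, msg []byte) ([]byte, error) {
	priv := ed25519.NewKeyFromSeed(kp.Seed) // recomputes A = [s]B internally
	recomputed := priv.Public().(ed25519.PublicKey)
	if !bytes.Equal(recomputed, kp.Public) || !bytes.Equal(claimedPub, recomputed) {
		return nil, ErrPublicKeyMismatch
	}
	return ed25519.Sign(priv, msg), nil
}

func main() {
	kp, _ := Generate()
	msg := []byte("constructed message") // constructed sample input
	sig, err := kp.Sign(kp.Public, msg)
	fmt.Println("own key:", err, ed25519.Verify(kp.Public, msg, sig))
	other, _ := Generate()
	_, err = kp.Sign(other.Public, msg)
	fmt.Println("foreign key:", err)
}
```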