> For the ECDSA algorithm, it should be 521.<p>Not that I'm discouraging people from using stronger security, but P-256 is perfectly safe. If you can wait an extra second or two for some connect operations, use P-521 or ED25519.<p>Honestly, I wish PGP was widely accepted. My "persistent" identity has a very long key, and I create "A" (auth) keys that expire. GPG has an SSH agent; it's quite beautiful. SSH keys by themselves do all of this key management and rotation by hand and I find it quite silly.
Ed25519 is defined over the 255-bit field GF(2^255-19) and thus has fixed-size keys, so having key size recommendations for it is silly. (The underlying EdDSA can be generalized to other sizes.)<p>256-bit ECDSA is fine; it offers the same theoretical security level as Ed25519. Its main problem is that historically implementations were fragile (relying on high-quality randomness for signing) and not resistant to side-channel attacks.
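An added example, not part of the comment above or of any project's code: a key-audit helper that reads the size out of an OpenSSH public-key line, showing that Ed25519 has no size to choose while ECDSA and RSA do. The function names are hypothetical, and the sample keys built by `make_line` are constructed placeholder bytes, not real keys.

```python
import base64

CURVE_BITS = {"nistp256": 256, "nistp384": 384, "nistp521": 521}

def pack_string(data):
    """Encode bytes as an SSH wire 'string': uint32 length, then the bytes."""
    return len(data).to_bytes(4, "big") + data

def read_string(buf, off):
    """Decode one SSH wire 'string' at offset off; return (bytes, next offset)."""
    n = int.from_bytes(buf[off:off + 4], "big")
    end = off + 4 + n
    if off + 4 > len(buf) or end > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:end], end

def make_line(algo, *parts):
    """Build a constructed public-key line for testing (not a real key)."""
    blob = pack_string(algo.encode()) + b"".join(pack_string(p) for p in parts)
    return algo + " " + base64.b64encode(blob).decode() + " constructed@example"

def describe_public_key(line):
    """Return (algorithm, bits) for one OpenSSH public-key line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<algorithm> <base64 blob> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    name, off = read_string(blob, 0)
    algo = name.decode("ascii")
    if algo != fields[0]:
        raise ValueError("algorithm label does not match key blob")
    if algo == "ssh-ed25519":
        key, _ = read_string(blob, off)
        if len(key) != 32:  # fixed size: there is no key-length option
            raise ValueError("Ed25519 public key must be 32 bytes")
        return algo, 8 * len(key)
    if algo.startswith("ecdsa-sha2-"):
        curve, off = read_string(blob, off)
        bits = CURVE_BITS.get(curve.decode("ascii"))
        point, _ = read_string(blob, off)  # uncompressed point: 0x04 || X || Y
        if bits is None or len(point) != 1 + 2 * ((bits + 7) // 8):
            raise ValueError("unknown curve or malformed point")
        return algo, bits
    if algo == "ssh-rsa":
        _e, off = read_string(blob, off)  # public exponent
        n, _ = read_string(blob, off)     # modulus; its bit length is the key size
        return algo, int.from_bytes(n, "big").bit_length()
    raise ValueError("unsupported key type: " + algo)
```
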
I wonder what would happen if you made a site that looked similar and asked people to upload their private ssh key to "check if it's safe". Sort of like the phishing sites that ask you to type your whole credit card number to "see if it's been compromised".<p>Based on the number of people I've seen that totally don't understand the concept between the public and private portions of their key, I bet you'd collect a lot.