The current method for picking crypto token/signing algorithm looks like this:
- Pick your signing algorithm
- Pick your crypto token from the list available according to signing algorithm
- Hope for the best

This puts the cart before the horse, as it requires understanding which signature methods can be applied to a crypto token. Users get confused if they've made the wrong selection, as their crypto token doesn't even show up on the list. SSH CAs especially are highly restricted in which signing algorithms can be used for certain keys.

- Pick the crypto token first. Next to the name should be a quick description of what's in that crypto token. The key encrypt key may not be EC, so EC keys should not even turn up as a choice. This should be explained in a permanent help text. As a next step, this should be solved so that the key encrypt key can't even be created as EC on the crypto token page.
- Pick the signing algorithm, based on which are applicable to the signing key. Again, the reason why the list is pruned should be explained in a help text.
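
A sketch of the token-first flow described above, as an added example that is not the project's own code: the picker describes each key, prunes signing algorithms to those the chosen key supports, and keeps a reason for every pruned entry to use as help text. The rule table, key aliases and function names are assumptions made for illustration; the SSH rows follow the fixed key-to-algorithm pairing of the SSH algorithm names.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Key:
    alias: str
    family: str  # "RSA", "EC" or "Ed25519"
    spec: str    # modulus size or curve name

# Constructed rule table (a subset, for illustration):
# (CA type, algorithm) -> (required key family, required curve or None)
RULES = {
    ("x509", "SHA256withRSA"): ("RSA", None),
    ("x509", "SHA384withRSA"): ("RSA", None),
    ("x509", "SHA256withECDSA"): ("EC", None),
    ("x509", "SHA384withECDSA"): ("EC", None),
    ("x509", "Ed25519"): ("Ed25519", None),
    ("ssh", "rsa-sha2-256"): ("RSA", None),
    ("ssh", "rsa-sha2-512"): ("RSA", None),
    ("ssh", "ecdsa-sha2-nistp256"): ("EC", "P-256"),
    ("ssh", "ecdsa-sha2-nistp384"): ("EC", "P-384"),
    ("ssh", "ssh-ed25519"): ("Ed25519", None),
}

# Constructed sample crypto token contents; the aliases are hypothetical.
SAMPLE_TOKEN = [Key("caSign", "EC", "P-256"), Key("caEncrypt", "RSA", "2048")]

def describe(key):
    """Quick description shown next to the key name in the picker."""
    return f"{key.alias} ({key.family} {key.spec})"

def signing_algorithms(key, ca_type):
    """Return (allowed, pruned); pruned maps each hidden algorithm to help text."""
    allowed, pruned = [], {}
    for (kind, alg), (family, spec) in RULES.items():
        if kind != ca_type:
            continue
        if family != key.family:
            pruned[alg] = f"needs a {family} key, {key.alias} is {key.family}"
        elif spec and spec != key.spec:
            pruned[alg] = f"needs curve {spec}, {key.alias} is {key.spec}"
        else:
            allowed.append(alg)
    return allowed, pruned

def key_encrypt_candidates(token):
    """The page's rule: the key encrypt key may not be EC, so EC keys are not offered."""
    return [k.alias for k in token if k.family != "EC"]
```

With the sample token, an SSH CA signing with `caSign` is offered a single algorithm, and every other SSH entry carries the reason it was hidden.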