OIDs for ECDH Keys in Certificates #4750
Comments
|
Well that is unfortunate. The semantics of
What do other implementations do here? I guess we can use key usage to guide the decision, assuming only one of signatures vs key exchange is enabled; supporting this might be messy though. And if both usages are allowed
I guess we are doing this anyway, for certs that anyone else created. My thoughts at the moment
Found this OpenSSL bug which seems to indicate they'd at least consider a patch adding |
At least for OpenSSL and Bouncycastle, only one type of EC public key is used for KEX (ECDH) and signatures (ECDSA). For Botan, we could also deprecate ECDH and ECDSA keys and collect the logic for both in the EC_PublicKey/EC_PrivateKey pair with a key_agreement_op, signature_op, and a verification_op (similar to RSA). Something for Botan 4?
Agreed!
I'm also not sure. My intuition is that only a few applications need to create certificates with ECDH keys anyway. However, breaking the logic causes trouble for users only working with Botan for importing and exporting certificates. Probably, we only want to export ECDH certificates with id-ecPublicKey if the entire roundtrip works with Botan, i.e., importing the certificate can recover the ECDH key. |
Not happening.
That seems very likely to me. I've never seen one in the wild myself.
Absolutely yes. |
I wouldn't be surprised if that changed once people migrate their "authenticated key exchange"-protocols towards hybrid PQC. More people might want to go the AuthKEM route and ditch the live signature in favor of a long-lived KEM public key where authentication is achieved by a successful key confirmation. I'm leaving the question of perfect-forward secrecy aside for now.
This does sound like a hard sell to me as well. Though, one could consider introducing a notion of "allowed key usage" to the (asymmetric) key objects. For most algorithms that could be completely transparent, because they support exactly one usage type anyway. For ECC and RSA one could enforce specifying a key usage at construction (just like today for ECC via explicit derived types). Certificates could then just "project" their key restrictions onto whatever falls out of Anyway, I'm not saying that this is optimal either, just putting it up for discussion. |
|
I have seen ECDH certificates (sorry, can't post an example). |
Sure, that transition is going to happen, but hopefuly the OIDs for hybrid PQC KEMs don't make a similar mistake here, and just encode exactly what they are. Vs, oh this key? Yeah it's ECDH+ML-KEM. Or ECDSA+ML-KEM if you want it to be. 😬 |
RFC 5480, Section 2.1 defines two OIDs that can be used for EC Algorithms in certificates:
In short: id-ecPublicKey can be used with ECDSA or ECDH, while id-ecDH can only be used with ECDH. In Botan, we always use id-ecPublicKey when encoding SubjectPublicKeys with ECDSA and id-ecDH when encoding them with ECDH. Also, Botan always imports SubjectPublicKeys with OID id-ecPublicKey as ECDSA keys.
While this is standard-compliant, there is the following issue: Almost nothing out there supports the id-ecDH OID. OpenSSL and Bouncycastle do not recognize this OID. Tools like the Windows certificate view or XCA also do not recognize it. It seems there is a silent agreement to always use id-ecPublicKey for both ECDSA and ECDH.
The main problem I see is that Botan currently exports certificates with ECDH keys in a way most tools do not understand. A minor inconvenience is that Botan imports public keys from certificates always as ECDSA keys, which could be ECDH keys. What do you think?
The text was updated successfully, but these errors were encountered: