malishav
commented
7 months ago The action item is to add a MAY on using digital signature with static DH key just for enrollment, but to keep PoP with a MAC for efficiency reasons.
Closed gselander closed 7 months ago
malishav
commented
7 months ago The action item is to add a MAY on using digital signature with static DH key just for enrollment, but to keep PoP with a MAC for efficiency reasons.
malishav
commented
7 months ago @gselander could you check if the text in #45 resolves this issue?
We describe the use of ECDH in the CSR for proving possession of the private key when enrolling a public key to be used with static ECDH based authentication. We should also state that for curves like P-256, P-384, P-521 it is allowed to prove possession by signing the CSR with the same private key:
800-56A Revision 3 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf
5.6.3.2 Specific Requirements on Static Key Pairs
"A static key pair may be used in more than one key-establishment scheme. However, one static public/private key pair shall not be used for different purposes (for example, a digital-signature key pair is not to be used for key establishment or vice versa; key-usage restrictions could be enforced by a CA when generating certificates) with the following possible exception for ECC and FIPS 186-type FFC domain parameters: when requesting the (initial) certificate for a public static key- establishment key, the key-establishment private key associated with the public key may be used to sign the certificate request. See SP 800-57 on Key Usage for further information. A key-establishment key pair generated using safe-prime domain parameters shall not ever be used for the generation of a digital signature."
800-57 Part 1 Revision 5 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf
5.2 Key Usage
"This Recommendation permits the use of a private key-transport or key-agreement key to generate a digital signature for the following special case:
When requesting the (initial) certificate for a static key-establishment key that was generated as specified in FIPS 186 (see SP 800-56A and SP 800-56B), the corresponding private key may be used to sign the certificate request. Refer to Section 8.1.5.1.1.2."
8.1.5.1.1.2 Submission to a Registration Authority or Certification Authority
"The (reputed) owner should provide POP by performing operations with the private key that satisfy the indicated key use. For example, if a key pair is intended for RSA digital signature generation, the CA may provide information to be signed using the owner’s private key. If the CA can correctly verify the signature using the corresponding public key, then the owner has established POP. However, when a key pair is intended to support key establishment (i.e., either key agreement or key transport), and the key pair was generated as specified in FIPS 186 (see SP 800-56A and SP 800-56B), POP may also be afforded by using the private key to digitally sign the certificate request (although this is not the preferred method). The private key-establishment key (i.e., the private key-agreement or private key-transport key) shall not be used to perform signature operations after certificate issuance.