Selecting algorithms in ECC - Githubissues

dogtagpki / pki

The Dogtag Certificate System is an enterprise-class Certificate Authority (CA) which supports all aspects of certificate lifecycle management, including key archival, OCSP and smartcard management.

https://www.dogtagpki.org

GNU General Public License v2.0

365 stars 135 forks source link

Selecting algorithms in ECC #2838

Open pki-bot opened 4 years ago

pki-bot commented 4 years ago

This issue was migrated from Pagure Issue #2718. Originally filed by mharmsen (@mharmsen) on 2017-06-01 16:28:06:

Assigned to cfu (@cfu)
Associated bugzillas
- https://bugzilla.redhat.com/show_bug.cgi?id=1456851

While testing BZ https://bugzilla.redhat.com/show_bug.cgi?id=1222557, I have few questions about selecting algorithms.

RFC for ECC (https://www.ietf.org/rfc/rfc5480.txt) talks about two more algorithms that may be supported which are "id-ecDH" and "id-ecMQV" algorithms. When we sign an ECC certificate request using dogtag it always gives " id-ecPublicKey " in Public Key Algorithm under Subject Public Key Info. I have not seen other two algorithm's.

I am not sure how we decide upon algorithms and how and when to use which one.

pki-bot commented 4 years ago

Comment from mharmsen (@mharmsen) at 2017-06-01 16:32:34

Metadata Update from @mharmsen:

Custom field component adjusted to General
Custom field feature adjusted to ''
Custom field origin adjusted to Community
Custom field proposedmilestone adjusted to ''
Custom field proposedpriority adjusted to ''
Custom field reviewer adjusted to ''
Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1456851
Custom field type adjusted to defect
Custom field version adjusted to ''
Issue assigned to cfu
Issue priority set to: critical

pki-bot commented 4 years ago

Comment from ftweedal (@frasertweedale) at 2017-06-01 20:14:03

From my reading, id-ecPublicKey means "can be used with any algorithm" where as the others constrain usage to a particular key agreement algorithm.

Is there a legitimate business need for this? I would question whether there is, because Key Usage and EKU constrain how the key can be used anyway. I don't know if anyone is concerned about exactly what key agreement gets used; many programs will let you configure that separate anyway e.g. via cipher suites.

Anyhow, if we do implement it, it would have to be configured in the profile somehow.

pki-bot commented 4 years ago

Comment from mharmsen (@mharmsen) at 2017-07-05 17:33:51

[20170705] - In speaking with cfu, we believe that this ticket can be moved to 10.5

pki-bot commented 4 years ago

Comment from mharmsen (@mharmsen) at 2017-07-05 17:33:51

Metadata Update from @mharmsen:

Issue set to the milestone: 10.5 (was: 10.4)

pki-bot commented 4 years ago

Comment from mharmsen (@mharmsen) at 2017-09-02 10:37:09

Metadata Update from @mharmsen:

Issue set to the milestone: FUTURE (was: 10.5)

pki-bot commented 4 years ago

Comment from mharmsen (@mharmsen) at 2018-04-16 20:50:08

Per 10.5.x/10.6 Triage: FUTURE