Open pki-bot opened 4 years ago
Comment from ftweedal (@frasertweedale) at 2017-06-01 20:14:03
From my reading, id-ecPublicKey means "can be used with any algorithm" whereas the others constrain usage to a particular key agreement algorithm.
Is there a legitimate business need for this? I would question whether there is, because Key Usage and EKU constrain how the key can be used anyway. I don't know if anyone is concerned about exactly what key agreement gets used; many programs will let you configure that separately anyway, e.g. via cipher suites.
Anyhow, if we do implement it, it would have to be configured in the profile somehow.
Comment from mharmsen (@mharmsen) at 2017-07-05 17:33:51
[20170705] - In speaking with cfu, we believe that this ticket can be moved to 10.5
Comment from mharmsen (@mharmsen) at 2018-04-16 20:50:08
Per 10.5.x/10.6 Triage: FUTURE
This issue was migrated from Pagure Issue #2718. Originally filed by mharmsen (@mharmsen) on 2017-06-01 16:28:06:
While testing BZ https://bugzilla.redhat.com/show_bug.cgi?id=1222557, I have a few questions about selecting algorithms.
The RFC for ECC (https://www.ietf.org/rfc/rfc5480.txt) talks about two more algorithms that may be supported, which are the "id-ecDH" and "id-ecMQV" algorithms. When we sign an ECC certificate request using dogtag, it always gives "id-ecPublicKey" in Public Key Algorithm under Subject Public Key Info. I have not seen the other two algorithms.
I am not sure how we decide upon algorithms and how and when to use which one.
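To check which of the three RFC 5480 key types a certificate or request actually carries, the following added example (not part of the original thread and not Dogtag code) reads the algorithm OID out of a DER-encoded SubjectPublicKeyInfo. The function names and the sample input, a P-256 SPKI with an all-zero placeholder point, are constructed for illustration.

```python
# EC key-type OIDs defined in RFC 5480, section 2.1.
EC_KEY_TYPES = {
    "1.2.840.10045.2.1": ("id-ecPublicKey", "unrestricted: usable with any EC algorithm"),
    "1.3.132.1.12": ("id-ecDH", "restricted to ECDH key agreement"),
    "1.3.132.1.13": ("id-ecMQV", "restricted to ECMQV key agreement"),
}

def read_tlv(buf):
    """Return (tag, content) of the DER element at the start of buf."""
    if len(buf) < 2:
        raise ValueError("truncated DER header")
    tag, length, pos = buf[0], buf[1], 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[2:2 + n], "big"), 2 + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length]

def decode_oid(content):
    """Turn OBJECT IDENTIFIER content bytes into dotted-decimal form."""
    arcs, value = [], 0
    for byte in content:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                # high bit clear ends the current arc
            arcs.append(value)
            value = 0
    if not arcs:
        raise ValueError("empty OBJECT IDENTIFIER")
    first = arcs[0]                        # first byte packs the first two arcs
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def spki_key_type(spki_der):
    """Return (dotted OID, name, meaning) for a DER SubjectPublicKeyInfo."""
    buf = spki_der
    # Descend SubjectPublicKeyInfo -> AlgorithmIdentifier -> algorithm OID.
    for expected in (0x30, 0x30, 0x06):
        tag, buf = read_tlv(buf)
        if tag != expected:
            raise ValueError(f"unexpected DER tag 0x{tag:02x}")
    dotted = decode_oid(buf)
    return (dotted, *EC_KEY_TYPES.get(dotted, ("unknown", "not an RFC 5480 EC key type")))

def sample_spki(alg_oid_hex):
    """Constructed input: P-256 SPKI with an all-zero placeholder point."""
    der = lambda tag, body: bytes([tag, len(body)]) + body   # short-form lengths only
    alg_id = der(0x30, bytes.fromhex(alg_oid_hex) + bytes.fromhex("06082a8648ce3d030107"))
    return der(0x30, alg_id + der(0x03, b"\x00\x04" + bytes(64)))
```

Calling `spki_key_type(sample_spki("06072a8648ce3d0201"))` reports `id-ecPublicKey`, the value the issue says Dogtag always emits; the hex strings `06052b8104010c` and `06052b8104010d` are the DER encodings of id-ecDH and id-ecMQV.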