eu-digital-green-certificates / dgc-overview

This repository provides an overview over the EU Digital Green Certificates (DGC) project.
Apache License 2.0

Signing algorithm #26

Closed PeterEbraert closed 3 years ago

PeterEbraert commented 3 years ago

In the guidelines on the certificate governance (section 4.1.1), it is stated that Elliptic Curve "SHOULD BE" used. It is stated that RSA-PSS "SHOULD NOT" be used. At the moment, our PKI does not support either algorithm. We do support RSA-PKCS#1. Can we use RSA-PKCS#1 for the DSC-certificate? It is not explicitly stated for the DSC-certificate. For the other certificates (upload, TLS, DSCA) it is stated that you can use RSA-PKCS#1. Is it also allowed for the DSC-certificate?

Can the DSC-certificate contain an extended key usage "1.3.6.1.5.5.7.3.2" (clientAuth)?

psavva commented 3 years ago

Maybe this helps you Peter? https://github.com/eu-digital-green-certificates/dgc-participating-countries/blob/main/gateway/CertificatePreperation.md#rsa-public-key-certificates

Best Regards Panayiotis Savva

FayR-DTSEC commented 3 years ago

Dear Peter,

maybe I can provide some more insights.

It seems that you confuse the algorithm that the Document Signer (the entity that holds the document signer certificate (DSC)) uses to sign the digital green certificate with the algorithm that the CSCA uses to sign the DSC certificate. It is recommended that the Document Signer uses ECDSA, hence he should hold a public key certificate that contains an EC public key. However, this certificate can be signed with RSA PKCS#1 v1.5 padding.

The certificateGovernance contains requirements for the DSC signature algorithm in Section 4.1 pointing to the Technical Specifications for Digital Green Certificates Volume 1 - Section 3.3.2. This document states that the Document Signer MUST use either ECDSA or RSA-PSS for his digital signatures.

The algorithm that the CSCA uses to sign the DSC certificate depends on the key of the CSCA and can be independent from the DSC signature algorithm.

PeterEbraert commented 3 years ago

Thanks for the response. So now

Just to confirm, 2 questions:

FayR-DTSEC commented 3 years ago

Dear Peter,

please be aware that there are two signature schemes defined in RSA PKCS#1 with different padding. The first one is the legacy padding, often called RSA PKCS#1 v1.5 (often used to sign public key certificates). The RSA signature scheme that is called RSA-PSS (or RSASSA-PSS for RSA Signature Scheme with Appendix Probabilistic Signature Scheme) was defined in PKCS#1 >= v2. The most recent version of PKCS#1 is v2.2 and it can be found in RFC8017.

The digital signature that you apply at your Document Signer with COSE should be PS256 in case of RSA, which is RSASSA-PSS as of RFC 8230 (this was defined in Technical Specifications for Digital Green Certificates Volume 1 - Section 3.3.2.). In case you use PS256 (aka RSA-PSS) you should not use keys > 3000 Bit due to the space limitations of the QR code.

Hope this helps.

Best regards

Robin
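The distinction Robin draws in the two comments above (the CSCA may sign the DSC certificate with RSA PKCS#1 v1.5 while the Document Signer's own COSE signature must be ES256 or PS256, and PS256 keys should stay at or below 3000 bits) is easy to check mechanically. The following Go program is an added example written for this thread; it is not code from the dgc-overview project. It builds a throwaway chain with Go's standard library (an RSA CSCA that signs a DSC holding a P-256 key using SHA256WithRSA, i.e. PKCS#1 v1.5), then derives the COSE algorithm the DSC key permits. The function names, the "Demo CSCA"/"Demo DSC" subjects and the `MaxRSABits` constant are assumptions made here; the COSE identifiers ES256 = -7, PS256 = -37 and RS256 = -257 are the registered IANA values.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// COSE algorithm identifiers from the IANA COSE registry (RFC 8152, RFC 8230).
const (
	AlgES256 = -7   // ECDSA with SHA-256 on P-256
	AlgPS256 = -37  // RSASSA-PSS with SHA-256
	AlgRS256 = -257 // RSASSA-PKCS1-v1_5 with SHA-256: not one of the two permitted DSC algorithms
)

// MaxRSABits mirrors the practical limit stated in the thread for PS256 keys (QR code space).
// The constant name is an assumption of this example.
const MaxRSABits = 3000

// SignerAlgForKey picks the COSE algorithm a Document Signer may use with its DSC key:
// ES256 for a P-256 EC key, PS256 for an RSA key of at most MaxRSABits. Anything else is rejected.
func SignerAlgForKey(pub crypto.PublicKey) (int, error) {
	switch k := pub.(type) {
	case *ecdsa.PublicKey:
		if k.Curve != elliptic.P256() {
			return 0, fmt.Errorf("ES256 requires P-256, got %s", k.Curve.Params().Name)
		}
		return AlgES256, nil
	case *rsa.PublicKey:
		if bits := k.N.BitLen(); bits > MaxRSABits {
			return 0, fmt.Errorf("RSA key is %d bits, more than %d", bits, MaxRSABits)
		}
		return AlgPS256, nil
	default:
		return 0, fmt.Errorf("unsupported key type %T", pub)
	}
}

// AllowedSignerAlg reports whether a COSE "alg" header value is one a DGC signature may carry.
func AllowedSignerAlg(alg int) bool {
	return alg == AlgES256 || alg == AlgPS256
}

// BuildDemoChain creates a constructed RSA CSCA that signs a DSC holding an EC P-256 key
// with RSA PKCS#1 v1.5 (SHA256WithRSA). Both certificates are throwaway test material.
func BuildDemoChain() (csca, dsc *x509.Certificate, err error) {
	cscaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	cscaTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Demo CSCA"},
		NotBefore:             now,
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
		SignatureAlgorithm:    x509.SHA256WithRSA, // PKCS#1 v1.5 padding
	}
	cscaDER, err := x509.CreateCertificate(rand.Reader, cscaTmpl, cscaTmpl, &cscaKey.PublicKey, cscaKey)
	if err != nil {
		return nil, nil, err
	}
	if csca, err = x509.ParseCertificate(cscaDER); err != nil {
		return nil, nil, err
	}

	dscKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	dscTmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(2),
		Subject:            pkix.Name{CommonName: "Demo DSC"},
		NotBefore:          now,
		NotAfter:           now.Add(24 * time.Hour),
		KeyUsage:           x509.KeyUsageDigitalSignature,
		SignatureAlgorithm: x509.SHA256WithRSA, // the CSCA's algorithm, independent of the DSC key type
	}
	dscDER, err := x509.CreateCertificate(rand.Reader, dscTmpl, csca, &dscKey.PublicKey, cscaKey)
	if err != nil {
		return nil, nil, err
	}
	if dsc, err = x509.ParseCertificate(dscDER); err != nil {
		return nil, nil, err
	}
	return csca, dsc, nil
}

func main() {
	csca, dsc, err := BuildDemoChain()
	if err != nil {
		panic(err)
	}
	alg, algErr := SignerAlgForKey(dsc.PublicKey)
	fmt.Printf("DSC cert signed with %s, DSC key is %s -> COSE alg %d (err=%v), chain valid: %v\n",
		dsc.SignatureAlgorithm, dsc.PublicKeyAlgorithm, alg, algErr, dsc.CheckSignatureFrom(csca) == nil)
}
```

Running it shows `SHA256-RSA` as the certificate signature algorithm next to `ECDSA` as the DSC key type, which is exactly the combination the thread says is acceptable: the CSCA's PKCS#1 v1.5 certificate signature and the Document Signer's ES256 COSE signature are two separate decisions. Verifiers that only care about the latter should inspect the DSC public key (or the COSE `alg` header) rather than the certificate's own signature algorithm.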

PeterEbraert commented 3 years ago

Thanks for the responses. Clear now. Two more questions:

daniel-eder commented 3 years ago

I believe the signing algorithm is now clarified, if new questions arise please open a new issue