IETF Logo Mail Archive

Re: [pkix] In-the-wild implementations of RFC6955?

Michael StJohns <msj@nthpermutation.com> Thu, 26 May 2022 17:33 UTC

Return-Path: <msj@nthpermutation.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 27B9EC18D839 for <pkix@ietfa.amsl.com>; Thu, 26 May 2022 10:33:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.754
X-Spam-Level:
X-Spam-Status: No, score=-8.754 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, NICE_REPLY_A=-1.857, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nthpermutation-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EkOMBnLTSvfo for <pkix@ietfa.amsl.com>; Thu, 26 May 2022 10:33:49 -0700 (PDT)
Received: from mail-qk1-x736.google.com (mail-qk1-x736.google.com [IPv6:2607:f8b0:4864:20::736]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6B3E8C18D836 for <pkix@ietf.org>; Thu, 26 May 2022 10:33:49 -0700 (PDT)
Received: by mail-qk1-x736.google.com with SMTP id p123so2010290qke.5 for <pkix@ietf.org>; Thu, 26 May 2022 10:33:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nthpermutation-com.20210112.gappssmtp.com; s=20210112; h=message-id:date:mime-version:user-agent:subject:content-language:to :references:from:in-reply-to:content-transfer-encoding; bh=oFfVI11xC5j60aj2OfjnyLWnLhCsW+/fLVAx3FzTWQg=; b=nX+r65aCwcLWLQUOVQdxnk2cTR8qUQ9K5Ml3iLs/sDvBvJPsmw1hK/VREpk9WnCDsc /pDOGU198olCi++qGYNuPPap+qD+D4CBiPc2bofd8iSAz7E+QvC0VwuTSH0arEJYnALk 4OSlFeD+uFVIYCmfC+ddMSY1BqtrtK075MG/QbKJsCcrj+dD2KUEfLg4CaI9+A9//gyQ vv10e2GgISYVyHzWY1FxtOpqQyFMTHgm0nhqcXx6QTGAy31KwZU/qxWaruxVmZ4JPJM0 RvfnpL3hSYJds5J4EeOtJCeqGSgz3+aADAFAZy972U6HpcDKZNcNqIrPwJiy24wKYiyu Gv+Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent:subject :content-language:to:references:from:in-reply-to :content-transfer-encoding; bh=oFfVI11xC5j60aj2OfjnyLWnLhCsW+/fLVAx3FzTWQg=; b=2aGN9bsPzd5aCPlwiX6/K7ATD8ANc+5ayAJzUlfLaIUENPLfcxUab34QG+YhOCRDfb BbWROUJyT2Ajb/lw2M4VZOTt0GRgammfm/ZRMMiswunQdgIM5RlTzz/+J2Na8r1Lk9Rv LiBVU4P0NWOUIwHIpXHee2JYdK9dSex76AXs6+/Xd1r5/ZbuOTjLxK3j/KYjSlwBv2Sl yQ3gxYSmrSWZVXRXrYzOsRglqNdUqgd01xQQn9n+Nev5omB9jGdYasI1hK8qj6SAM7dB ylbIsEyd0kejifDnmbh06fHWH9g28sAJhEOcsKmevBrGqqFF4gterbIfjqD/66Yj24GP QYuw==
X-Gm-Message-State: AOAM5314AAw0+2RHEqoHIheWcKSqj6oCCcjbxR/ICt03SVgy5isNc20r 8hEfrYhKBsmJZYOx2pa1pz8UEJgb7f22eKFu
X-Google-Smtp-Source: ABdhPJzTunCsMPiNOpj/fvxKQRbtJKSnRFWnBikfUaG0QZBJsthZMYQtcgNRVh+SjRuhDaAA7VrUgg==
X-Received: by 2002:ae9:eb14:0:b0:6a3:63cd:78b4 with SMTP id b20-20020ae9eb14000000b006a363cd78b4mr18266625qkg.22.1653586427599; Thu, 26 May 2022 10:33:47 -0700 (PDT)
Received: from [192.168.1.23] (pool-108-51-200-187.washdc.fios.verizon.net. [108.51.200.187]) by smtp.gmail.com with ESMTPSA id a17-20020a05622a02d100b002f93e856eccsm1384685qtx.32.2022.05.26.10.33.46 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 26 May 2022 10:33:46 -0700 (PDT)
Message-ID: <a1d0b3c7-8721-49ac-55ac-332f6653d223@nthpermutation.com>
Date: Thu, 26 May 2022 13:33:45 -0400
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.9.0
Content-Language: en-US
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, IETF PKIX <pkix@ietf.org>
References: <61955a76-232b-81e0-9fff-afea5cd6790b@nthpermutation.com> <SY4PR01MB6251FD54A917409C51BBCBC2EED79@SY4PR01MB6251.ausprd01.prod.outlook.com> <ef9d463f-5abf-b8d8-16fa-3db7980a767e@nthpermutation.com> <SY4PR01MB6251F64ACF9D954D0D6B5CDFEED99@SY4PR01MB6251.ausprd01.prod.outlook.com>
From: Michael StJohns <msj@nthpermutation.com>
In-Reply-To: <SY4PR01MB6251F64ACF9D954D0D6B5CDFEED99@SY4PR01MB6251.ausprd01.prod.outlook.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/FLJxjFvDFmC0LbUOIlI39HqAkoI>
Subject: Re: [pkix] In-the-wild implementations of RFC6955?
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 May 2022 17:33:51 -0000

On 5/26/2022 12:55 PM, Peter Gutmann wrote:
> Michael StJohns <msj@nthpermutation.com> writes:
>
>
>> The sample keyAgreement only CSR came in as ECDSA signed - which is both
>> pragmatic and wrong.
> It sort of makes sense though because unlike X9.42 DH keys which are marked as
> such, ECDSA keys (that is, ecPublicKey keys) are only marked as generic ECC
> keys and not ECDSA or ECDH or ECanythingelse.  So how you interpret them is up
> to the implementation, and in particular without an explicit hint via keyUsage
> you have no idea what algorithm an ECC key is actually intended to be used
> with.
Strangely, there are OIDs to mark EC keys as ec, echd and ecmqv. No one 
uses them AFAIK and I'm grateful for that after the fiasco I ran into on 
RSA keys marked for OAEP in a couple of TPM 1.2 endorsement 
certificates.     See RFC 5480, section 2.1
> Even with the hint, if there was (say) an ECElgamal and you had an ECC
> key with keyUsage = digitalSignature there'd be no way to tell whether it was
> ECDSA or ECElgamal signing.
Maybe not exactly true.  I always considered that the curve OID 
constrained the appropriate set of cryptographic functions.   For at 
least the Suite B curves. Hmm..
> In addition in order for PKCS #10 to work you have to ignore the keyUsage.  To
> see why, consider a CSR for an RSA key with keyUsage = dataEncipherment.
> Since the CSR has to be self-signed if you enforced keyUsage as written then
> the CSR would fail signature validation.  So the only way for CSR's to work in
> practice is that keyUsage is ignored.

I never actually got a response to whether or not CA's support RFC6955, 
so I'm not sure of the reality of that last statement or not.  I 
wouldn't be surprised if you're correct, or mostly correct.

That said, unless I've completely mis-read RFC6955, I can create a EC 
CSR with a keyAgreement only keyUsage and do it without using the 
proposed EC key in anything but ECDH.  It's a long-winded work around 
and mostly works the same way ECIES works, and requires the recipient of 
the CSR to have published an ECDH certificate.  It's not the more 
general "a CSR can be verified by anyone" model, but it still looks like 
a CSR.

> And that's why the de facto interpretation of ecPublicKey = ECDSA.
>
> Peter.
>
I don't know that I'll have to go down this path.. thanks for the chat! Mike

v2.23.0 | Report a Bug | By Email