IETF Logo Mail Archive

Re: [pkix] In-the-wild implementations of RFC6955?

Michael StJohns <msj@nthpermutation.com> Tue, 24 May 2022 16:33 UTC

Return-Path: <msj@nthpermutation.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 58BB6C1D3502 for <pkix@ietfa.amsl.com>; Tue, 24 May 2022 09:33:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.753
X-Spam-Level:
X-Spam-Status: No, score=-3.753 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-1.857, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nthpermutation-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 51STDXBCX9zo for <pkix@ietfa.amsl.com>; Tue, 24 May 2022 09:33:31 -0700 (PDT)
Received: from mail-qt1-x835.google.com (mail-qt1-x835.google.com [IPv6:2607:f8b0:4864:20::835]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0AC66C1D3506 for <pkix@ietf.org>; Tue, 24 May 2022 09:33:29 -0700 (PDT)
Received: by mail-qt1-x835.google.com with SMTP id v6so12082108qtx.12 for <pkix@ietf.org>; Tue, 24 May 2022 09:33:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nthpermutation-com.20210112.gappssmtp.com; s=20210112; h=message-id:date:mime-version:user-agent:subject:content-language:to :references:from:in-reply-to; bh=ixFrLsie1CJg/g9GZkmv35HOY8iH8XAkZrFh7EcNJoo=; b=fubMxgpivSlL5ECpeJgqxi338YDy65bTjZcdkzgdePXDjkhxBR7jvZATZrXyhvBp0c yvciACC7CmXOHsCTjMESKdnV8PBIvIhMU/B48ImymW1h+P5QjzG0JyrvGyt2JXWt+5gl OfH8jp+OdX71o5jjHf8UEIGzIqACnZAykAE6ghlw/1nAZKhXHWmfnqTu6hQqSrvMSIWP Fx0+kZeoDLF9xizIw02m+KL2hsvrrqgj3FFvdV+HqnzfsuQFHO6Avosfc7cNfHziWSW7 NtpQiXF/WF1s1CV5D9ZbCyYXNqQhT5kcKxCiK2vNfV5kd8qLT8uH/zsqrFyt28wEUdZJ +qMg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent:subject :content-language:to:references:from:in-reply-to; bh=ixFrLsie1CJg/g9GZkmv35HOY8iH8XAkZrFh7EcNJoo=; b=VgCLCS2v3Wxmro183r6maybKh4EO+jI8nT7RpJsA76quo/zHowFIFXYU/uIrnzBYlO U93pLOm/tt/wNErZSjEKuyZy7j28VFjTwjnxrUYzWv1meG5rppwveTeK6E8zvXA93rf7 OdAPrzvDk8NtSvNKo/jwoiAh+rCEI9dWnFwIAT3DygV0rcHFcZYKGNrYSltikq0MR6+z oIzH9DsynVpdb2yMBLCCb3pNcxf77fxOutivT7sSAOgsXMI5n59A3QVrjach5GGQDoUO t5gmExOYNzR13YSQjSitLsyDalTKMOyLJXXtoKCCNGk16tvh7i6m4yiErnKnsV+p5LZb Zrbw==
X-Gm-Message-State: AOAM532i7KhJDvkwaDzkPHRitM2ItEH3yayHCtEio6LkE6poYd2Xa1PX Cvr7qQrNzdJghZ1c71zRBrQRlkOepVjHv1f6
X-Google-Smtp-Source: ABdhPJwxlXvrGpAQ6lMA2loSm5CwiQctBMuDII/wNR93b/W12MP3EoMcAmsIlWAEBz7QgyjtjyBkJA==
X-Received: by 2002:a05:622a:1208:b0:2f3:efb7:53ec with SMTP id y8-20020a05622a120800b002f3efb753ecmr21350646qtx.615.1653410008348; Tue, 24 May 2022 09:33:28 -0700 (PDT)
Received: from [192.168.1.23] (pool-108-51-200-187.washdc.fios.verizon.net. [108.51.200.187]) by smtp.gmail.com with ESMTPSA id y11-20020ac8708b000000b002f3d0e07693sm6275118qto.88.2022.05.24.09.33.27 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 24 May 2022 09:33:27 -0700 (PDT)
Content-Type: multipart/alternative; boundary="------------03aOeVhfWn2wPnxEUVtJVkyg"
Message-ID: <ef9d463f-5abf-b8d8-16fa-3db7980a767e@nthpermutation.com>
Date: Tue, 24 May 2022 12:33:26 -0400
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.9.0
Content-Language: en-US
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, IETF PKIX <pkix@ietf.org>
References: <61955a76-232b-81e0-9fff-afea5cd6790b@nthpermutation.com> <SY4PR01MB6251FD54A917409C51BBCBC2EED79@SY4PR01MB6251.ausprd01.prod.outlook.com>
From: Michael StJohns <msj@nthpermutation.com>
In-Reply-To: <SY4PR01MB6251FD54A917409C51BBCBC2EED79@SY4PR01MB6251.ausprd01.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/SLO57CGJERtCip97QxHI6G_Papc>
Subject: Re: [pkix] In-the-wild implementations of RFC6955?
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 May 2022 16:33:35 -0000

On 5/24/2022 2:22 AM, Peter Gutmann wrote:
> Michael StJohns<msj@nthpermutation.com>  writes:
>
>> Is anyone aware of
>>
>> a)  implementation of CSR software which can generate requests for ECDH
>> certificates
> [crickets]
>
> While it's difficult to prove a negative, ECDH certs are just a rerun of DH
> certificates from 20 years ago, which were supported by exactly nobody [0], so
> I would assume it's no different for ECDH certs.
>
> In addition even if you could somehow generate an (EC)DH cert I'd be even more
> surprised if you could find anything that knew what to do with it when it saw
> it.

Well, TLS1.1 has ECDH_ECDSA and ECDH_RSA capable cipher suites and 
https://datatracker.ietf.org/doc/html/rfc4346#section-7.4.2 indicates 
that the server certificates associated with DH_DSS and DH_RSA have to 
have the keyAgreement bit set.  Strangely 
https://datatracker.ietf.org/doc/html/rfc4492#section-5.3 which is in 
the document that actually defines the ECDH_* suites doesn't mention 
setting this bit.

>From 
https://security.stackexchange.com/questions/24106/which-key-usages-are-required-by-each-key-exchange-method 
I got the claim that OpenSSL required this bit to be set for ECDH_* 
suites for TLS1.2 - I may peruse the code and see if this is true.  But 
I can't find a specification document that requires this.

I *think* that the ECDH_* suites were proposed for two reasons: 1) 
symmetry with the DH_* suites. 2) Because at the time generating ECDHE 
key pairs for large numbers of incoming connections  might tax the 
ability of the web server (e.g. twice as many point multiplications plus 
a need for a fairly fast RBG). The text of RFC4492 hints at the latter:

> Here
>     again the security benefits of forward secrecy may need to be
>     balanced against the improved efficiency offered by other options.

>
> So just out of curiosity, to help understand the use case since I've never
> seen one before and it'd be interesting to hear about it, please lie on this
> couch and tell me why/how you're planning on using these things.  And
> remember, this is for posterity, so be honest — how do ECDH certs make you
> feel?

*laugh* You channeling Count Rugen from Princess Bride is somewhat scary.

As for use case, I've been trying to get the details for a few days, but 
so far haven't heard back.  I had gotten a request to help one of my 
contracts understand how to implement support for various forms of 
PKCS10 CSRs, including one with only keyAgreement as a proposed keyUsage 
extension and was a bit surprised as I'd never seen such a beast.  The 
sample keyAgreement only CSR came in as ECDSA signed - which is both 
pragmatic and wrong.

> Peter.
>
> [0] Well, a few implementations went through the motions of half-hearted token
>      support so they couldn't be accused of being non-standards-compliant, but
>      not much more than that.
>
Thanks - Mike

v2.23.0 | Report a Bug | By Email