Re: [TLS] Certificate keyUsage enforcement question (new in RFC8446 Appendix E.8)

Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 08 November 2018 23:31 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7725B130DD5 for <tls@ietfa.amsl.com>; Thu, 8 Nov 2018 15:31:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9oc2ZrOe1XNF for <tls@ietfa.amsl.com>; Thu, 8 Nov 2018 15:31:40 -0800 (PST)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 18E33127B92 for <tls@ietf.org>; Thu, 8 Nov 2018 15:31:39 -0800 (PST)
Received: from [10.200.18.148] (unknown [38.27.161.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by straasha.imrryr.org (Postfix) with ESMTPSA id 5ADBC301B85 for <tls@ietf.org>; Thu, 8 Nov 2018 18:31:38 -0500 (EST)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 12.1 \(3445.101.1\))
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <1541716036588.29769@cs.auckland.ac.nz>
Date: Thu, 8 Nov 2018 18:31:35 -0500
Content-Transfer-Encoding: quoted-printable
Reply-To: "<tls@ietf.org>" <tls@ietf.org>
Message-Id: <62FC16EB-9567-408E-B3A1-62B868F5A2BB@dukhovni.org>
References: <79CF87E7-E263-4457-865E-F7BE8251C506@dukhovni.org> <m236seg80v.fsf@localhost.localdomain> <DE213706-285A-4FF4-BA25-3DFC69966BE6@dukhovni.org> <m2y3a4ebau.fsf@localhost.localdomain> <FF305E4A-B304-4C72-9D70-0D65116DD8B9@dukhovni.org> <F04642CF-132E-48EF-B17F-36CC57F245FC@ll.mit.edu> <1541716036588.29769@cs.auckland.ac.nz>
To: "<tls@ietf.org>" <tls@ietf.org>
X-Mailer: Apple Mail (2.3445.101.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Q0z_48slRxun5n3660XLsIxr89Q>
Subject: Re: [TLS] Certificate keyUsage enforcement question (new in RFC8446 Appendix E.8)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Nov 2018 23:31:41 -0000

> On Nov 8, 2018, at 5:27 PM, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
> 
>> Always enforce peer certificate key usage (separation) for ECDSA. ECDSA keys
>> are more brittle when misused.
> 
> Since ECDSA can only do signing, isn't this a bit redundant?  In other words
> you can't really not enforce keyUsage for a signature-only algorithm.

Well, ECDH keys (not really ECDSA) can do key agreement, and EC keys
can be used for encryption with ECIES.  In any case, it seems that
other libraries are already requiring digitalSignature in keyUsage
(when present) for ECDSA that don't yet do so for RSA, and I'm willing
to go along with that.  Trying to make a pragmatic choice...

-- 
	Viktor.