Re: [TLS] Certificate keyUsage enforcement question (new in RFC8446 Appendix E.8)

[Viktor Dukhovni <ietf-dane@dukhovni.org>]

[ Quoted text slightly reordered to put the RSA issue first, as that's
  the main thing I'm trying to get clarity on, and enabling keyUsage
  enforcement is causing some interoperability issues now... ]

> On Nov 5, 2018, at 11:11 PM, Geoffrey Keating <geoffk@geoffk.org> wrote:
> 
>> TL;DR:  Should TLS client abort DHE-RSA handshakes with a peer
>> certificate that *only* lists:
>> 
>>            X509v3 Key Usage: 
>>                Key Encipherment, Data Encipherment
> 
> Yes, because in DHE-RSA, the RSA key is used for signing, and this is
> an encryption-only key.
> 

> As far as I know there's no similar attack on RSA, but I think this is
> not a well-examined area.

Since the vast majority of certificates in the wild are RSA, and
interoperability is a concern, I'd really like to better understand
what risk if any posed if one allows a an *RSA* key with a keyUsage
of "keyEncipherment" (seen on some live servers that then do DHE-RSA)
to be used for "DigitalSignature"?  I am only aware of risks in the
converse direction.  How unreasonable would it be to be more forgiving
and allow *RSA* "DigitalSignature" when the keyUsage indicates otherwise?

> It's much more important in the DHE-ECDSA case, because using an
> encryption-only EC key for signing can lead to key compromise (IIRC).

Does anyone have pointers to references for that?  FWIW, I've never seen an
encryption-only (ECIES?) ECDSA key, I guess could be intended for CMS...
In TLSA there's no ECDS keyEncipherment, only ECDHE and fixed ECDH (obsolete).
The first goes with a keyUsage of DigitalSignature, the second with keyAgreement.

Knowing how fragile ECDSA tends to be to key recovery on nonce re-use
or similar issues, I have no reservations enforcing keyUsage for ECDSA.

-- 
	Viktor.