Re: [TLS] Safe ECC usage

Peter Gutmann <> Thu, 03 October 2013 12:25 UTC

Santosh Chokhani <> writes:

>Simply copying RSA template and thus the key usage bits should not yield the
>behavior you mention.  RSA certificates should set the key encipherment bit.
>EC type certificates should not set that bit; the appropriate bit is key

My code, in its default configuration, strictly enforces keyUsage.  From this
I've found that both applications and CAs can set these bits more or less at
random, including completely illogical settings like keyAgreement for RSA
keys.  I've also found, through trial-and-error, that many applications
completely ignore them and use the keys in whatever way they feel appropriate
(the situation for PKCS #12 files in particular is so bad that after fighting
it for a while I had to turn off checking of keyUsage entirely).  So this isn't
a case of copying an RSA template; it's broken software generating them and
equally broken software ignoring them.
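The disagreement above is about which keyUsage bits belong with which key algorithm, and about what a strict checker does when it meets a certificate that gets them wrong. The following is an added example, not code from this thread or from Peter Gutmann's cryptlib: it decodes the DER BIT STRING carried in an X.509 KeyUsage extension (bit numbering per RFC 5280 section 4.2.1.3), then compares the bits against the usages RFC 3279/4055 allow for RSA keys and RFC 5480 allows for id-ecPublicKey keys. The `ALLOWED` table, the `strict` flag and the four constructed sample values (an RSA key with digitalSignature+keyEncipherment, an EC key with digitalSignature+keyAgreement, and the two "illogical" mirror images the message describes) are assumptions of this example.

```python
# Added example: decode an X.509 KeyUsage extension value and check whether
# the bits make sense for the certificate's public-key algorithm.
# Not code from the TLS list thread or from cryptlib.
from typing import FrozenSet, List, Tuple

# Named bits of the KeyUsage BIT STRING, in order (RFC 5280 section 4.2.1.3).
KEY_USAGE_BITS = [
    "digitalSignature",  # bit 0
    "nonRepudiation",    # bit 1 (contentCommitment in newer text)
    "keyEncipherment",   # bit 2
    "dataEncipherment",  # bit 3
    "keyAgreement",      # bit 4
    "keyCertSign",       # bit 5
    "cRLSign",           # bit 6
    "encipherOnly",      # bit 7
    "decipherOnly",      # bit 8
]

# Which usages each key algorithm can meaningfully carry (assumption of this
# example, following RFC 3279/4055 for RSA and RFC 5480 for EC public keys).
# RSA keys cannot do key agreement; EC keys cannot do RSA-style key transport.
ALLOWED = {
    "rsa": frozenset(KEY_USAGE_BITS) - {"keyAgreement", "encipherOnly", "decipherOnly"},
    "ec": frozenset(KEY_USAGE_BITS) - {"keyEncipherment", "dataEncipherment"},
}


def decode_key_usage(der: bytes) -> FrozenSet[str]:
    """Decode a DER-encoded KeyUsage BIT STRING into the set of named bits.

    Layout: tag 0x03, short-form length, one 'unused bits' byte, then the bit
    data with bit 0 in the most significant position of the first byte.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("bad or unsupported BIT STRING length")
    unused = der[2]
    body = der[3:]
    if unused > 7 or (not body and unused):
        raise ValueError("invalid unused-bits count")
    total_bits = len(body) * 8 - unused
    names = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        byte_index, bit_index = divmod(i, 8)
        if body[byte_index] & (0x80 >> bit_index):
            names.add(KEY_USAGE_BITS[i])
    return frozenset(names)


def check_key_usage(algorithm: str, der: bytes, strict: bool = True) -> Tuple[bool, List[str]]:
    """Return (accepted, problems) for a KeyUsage value on a key of `algorithm`.

    In strict mode any bit that is meaningless for the algorithm rejects the
    certificate; in lenient mode the problems are reported but the certificate
    is still accepted, which is what most deployed software effectively does.
    """
    usage = decode_key_usage(der)
    problems = sorted(usage - ALLOWED[algorithm])
    if strict:
        return (not problems, problems)
    return (True, problems)


# Constructed sample values (not taken from any real certificate).
RSA_OK = bytes.fromhex("030205a0")   # digitalSignature + keyEncipherment
EC_OK = bytes.fromhex("03020388")    # digitalSignature + keyAgreement
RSA_BAD = bytes.fromhex("03020308")  # keyAgreement only, on an RSA key
EC_BAD = bytes.fromhex("030205a0")   # keyEncipherment on an EC key


if __name__ == "__main__":
    for label, alg, value in [("RSA ok", "rsa", RSA_OK), ("EC ok", "ec", EC_OK),
                              ("RSA bad", "rsa", RSA_BAD), ("EC bad", "ec", EC_BAD)]:
        accepted, problems = check_key_usage(alg, value)
        print(f"{label:8s} bits={sorted(decode_key_usage(value))} "
              f"strict_accept={accepted} problems={problems}")
```

Running the block prints one line per sample; the two "bad" values are rejected in strict mode and would be accepted with `strict=False`, which is the trade-off the message describes between enforcing keyUsage and interoperating with certificates that set the bits at random.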