Re: [TLS] Enforcing keyUsage restrictions (was Re: Safe ECC usage)
Manuel Pégourié-Gonnard <mpg@elzevir.fr> Sat, 12 October 2013 03:23 UTC
Return-Path: <mpg@elzevir.fr>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D829811E81CB for <tls@ietfa.amsl.com>; Fri, 11 Oct 2013 20:23:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.949
X-Spam-Level:
X-Spam-Status: No, score=-1.949 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_FR=0.35, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yr64KQZl983B for <tls@ietfa.amsl.com>; Fri, 11 Oct 2013 20:23:48 -0700 (PDT)
Received: from mordell.elzevir.fr (mordell.elzevir.fr [92.243.3.74]) by ietfa.amsl.com (Postfix) with ESMTP id D068511E810E for <tls@ietf.org>; Fri, 11 Oct 2013 20:23:45 -0700 (PDT)
Received: from thue.elzevir.fr (thue.elzevir.fr [88.165.216.11]) by mordell.elzevir.fr (Postfix) with ESMTPS id 24972160C7; Sat, 12 Oct 2013 05:23:43 +0200 (CEST)
Received: from [192.168.0.124] (unknown [192.168.0.254]) by thue.elzevir.fr (Postfix) with ESMTPSA id 7D941299F7; Sat, 12 Oct 2013 05:23:34 +0200 (CEST)
Message-ID: <5258C06B.4010804@elzevir.fr>
Date: Sat, 12 Oct 2013 05:22:19 +0200
From: Manuel Pégourié-Gonnard <mpg@elzevir.fr>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.0
MIME-Version: 1.0
To: Santosh Chokhani <SChokhani@cygnacom.com>, Brian Smith <brian@briansmith.org>, Peter Gutmann <pgut001@cs.auckland.ac.nz>
References: <4262AC0DB9856847A2D00EF817E8113908E095@scygexch10.cygnacom.com>
In-Reply-To: <4262AC0DB9856847A2D00EF817E8113908E095@scygexch10.cygnacom.com>
X-Enigmail-Version: 1.5.2
OpenPGP: id=98EED379; url=https://elzevir.fr/gpg/mpg.asc
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Enforcing keyUsage restrictions (was Re: Safe ECC usage)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Oct 2013 03:23:54 -0000
On 12/10/2013 03:15, Santosh Chokhani wrote: > DS bit for RSA based TLS server is not appropriate since the Server key is > used by the client to encrypt and never used for digital signature > verification. > Your seem to have RSA key exchange in mind, while Brian was talking about ECDHE_RSA or DHE_RSA key exchanges, where the server's RSA key is used to sign the parameters in the ServerKeyExchange message. The point was precisely that, if the keyUsage bits were respected, then setting only DS would force to use only forward secret key exchanges with this certificate. Manuel.
- [TLS] Enforcing keyUsage restrictions (was Re: Sa… Brian Smith
- Re: [TLS] Enforcing keyUsage restrictions (was Re… Santosh Chokhani
- Re: [TLS] Enforcing keyUsage restrictions (was Re… Manuel Pégourié-Gonnard
- Re: [TLS] Enforcing keyUsage restrictions (was Re… Peter Gutmann
- Re: [TLS] Enforcing keyUsage restrictions (was Re… Martin Rex
- Re: [TLS] Safe ECC usage Yaron Sheffer