Michael Sierchio wrote:
> 
> Dr S N Henson wrote:
> 
> > The main problem is how you'd certify a DH key when it can't be used to
> > sign a certificate request.
> 
> I do not understand your comments.  There are excellent POP algorithms
> available for the certificate request phase (see Diffie-Hellman
> Proof-of-Possession Algorithms, RFC 2875),  and of course such certs
> may be signed with RSA (preferred for speed of verification) or DSA.
> 

I should have qualified it a bit more. It can't be handled in the same
way as other algorithms for PKCS#10 requests. The various techniques
require additional input and in the case of X9.42 the addition of a new
public key algorithm to OpenSSL.

Currently adding public key algorithms to OpenSSL is painful. There's
stuff hard coded all over the place. I've been meaning to make public
key algorithms "pluggable" for some time but it's tricky to do and I've
been too busy with other things.

Even in the PKCS#3 case there's no I/O support for DH public and private
keys (e.g. a PEM format for DH) and no utilities to support them.

> > There are workarounds but it would need quite a bit of work and very
> > few DH certificates are in general use.
> 
> The PKIX profile used for 'dhpublicnumber' isn't much different from
> the one used for dsa parameters:
> 
>         dhpublicnumber OBJECT IDENTIFIER ::= { iso(1) member-body(2)
>                   us(840) ansi-x942(10046) number-type(2) 1 }
> 
>         DomainParameters ::= SEQUENCE {
>               p       INTEGER, -- odd prime, p=jq +1
>               g       INTEGER, -- generator, g
>               q       INTEGER, -- factor of p-1
>               j       INTEGER OPTIONAL, -- subgroup factor
>               validationParms  ValidationParms OPTIONAL }
> 
> leaving off the optional parms,
> 
>         DomainParameters ::= SEQUENCE {
>               p       INTEGER, -- odd prime, p=jq +1
>               g       INTEGER, -- generator, g
>               q       INTEGER } -- factor of p-1
> 
> The difference is that, in generation and validation for signing by the CA,
> q is not constrained to be a 160-bit (or other hashsize) prime factor of
> (p-1), and g and p may be global parameters chosen for esoteric properties.
> 
> > Can you send me a sample DH certificate? It would be useful if we ever
> > need to support them.
> 
> I'd be glad to...  I'll scrounge some up.  Meanwhile, any suggestions
> on hacking the dhparams tool to permit me to do the above?
> 

The lack of DH certificates is part of the problem. I've only ever seen
them in one place and that is the S/MIME v3 examples group. I suspect
those are broken (the validation parameters: I suspect the examples in
RFC2875 are broken in the same way) but despite repeated requests I've
yet to find someone that can independently verify them or confirm they
are broken. I've taken that as an indication of how widespread they
are... Needless to say I don't know of one public CA that will sign DH
requests either.

Or to summarise, yes it is possible to add support in OpenSSL, no it
isn't very easy and I'm not sure how useful it would be if support was
added.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
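
The DomainParameters structure quoted in the thread, decoded and checked against the relations in its ASN.1 comments (p = jq + 1, q a factor of p-1, g a generator of the order-q subgroup). This is an added example, not code from the thread or from OpenSSL; the function names are hypothetical, the sample encodings are constructed toy values, and primality of p and q is not tested.

```python
# Added example. Toy numbers below are constructed; real groups use large primes.

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def parse_domain_parameters(der):
    """Decode p, g, q and optional j; a trailing validationParms is ignored."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    ints, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag == 0x02:  # INTEGER
            ints.append(int.from_bytes(val, "big", signed=True))
    if len(ints) not in (3, 4):
        raise ValueError("expected p, g, q and optionally j")
    return dict(zip(("p", "g", "q", "j"), ints))

def check_domain_parameters(params):
    """Return a list of problems (empty if the relations hold). No primality test."""
    p, g, q, j = params["p"], params["g"], params["q"], params.get("j")
    problems = []
    if p < 3 or p % 2 == 0:
        return ["p is not an odd integer greater than 2"]
    if q < 2 or (p - 1) % q != 0:
        problems.append("q is not a factor of p - 1")
    elif not 1 < g < p - 1 or pow(g, q, p) != 1:
        problems.append("g does not generate a subgroup of order dividing q")
    if j is not None and j * q + 1 != p:
        problems.append("p != j*q + 1")
    return problems

# Constructed DER: SEQUENCE { p=23, g=2, q=11, j=2 } and the same with q=7, no j.
SAMPLE_OK = bytes.fromhex("300c020117020102" "02010b020102")
SAMPLE_BAD = bytes.fromhex("3009020117020102020107")
```
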