Re: [TLS] Q: Creating CSR for encryption-only cert?

2022-10-06 Thread Thom Wiggers
Hi Uri, all, On Tue 4 Oct 2022 at 17:07, Blumenthal, Uri - 0553 - MITLL <u...@ll.mit.edu> wrote: > CSR is supposed to be signed by the corresponding private key to prove > possession. Obviously, it cannot be done with a key such as described > above. How is this problem addressed in the real wo

Re: [TLS] [lamps] Q: Creating CSR for encryption-only cert?

2022-10-06 Thread von Oheimb, David
Hi Thom, Uri, et al, I had responded to Uri on the openssl-users list on Oct 3rd at 21:12 +0200 as follows: Requesting a cert in a CSR for a key pair that cannot be used for signing is indeed impossible in the widely used PKCS#10 format (except if one breaks the PKCS#10 requirement of a self-si

Re: [TLS] [lamps] Q: Creating CSR for encryption-only cert?

2022-10-06 Thread Thom Wiggers
Hi David, Thanks for your email; you sent it right on time as I'd just started composing a similar email based on my reading of section 4.2 of RFC4211. On Thu 6 Oct 2022 at 09:58, Thom Wiggers wrote: > > We weren't aware of CRMF, so it seems I've got some reading to do as I > write some paragr

Re: [TLS] [lamps] Q: Creating CSR for encryption-only cert?

2022-10-06 Thread Hanno Böck
On Wed, 05 Oct 2022 13:39:32 +1100 "Martin Thomson" wrote: > The integrity of TLS doesn't depend on the key holder presenting > proof of possession toward the issuing CA. Perhaps we could define > an extension that produced an empty signature, so that it could be > used for any algorithm without

Re: [TLS] [lamps] Q: Creating CSR for encryption-only cert?

2022-10-06 Thread Tomas Gustavsson
For CT logs as in 'CT used for public web sites' there is no possibility to delay submitting. The only currently used mechanism is submission to CT logs of pre-certificates, before the final certificate is signed. So CT log entries will always be there, and so must the final certificate be issue

Re: [TLS] [lamps] Q: Creating CSR for encryption-only cert?

2022-10-06 Thread von Oheimb, David
Hi Thom, On Thu, 2022-10-06 at 12:07 +0200, Thom Wiggers wrote: Thanks for your email; you sent it right on time as I'd just started composing a similar email based on my reading of section 4.2 of RFC4211. On Thu 6 Oct 2022 at 09:58, Thom Wiggers <t...@thomwiggers.nl> wrote: We weren'

Re: [TLS] [EXTERNAL] Re: [lamps] Q: Creating CSR for encryption-only cert?

2022-10-06 Thread Mike Ounsworth
Hi Thom, > Yeah, that's something that came up a few times while we were working on > KEMTLS (and it eventually resulted in this paper by Güneysu, Hodges, Land, > Ounsworth, Stebila, and Zaverucha [1]). They also have some nice references > for the kinds of attacks that "sloppy" issuance could

Re: [TLS] [lamps] [EXTERNAL] Re: Q: Creating CSR for encryption-only cert?

2022-10-06 Thread Tomas Gustavsson
> That said, I believe CT is not actually problematic because public CAs > (typically? always?) publish precerts in the SCT which are only the > TBSCertificate with no CA signature, so > the CT log does not actually contain enough data to successfully respond to > the PoP challenge That is no

Re: [TLS] [lamps] Q: Creating CSR for encryption-only cert?

2022-10-06 Thread Thom Wiggers
Hi Tomas, all, Good discussion today, I'm learning some new things :D On Thu 6 Oct 2022 at 13:37, Tomas Gustavsson <tomas.gustavs...@keyfactor.com> wrote: > For CT logs as in 'CT used for public web sites' there is no possibility > to delay submitting. > Ah, of course it does. I must've been

Re: [TLS] [lamps] Q: Creating CSR for encryption-only cert?

2022-10-06 Thread von Oheimb, David
Hi Thom, Tomas, and Mike, On Thu, 2022-10-06 at 16:05 +0200, Thom Wiggers wrote: Good discussion today, I'm learning some new things :D me too, namely regarding CT in relation to certificate confirmation [:-)] Yet please let's keep openssl-us...@openssl.org ou

Re: [TLS] [EXTERNAL] Re: [lamps] Q: Creating CSR for encryption-only cert?

2022-10-06 Thread Mike Ounsworth
> Precertificates, the same "base" TBSCertificate as the final cert + Poison > extension, is signed by the CA Right. Same end result though: you can not use the CT precertificate to satisfy an indirect encryption PoP challenge where the final certificate is the challenge text. --- Mike Ounswor

Re: [TLS] [lamps] [EXTERNAL] Re: Q: Creating CSR for encryption-only cert?

2022-10-06 Thread John Gray
This is indeed an interesting discussion. So from my reading and understanding, the Encrypted POP would NOT be ideal when paired with a CT log because the preCertificate would already be logged before the entity requesting certification was able to do proof of possession of the private key.

Re: [TLS] [lamps] [EXTERNAL] Re: Q: Creating CSR for encryption-only cert?

2022-10-06 Thread von Oheimb, David
Shouldn't it be possible to delay the addition to the CT log until the confirmation (which may be based on decrypting the new cert or any other challenge) by the EE has arrived at the CA? Looks like anyway all known PoP mechanisms for keys that cannot be used for signing appear to require a sec

Re: [TLS] [lamps] [EXTERNAL] Re: Q: Creating CSR for encryption-only cert?

2022-10-06 Thread Peter Gutmann
A general question, motivated by "I need a different hammer because the one I'm currently using isn't able to pound screws in properly": Why is PoP actually required? And by this I don't mean "why is it in theory a good thing", I mean what actual attack that's been actively exploited in the real w

Re: [TLS] [lamps] [EXTERNAL] Re: Q: Creating CSR for encryption-only cert?

2022-10-06 Thread Mike Ounsworth
Hi Peter, We grappled with that same question in our recent work on non-interactive KEM PoPs, and I have to admit, came up emptier than we expected. See appendix A of: https://eprint.iacr.org/2022/703 --- Mike Ounsworth From: Peter Gutmann Sent: Thursday, Octo

Re: [TLS] Securely disabling ECH

2022-10-06 Thread Safe Browsing
Hi Rich and Eric, Thanks for the replies. Let me add to the picture: Client <-> *Middlebox* <-> TLS terminating <-> Desired Origin Or to put it in the TLS ECH draft terminology (split mode topology) - as per my understanding - : Client <-> *Middlebox* <-> Client-facing server <-> Backend serve