>> https://www.usenix.org/conference/woot15/workshop-program/presentation/hlauschek
>
> > Some comments on this, it looks like it requires a "cert with static (EC)DH
> > key" in order to work, which would mean an X9.42 cert. Since no (public) CA
> > that I know of can handle or issue such certs, this probably provides a
> > reasonable amount of defence against this attack…
No, a regular ECDSA certificate would do. That is, the attack would work as long as
- a client has an ECDSA certificate, and
- it enables any static TLS_ECDH_* cipher suite, and
- its ECDSA private key has been stolen (or chosen) by an attacker.

Best,
Karthik

> > In terms of the suggested countermeasures:
> >
> >> Set appropriate X509 Key Usage extension for ECDSA and DSS certificates, and
> >> disable specifically the KeyAgreement flag
> >
> > Since the keyUsage flags are widely ignored by implementations, this won't
> > provide the protection that the text implies.
> >
> > Peter.
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
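As an added example, not code from the thread or from the WOOT paper: the computation behind the three conditions above, on a toy P-256 implementation. With a static TLS_ECDH_* suite the client's certificate key is used directly for key agreement, so whoever holds that private key can compute the premaster secret of a session against the real server's certificate key without knowing the server's private key (key compromise impersonation). With ECDHE the same certificate key only signs, and knowing it gives the attacker nothing about the ephemeral shared secret. All keys are generated inside the block; the pure-Python curve arithmetic is for illustration only (affine coordinates, not constant time, no point validation).

```python
"""Added example, not code from the thread or the paper: why a stolen client
ECDSA key breaks static TLS_ECDH_* suites but not ECDHE. Toy P-256 arithmetic
(affine, not constant time, no input validation); every key below is
constructed here, none comes from a real certificate."""
import secrets

# NIST P-256 domain parameters (FIPS 186-4).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def is_on_curve(pt):
    """True for the point at infinity (None) or any (x, y) on y^2 = x^3 + Ax + B."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def _add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:      # p1 == -p2
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P      # doubling
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """Double-and-add computation of k * pt."""
    result, addend = None, pt
    k %= N
    while k:
        if k & 1:
            result = _add(result, addend)
        addend = _add(addend, addend)
        k >>= 1
    return result


def keypair():
    """Random private scalar in [1, N-1] and its public point."""
    d = secrets.randbelow(N - 1) + 1
    return d, scalar_mult(d, G)


def premaster_static_ecdh(own_priv, peer_cert_pub):
    """TLS_ECDH_*: premaster secret is the x-coordinate of own_priv * peer_pub
    (RFC 4492), computed from the two long-term certificate keys."""
    return scalar_mult(own_priv, peer_cert_pub)[0]


def kci_premaster(stolen_client_priv, server_cert_pub):
    """Attacker impersonating the server: the client's private key plus the
    server's public certificate key reproduce the client's own computation,
    so the server's private key is never needed."""
    return scalar_mult(stolen_client_priv, server_cert_pub)[0]


def demo():
    d_c, Q_c = keypair()   # client's ECDSA certificate key, assumed stolen
    d_s, Q_s = keypair()   # the real server's certificate key

    # Static ECDH: client, server and attacker all derive the same secret.
    static_client = premaster_static_ecdh(d_c, Q_s)
    static_server = premaster_static_ecdh(d_s, Q_c)
    static_attacker = kci_premaster(d_c, Q_s)

    # ECDHE: fresh ephemeral keys e, f on each side; d_c only signs.
    # The attacker knows d_c and sees the public ephemerals E and F, but
    # neither d_c * E nor anything else it can form is f * E.
    e, E = keypair()
    f, F = keypair()
    ecdhe_client = scalar_mult(f, E)[0]
    ecdhe_server = scalar_mult(e, F)[0]
    ecdhe_attacker_guess = scalar_mult(d_c, E)[0]

    return {
        "static_kci_works": static_client == static_server == static_attacker,
        "ecdhe_legit_agree": ecdhe_client == ecdhe_server,
        "ecdhe_attacker_wins": ecdhe_attacker_guess == ecdhe_client,
    }


if __name__ == "__main__":
    print(demo())
```

Note that nothing in the static case depends on the certificate's keyUsage bits: the computation goes through whenever the implementation is willing to negotiate a TLS_ECDH_* suite with that key, which is why disabling those suites on the client is the control that actually bites.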