> On Nov 9, 2018, at 1:19 AM, Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:
>
>> Well, ECDH keys (not really ECDSA) can do key agreement, and EC keys can be
>> used for encryption with ECIES.
>
> Sure, in theory, but in practice I've never seen an (EC)DH cert used in TLS
> (despite actively looking for one,
Nor have I, and I rather think that introducing fixed-(EC)DH ciphers into
TLS was a mistake, and glad to see them gone in TLS 1.3.
> since it'd be a collectors item for the
> cert collection [0]), and I doubt most implementations could even deal with
> one if they saw one. Also, I don't think any TLS implementation, or
> specification, does ECIES. So it's pretty much self-regulating...
And yet I guess the possibility exists that some poor slob deploys a TLS server
with an exotic EC key, that's supposed to be used for fixed-ECDH or CMS key
envelopment. Does that risk key compromise given how fragile EC signatures
when misused?
I guess I am willing to risk failing a tiny fraction of handshakes in this
case; and rumour has it I'd have some company, so the Haskell TLS library
(where I'm helping the maintainers at the moment) won't stand out from the
pack in being overly strict wrt. ECDSA keyUsage.
The idea is to actually relax the rules a bit from what they've recently
become, as based on the specs they're presently a bit too strict, and I
am trying to dial them back to more practical choices. If you think that
ECDSA keyUsage enforcement does more harm than good, I could reconsider,
but I am inclined to be more cautious with EC than with RSA.
--
--
Viktor.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
