TL;DR: Need to create a CSR for a key pair whose algorithm does not allow signing (either because it’s something like Kyber, or because of a restriction enforced by an HSM). How to do it?
Longer version: There are several use cases that require certifying long-term asymmetric keys that are only capable of encryption/decryption – but not signing/verification. That could be either because the algorithm itself does not do signing, or because the private key is generated and kept in secure hardware that enforces usage restrictions.

One example of a protocol that needs this is KEMTLS - which I hope is accepted, either as-is, or with simplification.

A CSR is supposed to be signed by the corresponding private key to prove possession. Obviously, it cannot be done with a key such as described above. How is this problem addressed in the real world? With AuthKEM and KEMTLS, how would these protocols get their certificates?

A short discussion of this issue on the OpenSSL mailing list brought up Certificate Management Protocol (CMP) and CRMF format. Is that where we're heading? Are the "big CAs" on board with it?

Thanks!

--
V/R,
Uri
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls