- From: Jeffrey Yasskin <jyasskin@chromium.org>
- Date: Thu, 12 Apr 2018 00:33:56 +0000
- To: Ilari Liusvaara <ilariliusvaara@welho.com>
- Cc: Jeffrey Yasskin <jyasskin@chromium.org>, Yoav Weiss <yoav@yoav.ws>, HTTP Working Group <ietf-http-wg@w3.org>
- Message-ID: <CANh-dXmyWqs3mTPN5LN7R3127-Hr7ODed_D4ozkgnntu7rdp2A@mail.gmail.com>
On Mon, Apr 9, 2018 at 11:34 AM Ilari Liusvaara <ilariliusvaara@welho.com> wrote: > On Mon, Apr 09, 2018 at 06:25:03PM +0000, Jeffrey Yasskin wrote: > > On Mon, Apr 9, 2018 at 10:26 AM Ilari Liusvaara < > ilariliusvaara@welho.com> > > wrote: > > > > > On Mon, Apr 09, 2018 at 05:00:28PM +0000, Jeffrey Yasskin wrote: > > > > On Mon, Apr 9, 2018 at 5:14 AM Ilari Liusvaara < > ilariliusvaara@welho.com > > > > > > > > wrote: > > > > > > > > > Specifically, this is because RsaEncryption keys can be used with > > > > > insecure static RSA key exchange that will yield a signing oracle > > > > > if one gets it even slightly wrong. And such oracles would be very > > > > > bad thing in context like this. > > > > > > > > > > In theory, this would not be needed for RSA-PSS, ECC or EdDSA > > > > > keys. But this requirement appiles even to them in name of > > > > > consistency. > > > > > > > > > > > > > Because we've switched to requiring new certificates, I've been > toying > > > with > > > > the idea of being much stricter with the set of allowed certificate > > > types. > > > > Do y'all think it'd be a good idea to require that everyone using v1 > of > > > > signed exchanges use exactly one kind of certificate, say secp256r1 > > > ECDSA? > > > > And if we did that, could we allow them to re-use that certificate > for > > > > their TLS servers? > > > > > > I do not like that very much... > > > > > > > Thanks. Could you say a little more about why? Which specific other > > certificate types do you want to be able to use before we use a v2 to > > revise the cryptographic suite? Are you looking for ed25519 support, keys > > with a security level higher than 128 bits, the ability to add > post-quantum > > algorithms, or something else? > > Pretty much that. > > > One slightly less bad one would be require certificate that is > > > considered ECDSA-type (TLS_ECDHE_ECDSA_WITH_*) in TLS 1.2 (which > > > includes EdDSA certificates). Of course, that would be somewhat > > > complicated rule. > > > > Or a certificate usable with "a non-legacy, non-RSA signature algorithm > > accepted by TLS 1.3", which today would be ecdsa_secp256r1_sha256, > > ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, ed25519, or ed448? Or is > > there a TLS 1.2 algorithm you definitely want to use? > > Well, that is pretty much the same set of certificates as used by > TLS_ECDHE_ECDSA_WITH_* in TLS 1.2. > > > It sounds like you might be fine with using a non-RSA certificate as > both a > > TLS server certificate and package-signing certificate? > > Yeah, I consider RSA pretty much legacy. > Thanks. I have a PR implementing this at https://github.com/WICG/webpackage/pull/179, which I'd love folks to review. Jeffrey
Received on Thursday, 12 April 2018 00:34:34 UTC