|Anonymous | Login | Signup for a new account||2017-02-22 06:08 UTC|
|My View | View Issues | Change Log | Roadmap | Repositories|
|View Issue Details|
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0001202||Main CAcert Website||certificate issuing||public||2013-08-16 16:03||2016-09-17 13:02|
|Target Version||Fixed in Version|
|Summary||0001202: Support for Elliptic Curve Certificates|
|Description||As some experts are talking about the possibility that RSA and classic DH may be unsure to use in 4 to 5 years , it might be nice to have support for ECDSA certificates. I tried to sign a CSR using ECDSA some days ago but the system never returned a certificate... i assume it got ignored because ECC is not support by now.|
 .. http://fr.arxiv.org/abs/1306.4244 [^]
 .. http://www.technologyreview.com/news/517781/math-advances-raise-the-prospect-of-an-internet-security-crisis/ [^]
|Additional Information||same as 0001238;|
have same experience using elliptic keys that are fine for Mozilla and others.
My signing request, on basis of key alg. secp384r1, still worked 6 months ago. But now asking for renewal the check_weak_key.php says that the key algorithm is not recognized and so signing done because of security. This is the default after only some RSA tests.
Now have to redo all security of the webserver because cacert doesn't know DH and elliptic keys anymore.
Requests were generated with latest openssl. Please restore this functionality!
|Tags||No tags attached.|
|I can confirm this. I remember from a short conversation with BenBE about this that OpenSSL just has to be upgraded. A quick look at cacert-devel a82f507306a9eba8a9f5dff82d2091dbd29edf71 confirms this.|
Hm, I don't understand - https://github.com/CAcertOrg/cacert-devel/commit/a82f507306a9eba8a9f5dff82d2091dbd29edf71 [^] updates some text files...?
Also, when I try to get a EC CSR signed, it's not "not returning a certificate", but it's printing out an error here, without much detail though:
1) openssl ecparam -name prime256v1 -out foo_ecparam.pem
2) openssl req -newkey ec:foo_ecparam.pem -sha512 -out foo_ec.csr \
-keyout foo_ec.key -nodes \
3) Go to https://www.cacert.org/account.php?id=10 [^] and paste foo_ec.csr gives:
The keys you supplied use an unrecognized algorithm.
For security reasons these keys can not be signed by CAcert.
|This still seems to be an issue. Are there any plans for this?|
|I cant do it as well. trying with p521 key for tinfoil hat reasons (replacing a 16k rsa key)|
There are plans for support for this.
The comment in https://github.com/CAcertOrg/cacert-devel/blob/release/includes/lib/check_weak_key.php#L205 [^] is related to DSA.
For ECDSA (ECC) to work, the appropriate checks need to be implemented to verify the provided ECDSA key is sane. These checks are currently still completely missing. Providing a patch for these will help greatly.
|2013-08-16 16:03||equinox||New Issue|
|2013-08-20 20:30||BenBE||Status||new => confirmed|
|2013-08-24 12:01||ott||Note Added: 0004246|
|2014-08-10 10:22||senora||Severity||feature => major|
|2014-08-10 10:22||senora||Additional Information Updated||View Revisions|
|2014-09-25 22:26||ckujau||Relationship added||has duplicate 0001238|
|2014-09-25 22:35||ckujau||Note Added: 0005031|
|2015-10-08 21:10||klondike||Note Added: 0005464|
|2016-01-19 00:04||My1||Note Added: 0005493|
|2016-02-02 20:20||BenBE||Note Added: 0005494|
|Copyright © 2000 - 2017 MantisBT Team|