0001202: Support for Elliptic Curve Certificates - CAcert Bug Tracker

ID	Project	Category	View Status	Date Submitted	Last Update

0001202	Main CAcert Website	certificate issuing	public	2013-08-16 16:03	2018-02-10 10:09

Reporter	equinox	Assigned To
Priority	normal	Severity	major	Reproducibility	N/A
Status	confirmed	Resolution	open
Platform	all	OS	all	OS Version	all

Summary	0001202: Support for Elliptic Curve Certificates
Description	As some experts are talking about the possibility that RSA and classic DH may be unsure to use in 4 to 5 years [1][2], it might be nice to have support for ECDSA certificates. I tried to sign a CSR using ECDSA some days ago but the system never returned a certificate... i assume it got ignored because ECC is not support by now. [1] .. http://fr.arxiv.org/abs/1306.4244 [2] .. http://www.technologyreview.com/news/517781/math-advances-raise-the-prospect-of-an-internet-security-crisis/
Additional Information	same as 0001238; have same experience using elliptic keys that are fine for Mozilla and others. My signing request, on basis of key alg. secp384r1, still worked 6 months ago. But now asking for renewal the check_weak_key.php says that the key algorithm is not recognized and so signing done because of security. This is the default after only some RSA tests. Now have to redo all security of the webserver because cacert doesn't know DH and elliptic keys anymore. Requests were generated with latest openssl. Please restore this functionality!
Tags	future, new feature

Reviewed by
Test Instructions

ott 2013-08-24 12:01 reporter ~0004246	I can confirm this. I remember from a short conversation with BenBE about this that OpenSSL just has to be upgraded. A quick look at cacert-devel a82f507306a9eba8a9f5dff82d2091dbd29edf71 confirms this.

ckujau 2014-09-25 22:35 reporter ~0005031	Hm, I don't understand - https://github.com/CAcertOrg/cacert-devel/commit/a82f507306a9eba8a9f5dff82d2091dbd29edf71 updates some text files...? Also, when I try to get a EC CSR signed, it's not "not returning a certificate", but it's printing out an error here, without much detail though: 1) openssl ecparam -name prime256v1 -out foo_ecparam.pem 2) openssl req -newkey ec:foo_ecparam.pem -sha512 -out foo_ec.csr \ -keyout foo_ec.key -nodes \ -subj "/C=AB/ST=Foo/L=Bar/O=Baz/OU=foo.net/CN=foo.net/emailAddress=admin@foo.net" 3) Go to https://www.cacert.org/account.php?id=10 and paste foo_ec.csr gives: The keys you supplied use an unrecognized algorithm. For security reasons these keys can not be signed by CAcert.

klondike 2015-10-08 21:10 reporter ~0005464	This still seems to be an issue. Are there any plans for this?

My1 2016-01-19 00:04 reporter ~0005493	I cant do it as well. trying with p521 key for tinfoil hat reasons (replacing a 16k rsa key)

BenBE 2016-02-02 20:20 updater ~0005494	There are plans for support for this. The comment in https://github.com/CAcertOrg/cacert-devel/blob/release/includes/lib/check_weak_key.php#L205 is related to DSA. For ECDSA (ECC) to work, the appropriate checks need to be implemented to verify the provided ECDSA key is sane. These checks are currently still completely missing. Providing a patch for these will help greatly.

travm1 2017-04-07 22:10 reporter ~0005544	Interesting read about ECC https://www.everipedia.com/Elliptic_curve_cryptography/

thalamus 2017-10-16 12:48 reporter ~0005558	awesome, thanks travm1 http://www.thalamus.co

Date Modified	Username	Field	Change
2013-08-16 16:03	equinox	New Issue
2013-08-20 20:30	BenBE	Status	new => confirmed
2013-08-24 12:01	ott	Note Added: 0004246
2014-08-10 10:22	senora	Severity	feature => major
2014-08-10 10:22	senora	Additional Information Updated
2014-09-25 22:26	ckujau	Relationship added	has duplicate 0001238
2014-09-25 22:35	ckujau	Note Added: 0005031
2015-10-08 21:10	klondike	Note Added: 0005464
2016-01-19 00:04	My1	Note Added: 0005493
2016-02-02 20:20	BenBE	Note Added: 0005494
2017-04-07 22:10	travm1	Note Added: 0005544
2017-10-16 12:48	thalamus	Note Added: 0005558
2018-02-10 10:09	L10N	Tag Attached: future
2018-02-10 10:09	L10N	Tag Attached: new feature