[gnutls-devel] GnuTLS | Interaction between enabled curves, key exchanges and signature algorithms (#1625)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Tue Dec 10 15:06:15 CET 2024



Alicja Kario (@mention me if you need reply) created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1625



It looks like the current configuration format isn't able to support all of the following user stories:

 - US1: I want to use CC-compatible policy, don't want to depend on P-256 for anything, I need hybrids with P-384 or certificates with P-384
 - US2: it's far future and ECC is broken by CRQC, but the hybrid key exchanges are widely deployed, so I don't want to trust ECC for signatures but I'm OK with it in hybrid key exchanges and signatures
    (no ECC for certificates, only as part of hybrid)
 - US3: I want to test deployment of PQC, I want to enable hybrid algorithms now
 - US4: It's far future, and only pure algorithms are relevant/allowed by regulations, I don't want any hybrid or ECC enabled
 - US5: only hybrids and pure are allowed and the other peer only speaks hybrid

Problematic case: PQ world, we don't want to accept an ECC-only cert, but we're fine with ECC as part of hybrid


Solution 1: don't disable hybrid schemes if hybrid scheme is allowed even if one of the underlying primitives is disabled
  - confusing, counterintuitive for a setting supposed to disable the primitive

Solution 2: separate control for curves used in certs, similar to what we have for signatures

Solution 3: have the values in a new option (curve-for-pkix?) actually affect what signatures/curves are allowed for _every_ signature in the certificate chain with the ECDSA — issue: the algorithm IDs in TLS don't create a hard link between hash algorithm and curve for certificate signatures. Only for ECDSA, not EdDSA or post-quantum (curve primitive is enabled, pkix - disabled, groups - disabled => pkix disabled, hybrid enabled, direct usage of primitive is enabled)
   - Alex Sosedkin: if secure-sig-for-cert *relaxes* secure-sig (does it?), but curve-for-pkix relaxes secure-curve, that'd be inconsistent

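The "problematic case" and Solutions 1 and 2 from the issue, as a toy model added here for illustration (it is not part of the issue and not GnuTLS code or configuration syntax). It assumes that disabling a primitive disables every algorithm built on it, which is the behaviour Solution 1 proposes to relax; the algorithm entries and function names are constructed for the example.

```python
# Toy policy model for the issue's "problematic case"; not GnuTLS code or config.
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Alg:
    name: str
    use: str          # "cert" (certificate signature) or "kex" (key exchange)
    parts: frozenset  # underlying primitives; more than one means hybrid

# Constructed sample algorithms; the names are illustrative labels only.
ECDSA_P384 = Alg("ecdsa_secp384r1_sha384", "cert", frozenset({"P-384"}))
MLDSA = Alg("mldsa65", "cert", frozenset({"ML-DSA-65"}))
HYBRID_KEX = Alg("SecP384r1MLKEM1024", "kex", frozenset({"P-384", "ML-KEM-1024"}))
PRIMS = ["P-384", "ML-DSA-65", "ML-KEM-1024"]

def single_switch(alg, enabled):
    """One global primitive set: a disabled primitive disables every user of it."""
    return alg.parts <= enabled

def solution1(alg, enabled, allowed_hybrids):
    """Solution 1: an explicitly allowed hybrid survives a disabled component."""
    if len(alg.parts) > 1 and alg.name in allowed_hybrids:
        return True
    return alg.parts <= enabled

def solution2(alg, enabled, enabled_for_cert):
    """Solution 2: certificate checks consult their own primitive set."""
    return alg.parts <= (enabled_for_cert if alg.use == "cert" else enabled)

def meets_problematic_case(decide):
    """Reject the ECC-only cert, accept ECC inside a hybrid, accept the PQ cert."""
    return not decide(ECDSA_P384) and decide(HYBRID_KEX) and decide(MLDSA)

def single_switch_can_express():
    """Try every subset of primitives under the single-switch model."""
    for r in range(len(PRIMS) + 1):
        for combo in combinations(PRIMS, r):
            enabled = frozenset(combo)
            if meets_problematic_case(lambda a: single_switch(a, enabled)):
                return True
    return False

if __name__ == "__main__":
    pq = frozenset({"ML-DSA-65", "ML-KEM-1024"})
    print("single switch:", single_switch_can_express())
    print("solution 1:", meets_problematic_case(lambda a: solution1(a, pq, {"SecP384r1MLKEM1024"})))
    print("solution 2:", meets_problematic_case(lambda a: solution2(a, frozenset(PRIMS), frozenset({"ML-DSA-65"}))))
```

In this model no single set of enabled primitives satisfies the case, while both solutions do. Solution 1 gets there only by accepting an algorithm whose component is listed as disabled, which is the counterintuitive part the issue points out.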

