[gnutls-devel] GnuTLS | certtool automatically applies "digital signature" usage flag for EdDSA and other certificates (#1227)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Sat May 8 05:27:14 CEST 2021




Daniel Kahn Gillmor commented:


Note also that when generating a certificate with an EC public key (e.g. using NIST's P-256 curve), it is not necessarily an ECDSA key -- the same public might be used for ECDH in a CMS (S/MIME) context, as specified in [RFC 5753](https://tools.ietf.org/html/rfc5753).  Such a certificate should *not* be marked with the "digital signature" flag, but rather with the "key agreement" flag (and maybe also wants to include some [S/MIME capabilities](https://tools.ietf.org/html/rfc4262) to indicate what flavors of ECDH are preferred, as in [§6 of RFC 5753](https://tools.ietf.org/html/rfc5753#section-6)).

I know that certtool is not typically used for CMS or S/MIME, and that barring a fix for #1185, the user won't be able to use such an ECDH certificate with GnuTLS tooling itself, but it is still useful for certtool to be powerful enough to be able to generate such a certificate.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1227#note_570481898
You're receiving this email because of your account on gitlab.com.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20210508/1a64af64/attachment.html>


More information about the Gnutls-devel mailing list