<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>


<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">

<p style="color: #777777;">
<a href="https://gitlab.com/dkg">Daniel Kahn Gillmor</a>
<a href="https://gitlab.com/gnutls/gnutls/-/issues/1227#note_570481898">commented</a>:
</p>
<div style="">
<p dir="auto">Note also that when generating a certificate with an EC public key (e.g. using NIST's P-256 curve), it is not necessarily an ECDSA key -- the same public key might be used for ECDH in a CMS (S/MIME) context, as specified in <a href="https://tools.ietf.org/html/rfc5753" rel="nofollow noreferrer noopener" target="_blank">RFC 5753</a>.  Such a certificate should <em>not</em> be marked with the "digital signature" flag, but rather with the "key agreement" flag (and maybe also wants to include some <a href="https://tools.ietf.org/html/rfc4262" rel="nofollow noreferrer noopener" target="_blank">S/MIME capabilities</a> to indicate what flavors of ECDH are preferred, as in <a href="https://tools.ietf.org/html/rfc5753#section-6" rel="nofollow noreferrer noopener" target="_blank">§6 of RFC 5753</a>).</p>
<p dir="auto">I know that certtool is not typically used for CMS or S/MIME, and that barring a fix for <a href="https://gitlab.com/gnutls/gnutls/-/issues/1185" data-original="#1185" data-link="false" data-link-reference="false" data-project="179611" data-issue="79659041" data-reference-type="issue" data-container="body" data-placement="top" title="Feature request: CMS (PKCS#7) encryption (enveloped and authenveloped data) in `certtool`" class="gfm gfm-issue has-tooltip">#1185</a>, the user won't be able to use such an ECDH certificate with GnuTLS tooling itself, but it is still useful for certtool to be powerful enough to be able to generate such a certificate.</p>
</div>


</div>
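<p>The flag distinction raised in the comment above, as an added example that is not part of the original comment or of GnuTLS/certtool: it encodes and decodes the X.509 KeyUsage value as a DER BIT STRING and lints a certificate whose EC key is meant for ECDH. The function names are hypothetical; the bit numbers are those of RFC 5280, section 4.2.1.3.</p>

```python
# Added example (not GnuTLS/certtool code): the X.509 KeyUsage extension value
# as a DER BIT STRING, plus a lint for EC keys intended for ECDH.
# Bit numbers are from RFC 5280 section 4.2.1.3; function names are hypothetical.
KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}
BIT_NAMES = {v: k for k, v in KEY_USAGE_BITS.items()}


def encode_key_usage(flags):
    """Return the DER BIT STRING for a set of KeyUsage flag names."""
    bits = sorted(KEY_USAGE_BITS[name] for name in flags)
    if not bits:
        raise ValueError("KeyUsage must assert at least one bit")
    octets = bytearray(bits[-1] // 8 + 1)
    for b in bits:
        octets[b // 8] |= 0x80 >> (b % 8)   # bit 0 is the most significant bit
    unused = 7 - (bits[-1] % 8)             # DER: trailing zero bits are dropped
    return bytes([0x03, len(octets) + 1, unused]) + bytes(octets)


def decode_key_usage(der):
    """Parse a DER KeyUsage BIT STRING back into a set of flag names."""
    if len(der) < 4 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER BIT STRING")
    unused, octets = der[2], der[3:]
    if unused > 7:
        raise ValueError("invalid unused-bit count")
    total = len(octets) * 8 - unused
    return {BIT_NAMES[i] for i in range(min(total, 9))
            if octets[i // 8] & (0x80 >> (i % 8))}


def lint_ecdh_key_usage(der):
    """Findings for a certificate whose EC key is meant for ECDH (CMS)."""
    flags = decode_key_usage(der)
    findings = []
    if "keyAgreement" not in flags:
        findings.append("keyAgreement is not asserted")
    if "digitalSignature" in flags:
        findings.append("digitalSignature is asserted on an ECDH-only key")
    return findings
```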
</body>
</html>