[Cryptography] Post Quantum Crypto

Viktor Dukhovni cryptography at dukhovni.org
Thu Nov 12 21:51:26 EST 2015


On Fri, Nov 13, 2015 at 03:23:51AM +0100, Philipp Gühring wrote:

> > > I believed that handling 2 different certificates will be too complex
> > > (error-prone) and therefore too costly for the users.
> > 
> > On the other hand, this works now, 
> 
> Are you sure? I would expect quite a number of systems to not be able to
> handle 2 different certificates for the same identity. And it would likely
> leave us open to downgrade attacks against NTRU in case NTRU were found to
> be weaker than RSA, if both certificates are equal. I am not sure, whether
> we should propose that.

With OpenSSL it is possible to field separate concurrent certificates
for ECDSA, RSA and DSA.  If NTRU came along, it would be possible to
start deploying and testing NTRU certificates and ciphersuites.

You'd not be protected against a "downgrade" to RSA once RSA is
sufficiently vulnerable to enable impersonation.  At that point
we'd have to promptly abandon RSA.

> I think that there are lots of software-stacks out there that can only
> manage one certificate for an identity. Has anyone done large-scale
> interoperability tests for a 2-certificate scenario? Could I see the
> results please?

Postfix works with multiple certificates out of the box, and has done
so for over a decade:

    http://www.postfix.org/postconf.5.html#smtpd_tls_cert_file
    http://www.postfix.org/postconf.5.html#smtpd_tls_dcert_file
    http://www.postfix.org/postconf.5.html#smtpd_tls_eccert_file

No "studies" are required, this is not an interoperability issue,
rather it is a question of application configuration file semantics.
Some server software might not expose the feature to its users, or
might use a TLS library that has no such feature.

> I am sorry, but this is wrong:
> 
> https://www.apple.com/certificateauthority/ca_program.html
> 
> "A maximum of three roots per CA provider can be accepted because each
> additional root negatively impacts users by increasing download time."

This is a real requirement of the TLS protocol; if more roots were
needed, Apple would make appropriate accommodations.

-- 
	Viktor.
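As an added illustration of the dual-certificate deployment discussed above (example code, not part of the original thread or of Postfix): the script below mints one RSA and one ECDSA test certificate for the same mail host and checks the two properties that make pairing them in `smtpd_tls_cert_file` / `smtpd_tls_eccert_file` meaningful, namely different key algorithms and an identical subject. The hostname, file paths and key sizes are constructed for the demonstration; it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the thread): build one RSA and one ECDSA certificate
# for the same mail host, as an operator would hand to smtpd_tls_cert_file and
# smtpd_tls_eccert_file, then verify the pairing. Hostname, paths and key sizes
# are constructed for this demonstration.
WORK=$(mktemp -d)
HOST=mail.example.com

openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$HOST" \
    -keyout "$WORK/rsa-key.pem" -out "$WORK/rsa-cert.pem" 2>/dev/null
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 1 \
    -subj "/CN=$HOST" -keyout "$WORK/ec-key.pem" -out "$WORK/ec-cert.pem" 2>/dev/null

# Public key algorithm of a PEM certificate, e.g. rsaEncryption or id-ecPublicKey.
cert_key_type() {
    openssl x509 -in "$1" -noout -text |
        awk -F': ' '/Public Key Algorithm/ { print $2; exit }'
}

# Subject name of a PEM certificate (the identity it asserts).
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# Sanity check for the Postfix slot pairing: the RSA slot must hold an RSA key,
# the EC slot an EC key, and both must name the same identity so that either
# certificate authenticates the same server regardless of the client's key type.
check_dual_certs() {
    rsa_cert=$1; ec_cert=$2
    [ "$(cert_key_type "$rsa_cert")" = rsaEncryption ] || return 1
    [ "$(cert_key_type "$ec_cert")" = id-ecPublicKey ] || return 1
    [ "$(cert_subject "$rsa_cert")" = "$(cert_subject "$ec_cert")" ] || return 1
    return 0
}

# Matching Postfix main.cf lines for this pair (paths are the constructed ones).
postfix_fragment() {
    printf 'smtpd_tls_cert_file = %s\nsmtpd_tls_key_file = %s\n' \
        "$WORK/rsa-cert.pem" "$WORK/rsa-key.pem"
    printf 'smtpd_tls_eccert_file = %s\nsmtpd_tls_eckey_file = %s\n' \
        "$WORK/ec-cert.pem" "$WORK/ec-key.pem"
}

if check_dual_certs "$WORK/rsa-cert.pem" "$WORK/ec-cert.pem"; then
    postfix_fragment
else
    echo "certificate slots are misconfigured" >&2
fi
```

Swapping the two files between the slots makes `check_dual_certs` fail, which is the misconfiguration an operator most commonly introduces when adding a second certificate.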

