Re: [TLS] rfc4366-bis-03 Discuss #2: hash alg. agility for TrustedCA?

To: Dean Anderson <dean at av8.com>
Subject: Re: [TLS] rfc4366-bis-03 Discuss #2: hash alg. agility for TrustedCA?
From: Eric Rescorla <ekr at networkresonance.com>
Date: Wed, 22 Oct 2008 19:45:34 -0700
Cc: Simon Josefsson <simon at josefsson.org>, Alfred Hönes <ah at tr-sys.de>, tls at ietf.org
Delivered-to: ietfarch-tls-web-archive at core3.amsl.com
Delivered-to: tls at core3.amsl.com
In-reply-to: <Pine.LNX.4.44.0810222055240.11989-100000 at citation2.av8.net>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
References: <87iqrlf1pa.fsf at mocca.josefsson.org> <Pine.LNX.4.44.0810222055240.11989-100000 at citation2.av8.net>
Sender: tls-bounces at ietf.org
User-agent: Wanderlust/2.15.5 (Almost Unreal) Emacs/22.1 Mule/5.0 (SAKAKI)

At Wed, 22 Oct 2008 21:12:52 -0400 (EDT),
Dean Anderson wrote:
> 
> On Wed, 22 Oct 2008, Simon Josefsson wrote:
> 
> > Alfred "=?hp-roman8?B?SM5uZXM=?=" <ah at tr-sys.de> writes:
> > 
> > > (B)  Non-uniqueness of x509_name in Trusted CA Keys TLS extension
> > >
> > > The 3rd-to-last paragraph of Section 6 in the -03 version
> > > of the rfc4366-bis draft states:
> > >
> > > !  Note also that it is possible that a key hash or a Distinguished Name
> > > !  alone may not uniquely identify a certificate issuer (for example, if
> > > !  a particular CA has multiple key pairs). However, here we assume this
> > > !  is the case following the use of Distinguished Names to identify
> > > !  certificate issuers in TLS.
> > >
> > > It seems rather unlikely that this non-uniqueness happens for
> > > a key hash.
> > 
> > Can't you have multiple CA certificates for the same key?
> 
> You _can_ have multiple key pairs, but knowledge of any key pair allows
> one to calculate P and Q, so having multiple key pairs for the same
> modulus is a "bad idea", because with one pair one can calculate any
> other pair given one of the other pair.  I believe that both Schnier's
> Applied Cryptography, 2nd and the CRC Handbook of Applied Cryptography
> recommend against this practice.  The CRC Handbook gives the method to 
> calculate P and Q given the public and private keys.

The question is whether you can have multiple CA certificates with
*identical* keys, not multiple certificates with the same modulus but
different e/d. The answer to this is "yes". If you want to uniquely
identify a cert you shoul duse a hash of the cert.

-Ekr
_______________________________________________
TLS mailing list
TLS at ietf.org
https://www.ietf.org/mailman/listinfo/tls

Follow-Ups:
- Re: [TLS] rfc4366-bis-03 Discuss #2: hash alg. agility for TrustedCA?
  - From: Dean Anderson

References:
- Re: [TLS] rfc4366-bis-03 Discuss #2: hash alg. agility for TrustedCA?
  - From: Simon Josefsson
- Re: [TLS] rfc4366-bis-03 Discuss #2: hash alg. agility for TrustedCA?
  - From: Dean Anderson

Prev by Date: Re: [TLS] rfc4366-bis-03 Discuss #2: hash alg. agility for TrustedCA?
Next by Date: Re: [TLS] rfc4366-bis-03 Discuss #2: hash alg. agility for TrustedCA?
Previous by thread: Re: [TLS] rfc4366-bis-03 Discuss #2: hash alg. agility for TrustedCA?
Next by thread: Re: [TLS] rfc4366-bis-03 Discuss #2: hash alg. agility for TrustedCA?
Index(es):
- Date
- Thread

Re: [TLS] rfc4366-bis-03 Discuss #2: hash alg. agility for TrustedCA?

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.