[noise] certificate chains

Rhys Weatherley rhys.weatherley at gmail.com
Sat Jun 30 15:58:57 PDT 2018


On Sun, Jul 1, 2018 at 8:41 AM, Arvid Picciani <aep at exys.org> wrote:

> Nice, Thanks.
>
> Unfortunately I can't figure out how to use XK, because Noise of
> course uses x25519 not ed25519 so the public identities for DH don't
> match the identities used for signing.
> I found this thread from Trevor on signing using x25519
> https://moderncrypto.org/mail-archive/curves/2014/000205.html but
> there's no conclusion.
>

The CA's signature on the certificate needs to use ed25519, but the
subject's actual key would be x25519; i.e. "I the CA with signing key s
warrant that DH key d belongs to the subject with name n".  The subject
might also own other keys, including for signing other people's
certificates.  Those may also be included in the certificate but don't
matter for Noise session establishment.

Another approach is two-level: the CA signs the user's identity certificate
containing the user's ed25519 key, which the user themselves uses to issue
a transport certificate with their DH key.  Both are included in the
certificate chain.  This would make it easier for the user to rotate
transport keys over time under the same long-term identity.

Cheers,

Rhys.
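
The two-level approach from the reply above, sketched in Go as an added example (not code from this thread or from any Noise library). The `Cert` layout, the `tbs` encoding and the role labels are assumptions made for illustration; a real deployment would define its own certificate format and carry the chain in the handshake payload.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Cert is a constructed, minimal certificate (not a real wire format):
// Key is an ed25519 public key (identity) or an x25519 public key (transport).
type Cert struct {
	Name string
	Key  []byte
	Sig  []byte
}

// tbs builds the bytes that get signed. The role label keeps an identity
// signature from being accepted as a transport signature and vice versa.
func tbs(role, name string, key []byte) []byte {
	return []byte(fmt.Sprintf("%s|%d|%s|%x", role, len(name), name, key))
}

// Issue signs a (role, name, key) binding with the issuer's ed25519 key.
func Issue(issuer ed25519.PrivateKey, role, name string, key []byte) Cert {
	return Cert{name, key, ed25519.Sign(issuer, tbs(role, name, key))}
}

// VerifyChain checks CA -> identity cert -> transport cert, then checks that
// the certified DH key is the static key the peer used in the Noise handshake.
func VerifyChain(ca ed25519.PublicKey, id, tr Cert, name string, noiseStatic []byte) bool {
	if id.Name != name || tr.Name != name ||
		len(id.Key) != ed25519.PublicKeySize || len(tr.Key) != 32 {
		return false
	}
	ok := ed25519.Verify(ca, tbs("identity", name, id.Key), id.Sig) &&
		ed25519.Verify(ed25519.PublicKey(id.Key), tbs("transport", name, tr.Key), tr.Sig)
	return ok && bytes.Equal(tr.Key, noiseStatic)
}

func main() {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	userPub, userPriv, _ := ed25519.GenerateKey(rand.Reader)
	dh, _ := ecdh.X25519().GenerateKey(rand.Reader) // Noise static key pair
	id := Issue(caPriv, "identity", "alice", userPub)
	tr := Issue(userPriv, "transport", "alice", dh.PublicKey().Bytes())
	fmt.Println(VerifyChain(caPub, id, tr, "alice", dh.PublicKey().Bytes()))
}
```

Rotating the transport key only requires the user to issue a new transport certificate with the same ed25519 identity key; the CA-signed identity certificate is reused unchanged.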