Can/should ISRG submit a proposal to support Ed25519/Ed448 certificates to CA/B Forum?


#1

In 2019, ISRG is going to create an ECDSA root certificate, which is good, but ECDSA and the P-256 and P-384 curves are not considered very secure by cryptographers. Also, P-384 is currently not correctly implemented in OpenSSL (it is extremely slow). I think ISRG should strongly advise the CA/B Forum to allow Ed25519 and Ed448 certificates and then focus on quantum computer-resistant signing algorithms.


#2

Hi @flyaway_charger,

What’s the state of support for these algorithms in browsers and other TLS clients?


#3

Chrome/Chromium already uses Curve25519 as a key exchange curve (X25519) in ECDHE.

I’m always disappointed when people wait for some other party to implement something. What remains is a chicken and egg dilemma. I already know that even when Chrome/Chromium has some Ed25519 support, it will refuse to implement Ed25519 EdDSA because no CA can issue such certificates.


#4

There was an interesting CA/B Forum thread in December:

https://cabforum.org/pipermail/servercert-wg/2018-December/thread.html#463


#5

Quoting Wayne from that thread:

So, if you are a cryptographer or know one who would like to work on that ticket, that would be one way to advance the progress of EdDSA in browsers.


#6

OpenSSL already supports Ed25519 and Ed448 certs.
openssl req -x509 -newkey Ed25519
openssl req -x509 -newkey Ed448

Some VPN providers already use them for OpenVPN server authentication.
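
The commands in post #6, completed into a non-interactive form that also confirms what the certificate was signed with. This is an added example, not part of the original thread; the subject name, validity period and file names are constructed for illustration, and an OpenSSL build with EdDSA support (1.1.1 or later) is assumed.

```shell
#!/bin/sh
# Added example: issue a self-signed EdDSA certificate and report its
# signature algorithm. Subject, validity and file names are constructed.

# make_eddsa_cert ALG OUTDIR
#   ALG is ed25519 or ed448. Prints the certificate's signature algorithm
#   on stdout; returns non-zero if generation or verification fails.
make_eddsa_cert() {
    alg=$1
    dir=$2
    key="$dir/$alg.key.pem"
    crt="$dir/$alg.crt.pem"

    # -nodes leaves the key unencrypted; -subj avoids the interactive prompts.
    openssl req -x509 -newkey "$alg" -nodes \
        -keyout "$key" -out "$crt" \
        -subj "/CN=eddsa-test.example" -days 30 >/dev/null 2>&1 || return 1

    # The private key is stored in the clear, so restrict access to it.
    chmod 600 "$key"

    # A self-signed certificate must verify against itself.
    openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1 || return 1

    # Take the first "Signature Algorithm" value from the text dump.
    openssl x509 -in "$crt" -noout -text |
        sed -n 's/^ *Signature Algorithm: *\([^ ]*\).*/\1/p' | head -n 1
}

main() {
    workdir=$(mktemp -d) || exit 1
    trap 'rm -rf "$workdir"' EXIT
    for a in ed25519 ed448; do
        printf '%s -> %s\n' "$a" "$(make_eddsa_cert "$a" "$workdir")"
    done
}

main
```
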