Ed25519 with Poly1305-Chacha20 Support in line with TLS 1.3 Standards


#1

Hello.
Do you plan to sign certificates with ed25519 using the Poly1305/ChaCha20 encryption method?
Modern browsers have long supported them.
OpenSSL >= 1.1 and LibreSSL >= 2.5 too.
I really miss the possibility of signing such a certificate.


#2

Browsers don’t support Ed25519 as a certificate signing method (They do support the related x25519, but that’s independent of the certificate). ChaCha20 is just down to the server configuration, you should already be able to enable it if you’re running the right releases of OpenSSL or LibreSSL.
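Added example (not from this thread or from Let's Encrypt's code) that makes the distinction in the reply above concrete with the Python `cryptography` library: Ed25519 is a signature scheme, so it can sign a certificate, while X25519 is the key-agreement step of the TLS handshake, and ChaCha20 plays no part in either. It assumes `cryptography` is installed with an OpenSSL backend that has Ed25519 support; `example.test` is a made-up subject name.

```python
import datetime

from cryptography import x509
from cryptography.x509.oid import NameOID, SignatureAlgorithmOID
from cryptography.hazmat.primitives.asymmetric import ed25519, x25519
from cryptography.exceptions import InvalidSignature


def make_ed25519_self_signed(common_name="example.test"):
    """Issue a self-signed certificate whose subject key *and* signature are Ed25519."""
    key = ed25519.Ed25519PrivateKey.generate()
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
    )
    # Ed25519 (RFC 8032) hashes internally, so no separate digest is selected.
    return builder.sign(key, algorithm=None)


def is_ed25519_signed(cert):
    """True when the certificate's signatureAlgorithm field is Ed25519."""
    return cert.signature_algorithm_oid == SignatureAlgorithmOID.ED25519


def self_signature_valid(cert):
    """Verify the certificate's own signature with the Ed25519 key it carries."""
    try:
        cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes)
        return True
    except InvalidSignature:
        return False


def x25519_secrets_match():
    """X25519 is key agreement: both sides derive the same 32-byte secret, nothing is signed."""
    client = x25519.X25519PrivateKey.generate()
    server = x25519.X25519PrivateKey.generate()
    client_secret = client.exchange(server.public_key())
    server_secret = server.exchange(client.public_key())
    return client_secret == server_secret and len(client_secret) == 32


def x25519_key_can_sign():
    """An X25519 private key has no sign operation at all; that is Ed25519's job."""
    return hasattr(x25519.X25519PrivateKey.generate(), "sign")
```

Running it yourself shows the certificate's signature OID is Ed25519 while the X25519 key offers only `exchange`, which is why a browser can negotiate x25519 in the handshake without being able to validate an Ed25519-signed certificate.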


#3

Thanks for the reply.
Could you please explain the differences between x25519, ed25519 and curve25519 (the KexAlgorithm from OpenSSH, curve25519-sha256)? It seemed to me that ed25519 and x25519 are the same, and that browsers are ready to support not only RSA and ECDHE but 25519 in any form whatsoever.
Ideally, I want to use only a signed ed25519 key, as in OpenSSH.


#4

Hi @Ilya_indigo

Are you looking for ciphers to use with SSH or TLS/SSL?

OpenSSH and browsers support different ciphers.

My understanding is that while the Ed25519 curve has been implemented in multiple crypto libraries, it is not yet an official standard.

https://tools.ietf.org/html/rfc8032

So yes, a lot of protocols and libraries support it, but most of these are proprietary or SSH-based protocols.

https://ianix.com/pub/ed25519-deployment.html#ed25519-soon

TLS 1.3 will add support for this curve; however, as it is still in draft, it's not likely that it will be a supported curve for some time.


https://tlswg.github.io/tls13-spec/

Let’s Encrypt supports the P series of curves (P128, P256, P384).

Andrei


#5

I have also changed this to issuance tech.

There is no need to request something that is not yet possible to do, but it does make a good question about the support of the curve in the general TLS/SSL landscape.

Another interesting article: https://blog.cloudflare.com/introducing-tls-1-3/

Andrei


#6

Thank you very much! :slight_smile:


#7

For (publicly trusted) certificates to use new algorithms and/or curves, the CA/B Forum Baseline Requirements would need to be updated too, by the way.


#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.