Support Ed25519 and Ed448


#1

I hope Let’s Encrypt could issue EdDSA certificates, as the recently published RFC Proposed Standard “Algorithm Identifiers for Ed25519, Ed448, X25519, and X448 for Use in the Internet X.509 Public Key Infrastructure” and “The Transport Layer Security (TLS) Protocol Version 1.3” allow EdDSA to be the TLS authentication method.


#2

The RFC status is of course a good step in the right direction, but Let’s Encrypt is bound by the CA/B Forum Baseline Requirements, the rules a public CA needs to adhere to in order to be trusted in browsers.

In section 6.1.5. “Key Sizes” you can read about the key algorithms (and their key lengths) allowed in certificates. Currently, only RSA and ECDSA with NIST P-256, P-384, or P-521 curves are allowed. No EdDSA unfortunately.

As far as I can tell, currently there are no ballots out on adding EdDSA to the BR.


#3

Okay… Thank you.
I remembered that the CAB BR updates very quickly… I can only hope that the CAB Forum could add EdDSA in the near future.


#4

For your reference: there already exists an issue on the Boulder GitHub-page: https://github.com/letsencrypt/boulder/issues/3649

It was closed by @jsha when the RFC was still a draft; I guess policy is to not have future features open in the issues, although I’m not sure why one wouldn’t want to keep track of stuff that probably ultimately is going to happen. Perhaps because of cleanliness of the issues :slight_smile:

Chances are, Let’s Encrypt wants to wait until the BR allows EdDSA, choosing not to invest the spare development time in a feature for which it isn’t clear when or if it will become reality one day.


#7

As DarkSpirit on GitHub points out, the IETF has standardized the OIDs for Ed25519 et al. Additional stuff that needs to happen before Let’s Encrypt can sign Ed25519 end-entity certificates:

  • Browsers need to implement it.
  • CA/Browser Forum needs to pass a ballot allowing its use.

Note that we won’t be able to generate Ed25519 intermediate certificates until / unless our HSM vendor releases firmware supporting them.


#8

For CA/B forum to pass a ballot allowing Edwards-curve use, a member of CA/B forum has to bring it up. Are there any plans for Let’s Encrypt to do that? I also suspect that getting it allowed with a ballot would mean there’s an actual motivation by HSM vendors to support those curves.


#9

Are there any new updates here?


#10

There was a recent thread on the CA/Browser Forum servercert-wg mailing list: https://cabforum.org/pipermail/servercert-wg/2018-December/000466.html. Chrome is supportive of these algorithms and would like to include them in Chrome, but has nothing concrete to share at this time.


#11

@jsha Thanks for keeping us posted! I appreciate having this information and updates gathered together without having to set up e.g., search keyword alerts (which are flaky anyway), or subscribing to the entirety of the CA/B forum discussions.


Though, the content of that thread is… certainly disconcerting :worried: (Thankfully there are at least a few people there bringing up the fact that it’s sorta converging on a standoff/soft-deadlock.)