Creating an X25519 client certificate
Robert Moskowitz
rgm at htt-consult.com
Thu Mar 18 14:43:06 UTC 2021
On 3/17/21 9:48 PM, tincanteksup wrote:
>
>
> On 18/03/2021 01:22, Robert Moskowitz wrote:
>>
>>
>> On 3/17/21 8:17 PM, Viktor Dukhovni wrote:
>>> Well, CSRs are self-signed, and X25519 does not support signing, so
>>> you CANNOT have an X25519 CSR.
>>
>> Slap myself on the forehead....
>>
>> Of course I know that. But did not stop to think this through. :(
>>
>> Will read through all this and get back here....
>>
>
> Wait until you spend 3 days waiting for an answer about Firefox
> which I accidentally asked in #VBox ..
>
> My forehead still bears the palm print and smarts!
> I think it was the 'ox' which blinded me for so long. ;-)
I will have to discuss this with Russ...
A quick 'solution' to proof of ownership COULD be achieved IF:
The CA has an ECDH cert signed with its signing cert.
The client uses this to create a shared secret to KMAC the CSR.
The devil is in the details and I have other fish to fry...