<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style></head><body lang=EN-US link=blue vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><span style='font-size:12.0pt'>David,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'>Thank you! That’s a great answer. It looks like OpenSSL does support CRMF? Would you or somebody else have an example of how to work with CRMF (to create it, and to process/sign it)?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'>Do you happen to know if CRMF is accepted by the “big players” in the CA field? <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:12.0pt'>Thank you again!</span></b><span style='font-size:12.0pt'><o:p></o:p></span></p><div><div><p class=MsoNormal><span style='color:black'>--<o:p></o:p></span></p><p class=MsoNormal><span style='color:black'>V/R,<o:p></o:p></span></p><p class=MsoNormal><span style='color:black'>Uri<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><i><o:p> </o:p></i></p><p class=MsoNormal><i><span style='color:black'>There are two ways to design a system. One is to make it so simple there are obviously no deficiencies.</span></i><span style='font-size:12.0pt;color:black'><o:p></o:p></span></p><p class=MsoNormal><i><span style='color:black'>The other is to make it so complex there are no obvious deficiencies.</span></i><span style='font-size:12.0pt;color:black'><o:p></o:p></span></p><p class=MsoNormal><i><span style='color:black'> - C. A. R. Hoare</span></i><span style='font-size:12.0pt;color:black'><o:p></o:p></span></p></div></div><p class=MsoNormal><span style='font-size:12.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt'><o:p> </o:p></span></p><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='margin-left:.5in'><b><span style='font-size:12.0pt;color:black'>From: </span></b><span style='font-size:12.0pt;color:black'>David von Oheimb <it@von-Oheimb.de><br><b>Date: </b>Monday, October 3, 2022 at 15:13<br><b>To: </b>Uri Blumenthal <uri@ll.mit.edu>, openssl-users <openssl-users@openssl.org><br><b>Subject: </b>Re: Q: creating CSR for encryption-only cert?<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:.5in'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:.5in'><span style='font-size:7.5pt;font-family:"Arial",sans-serif'>Requesting a cert in a CSR for a key pair that cannot be used for signing is indeed impossible in</span><span style='font-family:"Arial",sans-serif'> the widely used PKCS#10 format <br>(except if one break sthe PKCS#10 requirement of a self-signature, e.g., by applying a dummy signature). <br><br>A viable solution is to use a different CSR format, such as CRMF. <br>This format is the preferred one by CMP and CMC (while they also support PKCS#10) because it is much more flexible. <br>CRMF does not strictly require to provide a proof-of-possession (PoP), and it offeres also indirect ways of doing a PoP. <br>For instance, for encryption keys the new cert can be returned by the CA in encrypted form (using the new public key) to the EE, <br>and the EE will only be able to make use of the cert if it is able to decrypt it, which proves possession of the private key. <br><br>David <br><br><br>On Mon, 2022-10-03 at 15:11 +0000, Blumenthal, Uri - 0553 - MITLL wrote: <o:p></o:p></span></p><blockquote><p class=MsoNormal style='margin-left:.5in'><span style='font-family:"Arial",sans-serif'>> TLDR; <br>> Need to create a CSR for a key pair whose algorithm does not allow <br>> signing (either because it’s something like Kyber, or because <br>> restriction enforced by HSM). How to do it? <br>> <br>> There are several use cases that require certifying long-term <br>> asymmetric keys that are only capable of encryption/decryption – but <br>> not signing/verification. That could be either because the algorithm <br>> itself does not do signing, or because the private key is generated <br>> and kept in a secure hardware that enforces usage restriction. <br>> <br>> CSR is supposed to be signed by the corresponding private key to <br>> prove possession. Obviously, it cannot be done with a key such as <br>> described above. How is this problem addressed in the real world? <br>> With AuthKEM and KEMTLS, how would these protocols get their <br>> certificates? <br>> <br>> Thanks! <br>> -- <br>> V/R, <br>> Uri Blumenthal Voice: (781) 981-1638 <br>> Secure Resilient Systems and Technologies Cell: (339) 223-5363 <br>> MIT Lincoln Laboratory <br>> 244 Wood Street, Lexington, MA 02420-9108 <br>> <br>> Web: <a href="https://www.ll.mit.edu/biographies/uri-blumenthal">https://www.ll.mit.edu/biographies/uri-blumenthal</a> <br>> Root CA: <a href="https://www.ll.mit.edu/llrca2.pem">https://www.ll.mit.edu/llrca2.pem</a> <br>> <o:p></o:p></span></p></blockquote></div></div></body></html>