[RFC] self-signed certificates for LuCI

Michael Richardson mcr at sandelman.ca
Mon Aug 31 14:34:20 EDT 2020


Stijn Tintel <stijn at linux-ipv6.be> wrote:
    >> The question came up if we really want RSA certificates for LuCI or if
    >> the faster and "more modern" ECC P-256 wouldn't be a better choice.
    >>
    >> If px5g is added to the next release, certificates are generated on
    >> first boot and most users are unlikely to manually recreate RSA ones,
    >> not?
    >>
    >> So the question, shouldn't we drop all crypto options from the new
    >> px5g implementation and _only_ offer P-256? Whoever wants something
    >> else than the default may use px5g-mbedtls or some OpenSSL based tool?

    > I'm no expert, but I recently came across this article:
    > https://gravitational.com/blog/comparing-ssh-keys/
    > While it is about SSH keys, it talks mostly about algorithms used, and
    > the article suggests using either RSA or Ed25519, not DSA or ECDSA.

Yes, both DSA and some forms of ECDSA require a good random number.
If the random number can be predicted, then an observer can actually derive
the *private* key from the signature!  Scared the pants off me when I learnt
this 20 years ago.

There are ways to use ECDSA where the number input is derived in a way that
is not subject to this attack, and most libraries do that now.
DSA/DSS has all sorts of other stupid things that make it way worse than RSA
(despite what the GNUPG team said for a few years a decade ago)

    > Additionally, https://safecurves.cr.yp.to/ claims neither P-256 nor
    > P-384 are safe.

Bernstein has maintained for sometime that the NIST/Certicom curves were
derived in a specific way that permitted some secret factorization.

I understand his concern, and given the choice, I would use EdDSA in new work rather than ECDSA.
But, browsers do not support EdDSA well yet, so ECDSA it is for now.
However, to date (despite Snowden) only the NSA knows what they did to
P256/P384, if they did anything.  I would suspect that if they can do
something, it's not that cheap, and they can't undo all communication
magically. (Like in the movie _Sneakers_)

    > Based on this information, I would NAK this. Unless an expert proves me
    > wrong.

I would NAK on _only_ P256.  I am fine with P-256 by default.
I see no reason to support RSA.
I would always want a second curve deployed, and for that I'd pick one of
the brainpool curves: will browsers support them, I have no idea.
EdDSA is really a different algorithm, and browsers do not support them yet.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr at sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 487 bytes
Desc: not available
URL: <http://lists.openwrt.org/pipermail/openwrt-devel/attachments/20200831/408eb58f/attachment.sig>


More information about the openwrt-devel mailing list