Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Investigate TLS 1.3 changes for issued certificates #884

Open
iadgovuser59 opened this issue Nov 20, 2024 · 0 comments
Open

Investigate TLS 1.3 changes for issued certificates #884

iadgovuser59 opened this issue Nov 20, 2024 · 0 comments
Assignees
@iadgovuser59
Labels
enhancement New feature or request

Comments

@iadgovuser59
Copy link
Collaborator

To support TLS 1.3 for ACA-issued certificates (LDevID and AK), the following would need to be considered:

  • Signature schemes. TLS 1.3 supports ECDSA, RSA-PSS, and EdDSA for end-entity certificates according to RFC 8446. Currently, RSA PKCS#1 v1.5 (via SHA256WithRSA) is being used when signing issued certificates, which is deprecated for CertificateVerify use in 1.3.
  • Key usage. The key usage may need to be digitalSignature only for TLS 1.3, vs. current use of digitalSignature and keyEncipherment, per the specification "TPM 2.0 Keys for Device Identity and Attestation".
  • Other. The rest of the CA chain should also be considered; that is, it should also use one of the above compatible signature schemes for TLS 1.3.
@iadgovuser59 iadgovuser59 added the enhancement New feature or request label Nov 20, 2024
@iadgovuser59 iadgovuser59 self-assigned this Nov 20, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@iadgovuser59 iadgovuser59

Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@iadgovuser59