Does CCF support RSA for user keys and certs? #2184
The CCF documentation page (https://microsoft.github.io/CCF/main/overview/cryptography.html?highlight=cryptography) seems to suggest that user keys must be ECDSA on curve P-256 or P-384. We are deploying CCF in an application where the end users are institutions that would like to use existing 3072-bit RSA keys. Basically, users would like to be identified via long-established certs trusted by others rather than create a new one just for CCF. If CCF does not support RSA for user keys, our app will have to implement a participant registry with established keys that others trust. Each end user will then have an additional CCF user key just to talk to CCF, but not useful otherwise in the global context of the application.
Replies: 1 comment 1 reply
That's right, CCF supports only secp384/secp256 at this time. We are not currently planning to add RSA, but I'd be happy to review a pull request, if you submit one. It would likely require a few changes/additions to our `KeyPair` and `PublicKey` classes and enabling the compile-time macro `NO_STRICT_TLS_CIPHERSUITES`. I'm currently adding support for OpenSSL, which also required a little bit of refactoring of those classes (see #2123), which might make this a bit easier too.
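An added example, not part of the thread and not CCF code: a standard-library pre-flight check that reads an X.509 certificate (PEM or DER) and reports whether its public key is one of the two curves the reply above says CCF accepts. The function names (`tlv`, `children`, `check_user_cert`) are hypothetical, and the accepted set is taken only from the statement in this thread.

```python
import base64, re

# DER content bytes of the OIDs relevant to this thread.
OID_EC = bytes.fromhex("2a8648ce3d0201")        # id-ecPublicKey
OID_RSA = bytes.fromhex("2a864886f70d010101")   # rsaEncryption
# Assumption from the reply above: only these two curves are accepted.
CURVES = {bytes.fromhex("2a8648ce3d030107"): "secp256r1",
          bytes.fromhex("2b81040022"): "secp384r1"}

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def check_user_cert(cert):
    """Return (accepted, description) for PEM or DER certificate bytes."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END", cert, re.S)
    der = base64.b64decode(m.group(1)) if m else cert
    _, body, _ = tlv(der, 0)                    # Certificate SEQUENCE
    tbs = children(children(body)[0][1])        # tbsCertificate fields
    if tbs[0][0] == 0xA0:                       # optional [0] version (absent in v1)
        tbs = tbs[1:]
    # Remaining order: serial, sigAlg, issuer, validity, subject, SPKI
    alg = children(children(tbs[5][1])[0][1])   # SPKI AlgorithmIdentifier
    oid = alg[0][1]
    if oid == OID_RSA:
        return False, "RSA"
    if oid == OID_EC and len(alg) > 1 and alg[1][0] == 0x06:
        name = CURVES.get(alg[1][1])
        return name is not None, "EC " + (name or "unsupported curve")
    return False, "unknown key algorithm"

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, check_user_cert(open(path, "rb").read()))
```

Run it over the certificates the institutions already hold to see which ones would need a separate CCF user key; it inspects only the key algorithm and does not validate signatures or chains.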