Hi Daniel,

> To actually ask a question, does OpenXPKI actually support ECC keys, or do
> only parts have limited support? I'm also fairly new to more complicated PKI
> so perhaps my understanding of it is not up to snuff and I'm missing
> something obvious.

OpenXPKI as a trustcenter software solution does support EC keys, as in that it can use and process certificates which use elliptic curves. (There are currently some technical limitations with regard to HSM support of CA EC keys, but this is a different story.)

As you mentioned, elliptic curve cryptography by itself cannot be directly used to encrypt data. The internal datapool encryption ultimately performs data encryption via the OpenSSL smime command, which does not support encryption via ECC. This is due to historical reasons - the cms command was not available in openssl when this code portion was written; we would have to refactor this to support ECC encryption with static DH parameters. We have plans to make the datapool encryption mechanism easier from a user perspective and manage it internally, possibly without a certificate, but this is low on our priority list.

Now, although I am a big fan of elliptic curves, I am less enthusiastic about EC encryption with static DH parameters. I am in favor of simply using the right (or let's say simpler) tool for this case, and this is an RSA key. So my suggestion is to simply use an RSA certificate for the datapool encryption certificate. Note that you can still have EC CA keys and also support EC end entity certificates for other use cases.

> P.S.: Are there plans to update the documentation? It's incredibly patchy,
> with some information seemingly missing from some locations, e.g. the
> quickstart doesn't mention anything about key encryption, but the realm
> configuration explains that the key must be encrypted, so I'm not sure which
> it is. There are TODOs in many areas as well, unfortunately in places where
> more detail would be useful.

Our team is committed to keeping the OpenXPKI Open Source code base current and adapting the Open Source documentation when necessary, but we have limited resources. Admittedly the Open Source documentation is surely not complete - OpenXPKI is a complex and highly configurable software, and a full documentation effort is a huge undertaking. However, please note that OpenXPKI is also available as an Enterprise Edition from White Rabbit Security GmbH, which comes with packaging for all major operating system platforms and also extensive documentation (currently over 160 pages). If you are considering using OpenXPKI in a professional environment, the Enterprise Edition might be a sensible choice over the Open Source variant.

Best regards,
Martin

_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
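The behaviour Martin describes (openssl smime cannot encrypt to an EC recipient, while openssl cms can via ECDH key agreement) can be checked locally. This is an added example, not code from the OpenXPKI project; it assumes a working openssl binary and generates throw-away self-signed RSA and P-256 certificates itself.

```shell
#!/bin/sh
# Compare `openssl smime` and `openssl cms` encryption against an RSA and
# an EC recipient certificate. All keys and certificates are constructed
# here in a temporary directory; nothing from a real OpenXPKI instance is used.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate one RSA-2048 and one P-256 self-signed certificate (1 day validity).
gen_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=datapool-rsa \
    -keyout "$WORK/rsa.key" -out "$WORK/rsa.crt" >/dev/null 2>&1 &&
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -days 1 -subj /CN=datapool-ec \
    -keyout "$WORK/ec.key" -out "$WORK/ec.crt" >/dev/null 2>&1
}

# Encrypt a constructed secret with $1 (smime|cms) to the $2 (rsa|ec)
# certificate, then decrypt it with the matching key. Exit status 0 means
# the plaintext survived the round trip; 1 means the tool refused or the
# decrypted output did not match.
roundtrip() {
  tool=$1; kt=$2
  printf 'datapool secret\n' > "$WORK/plain.txt"
  openssl "$tool" -encrypt -aes256 -outform PEM -in "$WORK/plain.txt" \
    -out "$WORK/enc.pem" "$WORK/$kt.crt" 2>/dev/null || { echo "$tool/$kt: encrypt refused"; return 1; }
  openssl "$tool" -decrypt -inform PEM -in "$WORK/enc.pem" \
    -inkey "$WORK/$kt.key" -recip "$WORK/$kt.crt" 2>/dev/null \
    | grep -q 'datapool secret' || { echo "$tool/$kt: decrypt mismatch"; return 1; }
  echo "$tool/$kt: ok"
}

gen_certs || { echo "certificate generation failed"; exit 1; }
for tool in smime cms; do
  for kt in rsa ec; do
    roundtrip "$tool" "$kt" || true   # keep going so all four cases are shown
  done
done
```

Expected outcome: smime/rsa, cms/rsa and cms/ec round-trip, while smime/ec is refused at the encrypt step, which is exactly why an RSA datapool certificate is the pragmatic choice with the current OpenXPKI code.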