Uploaded image for project: 'EJBCA'
  1. EJBCA
  2. ECA-8800

Improve usability when selecting crypto tokens/algorithms on CA

    Details

      Description

      The current method for picking crypto token/signing algorithm looks like this: 

      1. Pick your signing algorithm
      2. Pick your crypto token from the list available according to signing algorithm
      3. Hope for the best

      This puts the cart before the horse, as it requires an understanding of what signature methods that can be applied to a crypto token. Users get confused if they've made the wrong selection, as their crypto token doesn't even show up on the list. Especially SSH CA's are highly restricted on what signing algorithms can be used for certain keys. 

      Improved method

      1. Pick the crypto token first. Next to the name should be a quick description of what's in that crypto token. The key encrypt key may not be EC, so should not even turn up as a choice. This should be explained in a permanent help text. This should in a next step be solved to that the key encrypt key can't even be created as EC on the crypto token page. 
      2. Pick the signing algorithm, based on which are applicable to the signing key. Again, the reason why the list is pruned should be explained in a help text. 

      Old Ticket Description

      There is a pending errata for RFC5480 that will say that EC keys ca not have keyEncryption
      https://mailarchive.ietf.org/arch/msg/spasm/ZdJn5ZmSK2IfB_fvgP_gmKoz5YE
      It is easy to make a mistake in EJBCA today. Bastian Fredriksson 's configuration checker warns about it, but the feature is experimental and not enabled by default.
      A couple of options:
      
      Add WARN log row when issuing such a certificate
      forbid completely issuing such a certificate (dangerous, you bet someone needs it)
      Enable configuration checker with this specific check by default, so every one will get these warnings after upgrading
      
      Perhaps I favor option 3 most, as that re-uses existing functionality. It would also start broad usage of this awesome feature, moving it out of experimental state.

       

       

       

        Attachments

        1. Screenshot 2020-05-29 at 11.26.02.png
          541 kB
          Mike Agrenius Kushner
        2. Screenshot 2020-05-29 at 11.26.02-1.png
          541 kB
          Mike Agrenius Kushner

          Activity

            People

            Assignee:
            sekano Serkan Ongan
            Reporter:
            mikek Mike Agrenius Kushner
            Verified by:
            Jekaterina Bunina
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: