18

Background

I've seen that Comodo has an elliptic curve root ("COMODO ECC Certification Authority"), but I don't see mention of EC certificates on their web site.

Does Certicom have intellectual property rights that prevent other issuers from offering EC certificates? Does a widely-used browser fail to support ECC? Is ECC a bad fit for traditional PKI use like web server authentication? Or is there just no demand for it?

I'm interested in switching to elliptic curve because of the NSA Suite B recommendation. But it doesn't seem practical for many applications.

Bounty Criteria

To claim the bounty, an answer must provide a link to a page or pages at a well-known CA's website that describes the ECC certificate options they offer, prices, and how to purchase one. In this context, "well-known" means that the proper root certificate must be included by default in Firefox 3.5 and IE 8. If multiple qualifying answers are provided (one can hope!), the one with the cheapest certificate from a ubiquitous CA will win the bounty. If that doesn't eliminate any ties (still hoping!), I'll have to choose an answer at my discretion.

Remember, someone always claims at least half of the bounty, so please give it a shot even if you don't have all the answers.

erickson
  • 291
  • 1
  • 3
  • 10
  • 1
    Also, ECC suffers from an extension of Shor's algorithm, so Quantum processors can break ECC (not as easily as RSA, but quickly enough to call it broken when Quantum processors get complex enough). There are currently 4-bit quantum processors (when they hit 1024-bit RSA is effectively worthless). There is no well analyzed replacement for RSA or ECC that is Quantum Processor safe. – Chris S Oct 08 '12 at 14:33
  • Maybe CAs were quietly trying to do us a favor by not offering EC certificates using curves with a [backdoor?](https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html#c1675929) – erickson Sep 17 '13 at 04:33
  • It's somewhat unlikely that ECC has a NSA Backdoor. [The last time the NSA put a backdoor in something it was pretty obvious](http://crypto.stackexchange.com/q/10189/1218). Recently people have questioned hardware based random number generators, citing a lack of entropy as defeating even the best algorithms. – Chris S Sep 17 '13 at 13:53
  • 1
    Just to bump this topic: youtube has elliptic curve certificate signed with google's CA (ANSI X9.62 elliptic curve prime256v1 (aka secp256r1, NIST P-256)). The cert itself is signed with RSA-SHA1. – Smit Johnth Nov 29 '13 at 21:50
  • From http://en.wikipedia.org/wiki/NTRU "Unlike RSA and Elliptic Curve Cryptography, NTRU is not known to be vulnerable to quantum computer based attacks" Invented in 1996, patent could be more than 17 years soon. NTRU is already in IEEE Std 1363.1 And yet people are still using RSA2K and discussing about moving to ECC, which, since 1989, is known to be faster. –  Dec 19 '13 at 16:20
  • Do any CAs supporting ECC support https://tools.ietf.org/html/rfc7027 (brainpool curves)? – Brian Minton Mar 05 '15 at 15:21

5 Answers5

6

As a quick update, today Cloudflare deployed a new certificate for its blog signed by Comodo and using ECC...I guess ECC's for the general public are coming soon.

https://blog.cloudflare.com/

And Verisign (now Symantec) offers ECC in its Secure Site Pro line of certs

Albert Casademont
  • 86
  • 1
  • 1
  • Thanks for the update Albert! Looks like we're finally there. Unfortunately, since Snowden, I'm not sure I trust the standardized EC curves! – erickson Mar 11 '14 at 17:39
  • 1
    Still shows an RSA modulus for me when I check the certificate (latest stable Firefox) – Luc Jun 03 '14 at 07:49
  • Yes, same here - I see RSA, not ECDSA. – Eric Mill Sep 03 '14 at 22:11
  • Cloudfare backed away from the ECC cert on blog.cludflare.com (temporary as they claim), but if you follow ssllabs dashboard you see [a few](https://www.ssllabs.com/ssltest/analyze.html?d=xyiff.com&s=104.28.16.52) hosting offerings (server: cloudflare-gninex) with Comodo ECC certificates. – eckes Nov 08 '14 at 12:08
6

I wanted to dig a little deeper into this, so I contacted the folks at Comodo who are responsible for their ECC CA. After a bit of back and forth, they told me that Comodo have been advised that they need a license from Certicom/RIM before they can issue ECC certs, and that they are currently in licensing discussions with them. They didn't give an ETA for having those discussions finalized, so who knows when you can actually buy a cert.

paulr
  • 2,083
  • 13
  • 11
5

Found this link at entrust that I found useful. http://www.entrust.net/ecc-certs/index.htm

Basically, NSA Suite B is not trusted globally (at the root level) and no CA currently (as of Oct 2012) offer SSL certificates that meet the standard. You can sign your own certificate but modern browsers will display a very discouraging warning to users. Typically NSA Suite B certificates are integrated into applications that connect directly to secure servers. Keep in mind there is a lak of support in the browsers for ECC. ECC is part of TLS 1.1 which is only supported in Chrome v22+ by default [ http://en.wikipedia.org/wiki/Transport_Layer_Security#Browser_implementations ]

will Farrell
  • 151
  • 1
  • 3
  • You can use ECC keys with all major browsers and servers (in fact the Schannel support on IIS is better than for RSA as it supports GCM with ECDSA). And you can still sign those with RSA, this is what Comodo does for example. (and IE and Chrome do propose NIST curves only, sadly). – eckes Nov 08 '14 at 12:10
  • 1
    ECC is not "part of" TLS1.1. It was defined as an option for 1.0, and remains so in 1.1 and 1.2. Implementation and use has grown over time *during the same time as* the newer protocols so you are *likely* to find ECC with >=1.1 but that is not a requirement. – dave_thompson_085 Nov 27 '14 at 05:24
5

They are issued now by Comodo as part of their PositiveSSL offering. I can't say they're advertising it too well, but living proof by math exists:

-----BEGIN CERTIFICATE-----
MIID0DCCA3WgAwIBAgIQTOFIoMgcOpPD5P72Ag+HhTAKBggqhkjOPQQDAjCBkDEL
MAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UE
BxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxNjA0BgNVBAMT
LUNPTU9ETyBFQ0MgRG9tYWluIFZhbGlkYXRpb24gU2VjdXJlIFNlcnZlciBDQTAe
Fw0xNDA2MTMwMDAwMDBaFw0xNTA2MTMyMzU5NTlaMFYxITAfBgNVBAsTGERvbWFp
biBDb250cm9sIFZhbGlkYXRlZDEUMBIGA1UECxMLUG9zaXRpdmVTU0wxGzAZBgNV
BAMTEnN3ZWV0dGhpbmdiaGFtLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
BBkPJg217SKOh9qK1s4TVKI+fjT+6GQZH+HxS1cmr58G2HRFIkh/pkPjlgOdYPEr
KFwpA3d55XQB9IGXQuBdhU2jggHoMIIB5DAfBgNVHSMEGDAWgBS7+gjgv1TuWv0W
pDUCCamkyOz9SzAdBgNVHQ4EFgQUs78vzYsx4z/l3ScGLz7cZPJrV5kwDgYDVR0P
AQH/BAQDAgWAMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
AQUFBwMCMFAGA1UdIARJMEcwOwYMKwYBBAGyMQECAQMEMCswKQYIKwYBBQUHAgEW
HWh0dHBzOi8vc2VjdXJlLmNvbW9kby5uZXQvQ1BTMAgGBmeBDAECATBUBgNVHR8E
TTBLMEmgR6BFhkNodHRwOi8vY3JsLmNvbW9kb2NhLmNvbS9DT01PRE9FQ0NEb21h
aW5WYWxpZGF0aW9uU2VjdXJlU2VydmVyQ0EuY3JsMIGFBggrBgEFBQcBAQR5MHcw
TwYIKwYBBQUHMAKGQ2h0dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NPTU9ET0VDQ0Rv
bWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQS5jcnQwJAYIKwYBBQUHMAGGGGh0
dHA6Ly9vY3NwLmNvbW9kb2NhLmNvbTA1BgNVHREELjAsghJzd2VldHRoaW5nYmhh
bS5jb22CFnd3dy5zd2VldHRoaW5nYmhhbS5jb20wCgYIKoZIzj0EAwIDSQAwRgIh
AJiXW3RVr/VrvRa3LwRjLYTKKTdFOMXsc/4ySeci/9tgAiEA7IDbRVOLxQ8cPEGs
rsp6KCSt/Dzu+H6n7DsgC2xxkHw=
-----END CERTIFICATE-----
StackExchange User
  • 246
  • 2
  • 11
3

I dont believe Certicom are preventing use of eliptical curve the MS2008 Certificate Authority offers Suite B. Im sure therefore the latest version of windows clients in 7 support its use. I'm going to go and have a look, it will be the MS cryptographic subsytem that would need to support it (CryptoAPI) and this has a plugin CSP architecture which would allow it to support it quite easily.

The following is taken from the entrust documentation on the topic:-

All the major CA software products support ECDSA, both for certificate and CRL signing and for end-user public keys. So, for applications that only require authentication and digital signatures, it should not be difficult to source a suitable CA product. The slower pace of standardization for ECC-based key agreement adds some uncertainty for applications that also require encryption. However, the major CA software suppliers all have advanced plans to support ECDH keys in end- user certificates. So, planning in this area carries only minor risk. Implementation, on the other hand, must await realization of these plans in shipping products

ECC requires less computational power than RSA and is therefore useful for embedded systems such as smartcards and for devices with less powerful processors such as wireless routers. It could be useful for web servers as it would require less processing by the web server to support TLS key exchange operations with obvious benefits for supporting high amounts of secure traffic. I think these factors will drive demand and also there will be high demand from the Government sector, around the world, which pay close attention NIST. This will also help push the technology as vendors seek to sell into this sector.

Mark Sutton
http://www.blacktipconsulting.com

Mark Sutton
  • 636
  • 5
  • 7
  • Windows 7, vista sp1 and 2008 support suite http://technet.microsoft.com/en-us/library/dd566200%28WS.10%29.aspx – Mark Sutton Dec 05 '09 at 10:10
  • Thanks for your input, Mark. I've found library support for ECC to be pretty good (including key agreement), and have used it successfully in internal applications where we can use certificates we "issue" ourselves. But I haven't been able to find a CA ready to sell me an ECDSA certificate for public use. – erickson Dec 06 '09 at 06:10
  • Mark, I updated my question to emphasize what I'm looking for. Your answer provides some useful information around the issue, but the key question is, "Where can I get a certificate?" – erickson Dec 18 '09 at 16:19