Closed Bug 340043 Opened 14 years ago Closed 3 years ago

Implement "fixed_ECDH" TLS client auth methods on client side

Categories

(NSS :: Libraries, enhancement, P4)

3.11.1
enhancement

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: nelson, Unassigned)

References

()

Details

RFC 4492 (ECC in TLS) defines 3 methods for client authentication.
NSS presently implements only the first one: ECDSA_sign 
which is most like the client auth method used with RSA certs.

This RFE asks for NSS to implement the other two, 
          ECDSA_fixed_ECDH      
          RSA_fixed_ECDH    
on the client side, so that an NSS client can use these methods with 
a server that requests them.
Priority: -- → P4
This is something that I hope to discuss at one of the upcoming NSS meetings. I am going to argue that Firefox should NOT implement support for fixed DH or fixed ECDH client certificates. Avoiding these cipher suites will enable some more bypass-mode-like optimizations that I'm considering for Firefox to solve a variety of issues affecting Firefox.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.