ietf-smime

Re: DH keypair generation (was RE: S/MIME V3 Msg Spec Comments)

1997-11-10 11:18:15

David Kemp <dpkemp(_at_)missi(_dot_)ncsc(_dot_)mil> writes: (David P. Kemp)
  I'm not clear on what scenario you have in mind.  DH long-term public
keys can be certified to allow the sender to authenticate the recipient,
but do not allow the recipient to authenticate the sender; for that a
certified signature key is required.

Can you describe the protocol/usage mode that requires two *certified*
DH public keys per entity, in addition to the certified signature key?

Is this talking about certification requests which (must?) be
self-signed to prevent DoS attacks?

In that case if you have a DH cert the certificate request cannot be
signed by the DH key (because it is a key exchange only key).

So you need a pair of keys forming one certificate (a combo cert), one
a signing key (DSA or RSA) and the other the DH key.  Then the signing
key can sign both the DH key and the signing key.

Where are these combo certs described?  Are these combo certs what is
supposed to be used with SSLv3 DH certificates?

Are we also describing the scenario where there are two separate
certs, one signature cert (DSA/RSA) and one encryption only cert (DH)?
If so, how are DoS attacks prevented when the user sends the CA his
certificate request asking for the DH key to be certified?

Adam
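The "combo" request sketched above, written out as an added example (not code from the thread, and not any specified S/MIME or PKIX request format): the signing key signs over both its own public key and the DH public key, so the CA can check the request before doing any work, while the DH key itself never signs anything. Assumes the `cryptography` Python package; the 512-bit DH parameters and the ad-hoc request layout are toy choices for illustration.

```python
# Added illustration of the "signing key signs both keys" idea from the mail.
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import dh, padding, rsa

DER = serialization.Encoding.DER
SPKI = serialization.PublicFormat.SubjectPublicKeyInfo


def generate_keys():
    """One DH key-agreement key and one RSA signing key for the same entity."""
    params = dh.generate_parameters(generator=2, key_size=512)  # toy size only
    dh_priv = params.generate_private_key()
    sig_priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return dh_priv, sig_priv


def dh_key_can_sign(dh_priv) -> bool:
    """A DH private key has no sign() at all: it cannot self-sign a request."""
    return hasattr(dh_priv, "sign")


def build_combo_request(subject: bytes, dh_priv, sig_priv) -> dict:
    """Hypothetical request: subject + DH SPKI + signing SPKI, signed by the RSA key."""
    dh_spki = dh_priv.public_key().public_bytes(DER, SPKI)
    sig_spki = sig_priv.public_key().public_bytes(DER, SPKI)
    tbs = subject + dh_spki + sig_spki
    signature = sig_priv.sign(tbs, padding.PKCS1v15(), hashes.SHA256())
    return {"subject": subject, "dh_spki": dh_spki,
            "sig_spki": sig_spki, "signature": signature}


def verify_combo_request(req: dict) -> bool:
    """CA-side check: the embedded signing key must verify the whole request."""
    sig_pub = serialization.load_der_public_key(req["sig_spki"])
    if not hasattr(sig_pub, "verify"):
        return False  # a key-exchange-only key was offered as the signing key
    tbs = req["subject"] + req["dh_spki"] + req["sig_spki"]
    try:
        sig_pub.verify(req["signature"], tbs, padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature:
        return False
    return True


if __name__ == "__main__":
    dh_priv, sig_priv = generate_keys()
    req = build_combo_request(b"CN=alice", dh_priv, sig_priv)
    print("DH key can sign:", dh_key_can_sign(dh_priv))
    print("request verifies:", verify_combo_request(req))
```

This binds the DH key to a key whose holder has proven possession of the signing key; it does not by itself prove possession of the DH private key, which is the open question the message raises.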