App Transport Security - Elliptic-Curve (ECC) - which certificate authority?

--------------------------------------------------------

From App Transport Security requirements:

TLS requires at least version 1.2.

Connection ciphers are limited to those that provide forward secrecy (see below for the list of ciphers.)

The service requires a certificate using at least a SHA256 fingerprint with either a 2048-bit or greater RSA key, or a 256-bit or greater Elliptic-Curve (ECC) key.

Invalid certificates result in a hard failure and no connection.

--------------------------------------------------------

Performance is most important for our App. It is on the App Store and we need to update the server according to the new App Transport Security requirements.


The server I am using (Golang) supports

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

which is in the accepted ciphers list.


With ECDSA I can get the same level of security as RSA but with smaller keys, so if I am using an Elliptic-Curve (ECC) key I can get better server speed.


Now the question is: what trusted certificate authority can I purchase such a certificate from?

Which is most affordable?

I also got this contradictory information:

http://www.symantec.com/content/en/us/enterprise/white_papers/b-wp_ecc.pdf

p. 22:


90K Get with 68% Reuse on Mobile

The mobile tests have a dependency on the mobile/wireless provider (AT&T LTE) network and that is a variant and therefore numbers captured here are likely to change on subsequent tests. We had run these tests a multitude of times and a general trend was observed in that RSA beats ECC and this was confirmed by the response time numbers clocked on the mobile device. That is emphasized through the inclusion of the following graphs.

From these, we do see the effect of the vagaries of LTE traffic but a pattern is observed in which RSA (both RSA-2048 and RSA-3072) outperforms ECC-256. This can be attributed to the effect of the public-key cryptographic operations that are more intensive on the client for ECC-256.

These data are two years old, and it would be good to know what the numbers are for iOS 9.
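As an added example (not code from the post, from Apple, or from the Symantec paper), this is how a standard-library Go server can be configured to the quoted ATS requirements with a 256-bit ECDSA key, and how to check offline what a TLS 1.2-only client (as iOS 9 is) actually negotiates against it. The self-signed certificate, the host name example.invalid and the in-memory pipe are constructed test fixtures; a deployed server would load a CA-issued certificate in their place.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// ATSCipherSuites lists forward-secrecy (ECDHE) suites usable with an ECDSA key; it includes
// TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, the suite named in the question.
var ATSCipherSuites = []uint16{
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
}
// Handshake runs an ATS-style server (TLS 1.2 minimum, ECDHE only, P-256 key, SHA-256 signature,
// self-signed throwaway certificate as constructed test data) against a TLS 1.2-only client over
// an in-memory pipe and returns the client's negotiated connection state.
func Handshake() (tls.ConnectionState, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // 256-bit ECC key
	if err != nil {
		return tls.ConnectionState{}, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"example.invalid"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		SignatureAlgorithm: x509.ECDSAWithSHA256}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.ConnectionState{}, err
	}
	leaf, err := x509.ParseCertificate(der) // the test client trusts exactly this leaf
	if err != nil {
		return tls.ConnectionState{}, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	srvCfg := &tls.Config{MinVersion: tls.VersionTLS12, CipherSuites: ATSCipherSuites,
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
	c, s := net.Pipe()
	go tls.Server(s, srvCfg).Handshake()
	cli := tls.Client(c, &tls.Config{RootCAs: pool, ServerName: "example.invalid",
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12})
	if err := cli.Handshake(); err != nil {
		return tls.ConnectionState{}, err
	}
	return cli.ConnectionState(), nil
}
```

The returned state carries the negotiated version, the chosen suite and the server's leaf certificate, so the same function can be reused as a unit test that fails the build if a config change drops below the ATS bar.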

Now the question is: what trusted certificate authority can I purchase such a certificate from?

AppleCare publish a list of trusted root certificates for each OS we ship. I don't think the iOS 9 one is out yet (which makes sense given that iOS 9 is not yet released) but the iOS 8 one is available here and my experience is that the list does not change radically from release to release.

I can't make specific recommendations as to which of these CAs best meets your requirements; perhaps some other folks, with more experience in this area, will chime in.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"