ECDH Certificate Signing

Çağlar Arlı

Is there a recommended RFC standard way to sign an ECDH certificate?

Given that the ECDH Private Key is not intended for digitalSignatures it seems wrong to sign a CSR with its own Private Key.

It would seem logical that another trusted certificate/key should be used, such as an ECDSA certificate, and then both the ECDSA Certificate, and the signed CSR would then be sent to the CA for validation and signing. The CA would have to thereby make an assumption that the requestor had the private ECDH key.

But I can't see that PKCS#10 can support this format, so is there a standard mechanism for this?

I can see that the CA could generate an ECDHE challenge for the client and then the client could prove that it has the private key, but this is more of a protocol function than a traditional method for generating CSRs.
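
The challenge idea in the last paragraph, sketched as an added example that is not part of the original post: the CA sends an ephemeral ECDH public key and a nonce, and the requester returns a MAC keyed from the shared secret, which only the holder of the static private key can compute. Function names, the `ecdh-pop-demo` label and the message layout are hypothetical and do not represent a standardized wire format.

```javascript
// Added example: challenge-response proof of possession for a static ECDH key.
// Names and message layout are hypothetical, chosen for illustration only.
const crypto = require('node:crypto');
const CURVE = 'prime256v1';

// MAC over both public keys, keyed from the ECDH shared secret and the CA nonce.
function popTag(ecdh, peerPub, nonce, clientPub, caEphPub) {
  const z = ecdh.computeSecret(peerPub); // throws on an invalid curve point
  const key = Buffer.from(crypto.hkdfSync('sha256', z, nonce, 'ecdh-pop-demo', 32));
  return crypto.createHmac('sha256', key)
    .update(Buffer.concat([clientPub, caEphPub])).digest();
}

// CA side: fresh ephemeral key pair and nonce for each certificate request.
function caChallenge() {
  const eph = crypto.createECDH(CURVE);
  const caEphPub = eph.generateKeys();
  return { eph, caEphPub, nonce: crypto.randomBytes(16) };
}

// Client side: answer with the private half of the key being certified.
function clientRespond(clientEcdh, ch) {
  return popTag(clientEcdh, ch.caEphPub, ch.nonce, clientEcdh.getPublicKey(), ch.caEphPub);
}

// CA side: recompute the tag from its ephemeral private key and the claimed public key.
function caVerify(state, claimedPub, tag) {
  try {
    const want = popTag(state.eph, claimedPub, state.nonce, claimedPub, state.caEphPub);
    return tag.length === want.length && crypto.timingSafeEqual(tag, want);
  } catch (e) {
    return false; // malformed public key in the request
  }
}

function demo() {
  const client = crypto.createECDH(CURVE); client.generateKeys();
  const impostor = crypto.createECDH(CURVE); impostor.generateKeys();
  const st = caChallenge();
  const wire = { caEphPub: st.caEphPub, nonce: st.nonce }; // what the CA sends
  const pub = client.getPublicKey();
  // The impostor claims the client's public key but only holds its own private key.
  const forged = popTag(impostor, wire.caEphPub, wire.nonce, pub, wire.caEphPub);
  return { honest: caVerify(st, pub, clientRespond(client, wire)),
           stolenPub: caVerify(st, pub, forged) };
}
console.log(demo());
```
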