Re: [6lo] [Lake] SEC-DIR review of AP-ND:
Rene Struik <rstruik.ext@gmail.com> Mon, 03 February 2020 21:05 UTC
Return-Path: <rstruik.ext@gmail.com>
X-Original-To: 6lo@ietfa.amsl.com
Delivered-To: 6lo@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F3E9120CB1; Mon, 3 Feb 2020 13:05:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9EE_W1hGReue; Mon, 3 Feb 2020 13:05:27 -0800 (PST)
Received: from mail-qt1-x82a.google.com (mail-qt1-x82a.google.com [IPv6:2607:f8b0:4864:20::82a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F21F120CAF; Mon, 3 Feb 2020 13:05:27 -0800 (PST)
Received: by mail-qt1-x82a.google.com with SMTP id w47so12618826qtk.4; Mon, 03 Feb 2020 13:05:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:from:to:cc:references:message-id:date:user-agent :mime-version:in-reply-to:content-language; bh=3e1xb6lhKGg5QSV1i8bj/YtVo/i4UimVDhu3Zv+/Ndo=; b=dFP2/uWlqJfHZnYtll4Rp1u4IDO3GGA5Au2XFlDP42lDLkJiJR8JCL1bFfwW8tgcLT KGp9btGMaEXfKiyifeSRh/jnCCRdN8J1AElLyotpvCfSCJ4jJFp9TmOuH/J6WfaLPriI JAKyi4D7Kw0iEgHrWDJVJz2sPIw6u5B+wxmLbTR/o4X3vNELaA+eUM50ENZQDxUDjaXL UDevhlLYlGOV++v+lid/+fKYACqhPNAD3TFAHMczwMho3KfUD1eJOK23+NOW1hfpyfv+ 59wrhWgD7clR08SwzseeuxJURCsBR4s7dW92A8eicdfXix3c5OZsPj88a5eVGI2qBVCY fUxA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:from:to:cc:references:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=3e1xb6lhKGg5QSV1i8bj/YtVo/i4UimVDhu3Zv+/Ndo=; b=n8iaUqvQZtMldMOYiiOY1lVla272K8qRjKYLxUSXDeZz+8lJKiPKlCSqUVcOdc2+6G NuJAqerT8JHVeAfjQ30voNCHYzY0Dw3e23KpdVW+E4iwZTRzPOkwkrd+Ljy1PupI9WCj HZou3nV/ilaDA7K9xUKoRujRsTyVWMIoXaS6pdUWRZEwcmtGoT41okR4XJ4q1wmUike3 CymlXd8wJeFb2MD0sL0DbP58F7VNQZ99X9zPh+cXdfBRvjVtOG/vxv1JxnkWgvoDzf9U FzNXSAeK5iDQ5yy3UehFZ9qi4xHM3MFLUgqJMZhjJ/5KTHf1WbXru9RXUNxTYLnTALNR /Hhg==
X-Gm-Message-State: APjAAAXV6timJVdhiGolrOW01bi4MLAjhPvrLeRTRaRHZFWNJj3Gh93J xFi3PZx8iH8sMK9HgJ5mnFM=
X-Google-Smtp-Source: APXvYqxRlnYop0YcASKHSf02IhD2LOFv43YVKjlvOPxxvHxeD26hxgbQgoX7+cKL+6+vk/PrvcVWJg==
X-Received: by 2002:ac8:1635:: with SMTP id p50mr26177312qtj.13.1580763925963; Mon, 03 Feb 2020 13:05:25 -0800 (PST)
Received: from ?IPv6:2607:fea8:6a0:1a5a:7952:605f:9dd5:fa3f? ([2607:fea8:6a0:1a5a:7952:605f:9dd5:fa3f]) by smtp.gmail.com with ESMTPSA id o7sm9912356qkd.119.2020.02.03.13.05.24 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 03 Feb 2020 13:05:25 -0800 (PST)
From: Rene Struik <rstruik.ext@gmail.com>
To: Jim Schaad <ietf@augustcellars.com>, "'Pascal Thubert (pthubert)'" <pthubert@cisco.com>, draft-ietf-6lo-ap-nd@ietf.org
Cc: 6lo-chairs@ietf.org, "'Shwetha Bhandari (shwethab)'" <shwethab@cisco.com>, 'The IESG' <iesg@ietf.org>, 6lo@ietf.org, 'Benjamin Kaduk' <kaduk@mit.edu>
References: <MN2PR11MB3565A885E27E86C53205825BD8000@MN2PR11MB3565.namprd11.prod.outlook.com> <020301d5dabe$01c24d10$0546e730$@augustcellars.com> <d020a2b2-0fd6-b95d-dc1f-f16c143ab126@gmail.com>
Message-ID: <57e41325-e6fc-cdbd-8317-b1e10a008e2d@gmail.com>
Date: Mon, 03 Feb 2020 16:05:22 -0500
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.4.2
MIME-Version: 1.0
In-Reply-To: <d020a2b2-0fd6-b95d-dc1f-f16c143ab126@gmail.com>
Content-Type: multipart/alternative; boundary="------------5CCEC4722B0798A268357DEB"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/6lo/nAv7cCgdzsFC706PeTaQ-pAZNSY>
Subject: Re: [6lo] [Lake] SEC-DIR review of AP-ND:
X-BeenThere: 6lo@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Mailing list for the 6lo WG for Internet Area issues in IPv6 over constrained node networks." <6lo.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6lo>, <mailto:6lo-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/6lo/>
List-Post: <mailto:6lo@ietf.org>
List-Help: <mailto:6lo-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6lo>, <mailto:6lo-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Feb 2020 21:05:29 -0000
The second part of the sentence below (see ....) did not make it to my earlier email. My apologies. RS>> Reuse of the same public-private key pair with different signature schemes is not allowed. See also Security Considerations, Section 7.5. <<RS On 2/3/2020 3:46 PM, Rene Struik wrote: > Hi Jim: > > Just weighing-in on this: see below. > > Best regards, Rene > > On 2/3/2020 1:16 PM, Jim Schaad wrote: >> >> What is following is personal opinion (although I will admit to being >> one of the DEs on these registries): >> >> 1. I don’t think that you are going to be able to start doing >> compressed points easily in JOSE. It is a design philosophy >> that people really wanted at the time. There was extensive >> discussions about getting compressed points as well as how to >> expressed the point format. >> > RS>> I would be curious what this design philosophy was: if there is a > record of this, that would be great. It would be particularly > interesting to understand the reasoning as to why for Montgomery > curves and twisted Edwards curves compression is a must, while for > short Weierstrass curves this is forbidden... This is not just so with > JOSE, it is also in RFC 8152 (OKP vs. EC2 distinction). It seems to be > pretty random. <<RS >> >> 1. In my opinion, table 2 should not be referencing the Curve25519 >> in the last column. From my point of view when curves are >> expressed as using different coordinate systems then you need to >> be expressing these as different curves. An algorithm >> negotiation currently only needs to include the curve and not >> additionally include the point format. This needs to be >> maintained. I therefore believe that a new curve code point >> should be registered here. That is the only registration that I >> believe needs to be done in the JOSE registries. >> > RS>> Please note that the different crypto types in Table 2 refer to > complete specifications of signature schemes, including point > representation, bit/byte ordering, etc. Please note that curves > expressed in different coordinate systems are not really different: > only their representations are (unfortunately, this confusion is > caused by heavy marketing by some people in the past). The different > representations, not just of curve points, but also LSB/MSB and > lsb/msb ordering conventions, are already captured in Table 2. Since > different bit/byte ordering, even with the same curve, makes a > difference, representation conventions are the guiding metric, not > just different curve models. <<RS > >> 1. >> >> >> Note, I find section 7.5 to be missing a small piece of guidance that >> might be needed. If you use the “same” private key for both the >> Edwards and Weierstrass curve representations, is that a problem >> according to this guidance? >> > RS>> Reuse of the same public-private key pair with different > signature schemes is not allowed. See also Security Considerations, > Section 7.5. <<RS > >> Jim >> >> *From:* Lake <lake-bounces@ietf.org> *On Behalf Of *Pascal Thubert >> (pthubert) >> *Sent:* Monday, February 3, 2020 5:29 AM >> *To:* draft-ietf-6lo-ap-nd@ietf.org >> *Cc:* 6lo-chairs@ietf.org; Shwetha Bhandari (shwethab) >> <shwethab@cisco.com>; The IESG <iesg@ietf.org>; 6lo@ietf.org; >> lake@ietf.org; Benjamin Kaduk <kaduk@mit.edu> >> *Subject:* [Lake] SEC-DIR review of AP-ND: >> >> Dear all >> >> During SEC-DIR review, Benjamin pointed out: >> >> > Why do we need to allow ambiguity/flexibility as to the point >> representation >> >> > within a given Crypto-Type value (as opposed to fixing the >> representation as a >> >> > parameter of the Crypto-Type)? Alternately, what does "(un)compressed" >> >> > mean, as it's not really clarified directly? Furthermore, Table 2 >> lists an >> >> > "(un)compressed" representation for type 0 (over P-256), but RFC >> 7518 notes >> >> > that the compressed representation is not supported for P-256 (Section >> >> > 6.2.1.1). I also am not finding the needed codepoints registered >> in the JOSE >> >> > registries to use ECDSA25519 (crypto-type 2) -- do we need to register >> >> > anything there? >> >> Any idea how we can address this? >> >> In particular does anyone know why RFC 7518 does not support the >> compressed representation for P-256? Cc’ing LAKE on the impact of this >> >> Pascal >> > > -- > email:rstruik.ext@gmail.com | Skype: rstruik > cell: +1 (647) 867-5658 | US: +1 (415) 287-3867 -- email: rstruik.ext@gmail.com | Skype: rstruik cell: +1 (647) 867-5658 | US: +1 (415) 287-3867
- [6lo] SEC-DIR review of AP-ND: Pascal Thubert (pthubert)
- Re: [6lo] [Lake] SEC-DIR review of AP-ND: Jim Schaad
- Re: [6lo] [Lake] SEC-DIR review of AP-ND: Jim Schaad
- Re: [6lo] [Lake] SEC-DIR review of AP-ND: Rene Struik
- Re: [6lo] [Lake] SEC-DIR review of AP-ND: Rene Struik
- Re: [6lo] [Lake] SEC-DIR review of AP-ND: Jim Schaad
- Re: [6lo] [Lake] SEC-DIR review of AP-ND: Rene Struik