IETF Logo Mail Archive

Re: [6lo] [Lake] SEC-DIR review of AP-ND:

Rene Struik <rstruik.ext@gmail.com> Mon, 03 February 2020 21:05 UTC

Return-Path: <rstruik.ext@gmail.com>
X-Original-To: 6lo@ietfa.amsl.com
Delivered-To: 6lo@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F3E9120CB1; Mon, 3 Feb 2020 13:05:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9EE_W1hGReue; Mon, 3 Feb 2020 13:05:27 -0800 (PST)
Received: from mail-qt1-x82a.google.com (mail-qt1-x82a.google.com [IPv6:2607:f8b0:4864:20::82a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F21F120CAF; Mon, 3 Feb 2020 13:05:27 -0800 (PST)
Received: by mail-qt1-x82a.google.com with SMTP id w47so12618826qtk.4; Mon, 03 Feb 2020 13:05:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:from:to:cc:references:message-id:date:user-agent :mime-version:in-reply-to:content-language; bh=3e1xb6lhKGg5QSV1i8bj/YtVo/i4UimVDhu3Zv+/Ndo=; b=dFP2/uWlqJfHZnYtll4Rp1u4IDO3GGA5Au2XFlDP42lDLkJiJR8JCL1bFfwW8tgcLT KGp9btGMaEXfKiyifeSRh/jnCCRdN8J1AElLyotpvCfSCJ4jJFp9TmOuH/J6WfaLPriI JAKyi4D7Kw0iEgHrWDJVJz2sPIw6u5B+wxmLbTR/o4X3vNELaA+eUM50ENZQDxUDjaXL UDevhlLYlGOV++v+lid/+fKYACqhPNAD3TFAHMczwMho3KfUD1eJOK23+NOW1hfpyfv+ 59wrhWgD7clR08SwzseeuxJURCsBR4s7dW92A8eicdfXix3c5OZsPj88a5eVGI2qBVCY fUxA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:from:to:cc:references:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=3e1xb6lhKGg5QSV1i8bj/YtVo/i4UimVDhu3Zv+/Ndo=; b=n8iaUqvQZtMldMOYiiOY1lVla272K8qRjKYLxUSXDeZz+8lJKiPKlCSqUVcOdc2+6G NuJAqerT8JHVeAfjQ30voNCHYzY0Dw3e23KpdVW+E4iwZTRzPOkwkrd+Ljy1PupI9WCj HZou3nV/ilaDA7K9xUKoRujRsTyVWMIoXaS6pdUWRZEwcmtGoT41okR4XJ4q1wmUike3 CymlXd8wJeFb2MD0sL0DbP58F7VNQZ99X9zPh+cXdfBRvjVtOG/vxv1JxnkWgvoDzf9U FzNXSAeK5iDQ5yy3UehFZ9qi4xHM3MFLUgqJMZhjJ/5KTHf1WbXru9RXUNxTYLnTALNR /Hhg==
X-Gm-Message-State: APjAAAXV6timJVdhiGolrOW01bi4MLAjhPvrLeRTRaRHZFWNJj3Gh93J xFi3PZx8iH8sMK9HgJ5mnFM=
X-Google-Smtp-Source: APXvYqxRlnYop0YcASKHSf02IhD2LOFv43YVKjlvOPxxvHxeD26hxgbQgoX7+cKL+6+vk/PrvcVWJg==
X-Received: by 2002:ac8:1635:: with SMTP id p50mr26177312qtj.13.1580763925963; Mon, 03 Feb 2020 13:05:25 -0800 (PST)
Received: from ?IPv6:2607:fea8:6a0:1a5a:7952:605f:9dd5:fa3f? ([2607:fea8:6a0:1a5a:7952:605f:9dd5:fa3f]) by smtp.gmail.com with ESMTPSA id o7sm9912356qkd.119.2020.02.03.13.05.24 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 03 Feb 2020 13:05:25 -0800 (PST)
From: Rene Struik <rstruik.ext@gmail.com>
To: Jim Schaad <ietf@augustcellars.com>, "'Pascal Thubert (pthubert)'" <pthubert@cisco.com>, draft-ietf-6lo-ap-nd@ietf.org
Cc: 6lo-chairs@ietf.org, "'Shwetha Bhandari (shwethab)'" <shwethab@cisco.com>, 'The IESG' <iesg@ietf.org>, 6lo@ietf.org, 'Benjamin Kaduk' <kaduk@mit.edu>
References: <MN2PR11MB3565A885E27E86C53205825BD8000@MN2PR11MB3565.namprd11.prod.outlook.com> <020301d5dabe$01c24d10$0546e730$@augustcellars.com> <d020a2b2-0fd6-b95d-dc1f-f16c143ab126@gmail.com>
Message-ID: <57e41325-e6fc-cdbd-8317-b1e10a008e2d@gmail.com>
Date: Mon, 03 Feb 2020 16:05:22 -0500
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.4.2
MIME-Version: 1.0
In-Reply-To: <d020a2b2-0fd6-b95d-dc1f-f16c143ab126@gmail.com>
Content-Type: multipart/alternative; boundary="------------5CCEC4722B0798A268357DEB"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/6lo/nAv7cCgdzsFC706PeTaQ-pAZNSY>
Subject: Re: [6lo] [Lake] SEC-DIR review of AP-ND:
X-BeenThere: 6lo@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Mailing list for the 6lo WG for Internet Area issues in IPv6 over constrained node networks." <6lo.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6lo>, <mailto:6lo-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/6lo/>
List-Post: <mailto:6lo@ietf.org>
List-Help: <mailto:6lo-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6lo>, <mailto:6lo-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Feb 2020 21:05:29 -0000

The second part of the sentence below (see ....) did not make it to my 
earlier email. My apologies.

RS>> Reuse of the same public-private key pair with different signature 
schemes is not allowed.  See also Security Considerations, Section 7.5. <<RS

On 2/3/2020 3:46 PM, Rene Struik wrote:
> Hi Jim:
>
> Just weighing-in on this: see below.
>
> Best regards, Rene
>
> On 2/3/2020 1:16 PM, Jim Schaad wrote:
>>
>> What is following is personal opinion (although I will admit to being 
>> one of the DEs on these registries):
>>
>>  1. I don’t think that you are going to be able to start doing
>>     compressed points easily in JOSE.   It is a design philosophy
>>     that people really wanted at the time.  There was extensive
>>     discussions about getting compressed points as well as how to
>>     expressed the point format.
>>
> RS>> I would be curious what this design philosophy was: if there is a 
> record of this, that would be great. It would be particularly 
> interesting to understand the reasoning as to why for Montgomery 
> curves and twisted Edwards curves compression is a must, while for 
> short Weierstrass curves this is forbidden... This is not just so with 
> JOSE, it is also in RFC 8152 (OKP vs. EC2 distinction). It seems to be 
> pretty random. <<RS
>>
>>  1. In my opinion, table 2 should not be referencing the Curve25519
>>     in the last column.  From my point of view when curves are
>>     expressed as using different coordinate systems then you need to
>>     be expressing these as different curves.  An algorithm
>>     negotiation currently only needs to include the curve and not
>>     additionally include the point format.  This needs to be
>>     maintained.  I therefore believe that a new curve code point
>>     should be registered here.  That is the only registration that I
>>     believe needs to be done in the JOSE registries.
>>
> RS>> Please note that the different crypto types in Table 2 refer to 
> complete specifications of signature schemes, including point 
> representation, bit/byte ordering, etc. Please note that curves 
> expressed in different coordinate systems are not really different: 
> only their representations are (unfortunately, this confusion is 
> caused by heavy marketing by some people in the past). The different 
> representations, not just of curve points, but also LSB/MSB and 
> lsb/msb ordering conventions, are already captured in Table 2.  Since 
> different bit/byte ordering, even with the same curve, makes a 
> difference, representation conventions are the guiding metric, not 
> just different curve models. <<RS
>
>> 1.
>>
>>
>> Note, I find section 7.5 to be missing a small piece of guidance that 
>> might be needed.  If you use the “same” private key for both the 
>> Edwards and Weierstrass curve representations, is that a problem 
>> according to this guidance?
>>
> RS>> Reuse of the same public-private key pair with different 
> signature schemes is not allowed.  See also Security Considerations, 
> Section 7.5. <<RS
>
>> Jim
>>
>> *From:* Lake <lake-bounces@ietf.org> *On Behalf Of *Pascal Thubert 
>> (pthubert)
>> *Sent:* Monday, February 3, 2020 5:29 AM
>> *To:* draft-ietf-6lo-ap-nd@ietf.org
>> *Cc:* 6lo-chairs@ietf.org; Shwetha Bhandari (shwethab) 
>> <shwethab@cisco.com>; The IESG <iesg@ietf.org>; 6lo@ietf.org; 
>> lake@ietf.org; Benjamin Kaduk <kaduk@mit.edu>
>> *Subject:* [Lake] SEC-DIR review of AP-ND:
>>
>> Dear all
>>
>> During SEC-DIR review, Benjamin pointed out:
>>
>> > Why do we need to allow ambiguity/flexibility as to the point 
>> representation
>>
>> > within a given Crypto-Type value (as opposed to fixing the 
>> representation as a
>>
>> > parameter of the Crypto-Type)? Alternately, what does "(un)compressed"
>>
>> > mean, as it's not really clarified directly?  Furthermore, Table 2 
>> lists an
>>
>> > "(un)compressed" representation for type 0 (over P-256), but RFC 
>> 7518 notes
>>
>> > that the compressed representation is not supported for P-256 (Section
>>
>> > 6.2.1.1).  I also am not finding the needed codepoints registered 
>> in the JOSE
>>
>> > registries to use ECDSA25519 (crypto-type 2) -- do we need to register
>>
>> > anything there?
>>
>> Any idea how we can address this?
>>
>> In particular does anyone know why RFC 7518 does not support the 
>> compressed representation for P-256? Cc’ing LAKE on the impact of this
>>
>> Pascal
>>
>
> -- 
> email:rstruik.ext@gmail.com  | Skype: rstruik
> cell: +1 (647) 867-5658 | US: +1 (415) 287-3867


-- 
email: rstruik.ext@gmail.com | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 287-3867

v2.23.0 | Report a Bug | By Email