Re: [Cfrg] Requirements for curve candidate evaluation update
Phillip Hallam-Baker <phill@hallambaker.com> Thu, 14 August 2014 02:39 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2732B1A074C for <cfrg@ietfa.amsl.com>; Wed, 13 Aug 2014 19:39:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OnvU8NFdRtOK for <cfrg@ietfa.amsl.com>; Wed, 13 Aug 2014 19:39:38 -0700 (PDT)
Received: from mail-lb0-x231.google.com (mail-lb0-x231.google.com [IPv6:2a00:1450:4010:c04::231]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D3DA61A0747 for <cfrg@ietf.org>; Wed, 13 Aug 2014 19:39:37 -0700 (PDT)
Received: by mail-lb0-f177.google.com with SMTP id s7so462400lbd.8 for <cfrg@ietf.org>; Wed, 13 Aug 2014 19:39:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=//CQjwG4qB0Bg6RDdeMRcuhNLIX9/iPUQkmqKxaDW8Q=; b=U1GU6R8bBolBOtuxpIsiH8gjJM5yE0WBbzPN01es11y/KexR5vXw5F4DenhZXskhp5 cy4DizklPkPJqtB6sE9PsoxQciqpMTMaci6N6BKyZDjQcrKzVnM5YhK5ZYyaboEgEhWl wwdlT7rCmrNEEkgi18Dnkg91x4sieMd1QLnIAjvd71WwRIzmbv6XSk47eOfxvZORl/qE 2qSwo0/HVmDD3BID9EjE1spe5YIQhs8c54BKQYwl4oEgkCLSJQjtkPINXSeh/xbOA4c9 09kmxJQ9ZZIaONWitJSYDobq5eBEfc1uBO1qbzcI4IDOxFRodPjZFIaSKGi3ohYS9aay RlWQ==
MIME-Version: 1.0
X-Received: by 10.152.20.5 with SMTP id j5mr1644318lae.38.1407983976118; Wed, 13 Aug 2014 19:39:36 -0700 (PDT)
Sender: hallam@gmail.com
Received: by 10.112.122.50 with HTTP; Wed, 13 Aug 2014 19:39:35 -0700 (PDT)
In-Reply-To: <2A0EFB9C05D0164E98F19BB0AF3708C7185A0C9093@USMBX1.msg.corp.akamai.com>
References: <CA+Vbu7wuAcmtAKJYEgAaSBTf6sj8pRfYpJhz2qV_ER=33mrk8Q@mail.gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C7185A0C8CEB@USMBX1.msg.corp.akamai.com> <CAMm+LwikFfC7AoPyYn8EQsKXiv9X1uvGrdmwRXxiqcCSvNZsqA@mail.gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C7185A0C9093@USMBX1.msg.corp.akamai.com>
Date: Wed, 13 Aug 2014 22:39:35 -0400
X-Google-Sender-Auth: SEGMBVe_JdsKbo7TcC4IQoZ1L3k
Message-ID: <CAMm+Lwh4DUEOH25sscu07A7FNzwL70xMCEjxRPNLb=6sYZP+EQ@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: "Salz, Rich" <rsalz@akamai.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/1JjodBBOETXCIAYX4F8y8ZxocXM
Cc: "cfrg@ietf.org" <cfrg@ietf.org>
Subject: Re: [Cfrg] Requirements for curve candidate evaluation update
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Aug 2014 02:39:39 -0000
On Wed, Aug 13, 2014 at 10:27 PM, Salz, Rich <rsalz@akamai.com> wrote: >> Long term signature keys have to be generated and stored in HSMs > > So EDH keys do not, and therefore do not need HSM requirements, right? I don't see a large field of established use that would make availability of HSMs a gating factor for EDH. But obviously someone could come up with one. What I am trying to do here is to pare down the set of requirements WITHOUT throwing out any that could be show stoppers or gating deployment. The use of ECC to date in open standards based systems is so insignificant that we really should not think twice about blowing it all up and starting from scratch. But if we do that then someone has to tell the HSM vendors where we are going and some of them have to sign on. Not wanting to make a big fuss on the HSM requirement but it is definitely a potential gating factor. Using the same curve model for encryption and signature does not interest me in the slightest. I cannot see that as being a necessary requirement, it is just someone wanting things to be tidy. The only good reason to go to ECC right now is to get a bigger safety margin on your crypto. And it really makes no sense to want to do that and be shooting yourself in both feet by using signature keys for encryption or vice versa. The keys are plenty small enough to have separate encryption and signature keys. It would be no bad thing if we made it algorithmically impossible to attempt that type of abuse. I do want to junk the NIST curves though but not for the reason folk think. The big problem with ECC is the sheer length of time we have been waiting. Deployment is going to continue to be slow unless we get some sort of starting gun. One possibility is that the starting gun is breaking RSA1024 but having a new set of NSA-free curves agreed by IETF is good as well.
- [Cfrg] Requirements for curve candidate evaluatio… Benjamin Black
- Re: [Cfrg] Requirements for curve candidate evalu… Salz, Rich
- Re: [Cfrg] Requirements for curve candidate evalu… Watson Ladd
- Re: [Cfrg] Requirements for curve candidate evalu… William Whyte
- Re: [Cfrg] Requirements for curve candidate evalu… Mike Hamburg
- Re: [Cfrg] Requirements for curve candidate evalu… Benjamin Black
- Re: [Cfrg] Requirements for curve candidate evalu… Phillip Hallam-Baker
- Re: [Cfrg] Requirements for curve candidate evalu… David Jacobson
- Re: [Cfrg] Requirements for curve candidate evalu… Salz, Rich
- Re: [Cfrg] Requirements for curve candidate evalu… Salz, Rich
- Re: [Cfrg] Requirements for curve candidate evalu… Phillip Hallam-Baker
- Re: [Cfrg] Requirements for curve candidate evalu… Phillip Hallam-Baker
- Re: [Cfrg] Requirements for curve candidate evalu… Benjamin Black
- Re: [Cfrg] Requirements for curve candidate evalu… Benjamin Black
- Re: [Cfrg] Requirements for curve candidate evalu… Alyssa Rowan
- Re: [Cfrg] Requirements for curve candidate evalu… Phillip Hallam-Baker
- Re: [Cfrg] Requirements for curve candidate evalu… Phillip Hallam-Baker
- Re: [Cfrg] Requirements for curve candidate evalu… Alyssa Rowan
- Re: [Cfrg] Requirements for curve candidate evalu… Watson Ladd
- Re: [Cfrg] Requirements for curve candidate evalu… D. J. Bernstein
- Re: [Cfrg] Requirements for curve candidate evalu… Tanja Lange
- Re: [Cfrg] Requirements for curve candidate evalu… Phillip Hallam-Baker