Re: [Cfrg] On "non-NIST"
Phillip Hallam-Baker <phill@hallambaker.com> Sat, 28 February 2015 17:39 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E437B1A7007 for <cfrg@ietfa.amsl.com>; Sat, 28 Feb 2015 09:39:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R0MvD3SG8B_A for <cfrg@ietfa.amsl.com>; Sat, 28 Feb 2015 09:39:10 -0800 (PST)
Received: from mail-lb0-x22d.google.com (mail-lb0-x22d.google.com [IPv6:2a00:1450:4010:c04::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 97F661A1BF5 for <cfrg@irtf.org>; Sat, 28 Feb 2015 09:39:09 -0800 (PST)
Received: by lbiv13 with SMTP id v13so4052805lbi.11 for <cfrg@irtf.org>; Sat, 28 Feb 2015 09:39:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=cSjOKS678Tov6X1/oCIzTAP12TOlHPPxpa1Vo+nO25o=; b=oNJD4Boj7WQimlSFwXr4WlBrNeWhRuKfU1+R0YYPcx3x8F8r5ea0qpQnm3tD6r8GL5 +BxXM9NaI4Tc3P2sZ6FvdQBCtE/+UH9GQC/NCnzK35rclkliYdsKp0t/Y2DsJtsmoEuf OTmJ6fmkd0UaD+NCQ/Bqg9a2lsGqtcCBeOpJYUESxTUX4FgzMUXzP3qWPyH+6Hmr8D7e WqLSfydZZx9vbewrEBK6BxJKi65sZpIf+uJCxV/aOsHdv9JV7pNUnR0F2VW43whOKvab OrfoEYMV3imuV49YjH/bsi+gSEZZCaxKCrQGOQFDAR0PPpatYsaeTGAUyvji15DgkUNu gijA==
MIME-Version: 1.0
X-Received: by 10.152.191.135 with SMTP id gy7mr17268045lac.91.1425145147989; Sat, 28 Feb 2015 09:39:07 -0800 (PST)
Sender: hallam@gmail.com
Received: by 10.113.3.165 with HTTP; Sat, 28 Feb 2015 09:39:07 -0800 (PST)
In-Reply-To: <CACsn0ckHyRiLBiRe9Vg4TJMUg-+c8vbB2e-QKuHbuZ_NiqC2UA@mail.gmail.com>
References: <9A043F3CF02CD34C8E74AC1594475C73AAF91123@uxcn10-5.UoA.auckland.ac.nz> <BE305B0B-80D2-48C6-ACE6-6F6544A04D69@vpnc.org> <CACsn0ckHyRiLBiRe9Vg4TJMUg-+c8vbB2e-QKuHbuZ_NiqC2UA@mail.gmail.com>
Date: Sat, 28 Feb 2015 12:39:07 -0500
X-Google-Sender-Auth: tBcsLbKFeSiLnv0daSl2BWqdA8A
Message-ID: <CAMm+Lwiqn9rXoaJx6vO8ULcd4aJeLqcCAcLMyckCLWYRjPLYEg@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: multipart/alternative; boundary="001a1134303a4ca72c0510297649"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/9rTg8UpqiCVozvEpTOcRiQYLQHk>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, Paul Hoffman <paul.hoffman@vpnc.org>, Peter Gutmann <pgut001@cs.auckland.ac.nz>
Subject: Re: [Cfrg] On "non-NIST"
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Feb 2015 17:39:12 -0000
On Sat, Feb 28, 2015 at 12:17 PM, Watson Ladd <watsonbladd@gmail.com> wrote: > On Sat, Feb 28, 2015 at 7:41 AM, Paul Hoffman <paul.hoffman@vpnc.org> > wrote: > > On Feb 28, 2015, at 12:59 AM, Peter Gutmann <pgut001@cs.auckland.ac.nz> > wrote: > >> > >> Paul Hoffman <paul.hoffman@vpnc.org> writes: > >> > >>> The term "non-NIST" is predictive, and the crypto community kinda > sucks at > >>> predictions. We have no idea what NIST will do in the future if a > bunch of > >>> IETF WGs adopt specific elliptic curves that are not P256/P384. > >> > >> Why is NIST seen as the ultimate arbiter of what's appropriate though? > > > > Not "the", but "an". The reason is that NIST controls what can and > cannot be given a FIPS-140 certification, and that certification is > considered important both by companies who want to sell to the US Govt and > companies that use their certification as a statement that "we did it > right". If you make an HSM that uses an algorithm not allowed by NIST, you > cannot get it certified in the CMVP regime. Thus, when NIST is slow to keep > up with the best practices adopted by the community, it becomes a roadblock > to deploying better crypto. > > This is factually untrue: CMVP certified modules are permitted to > implement other algorithms: they just can't be in FIPS mode when those > are used. I also don't see how NIST approval or lack thereof slowed > down RC4 deployment or accelerated SHA1 replacing MD5. > > The reality is lots of new designs are using Curve25519 and Ed25519. > That's because of factors like simple design of APIs, high > performance, and very good security. Standards body acceptance is not > a concern here. Just as the reality is that E-521 was picked by > Brazil, while the new GOST is still being worked on, and the upper > size limit is just a random number. But never mind reality: we've got > to expose "signs of strength". We need big numbers for marketing: > never mind attackers can't break authentication in the future, while > mobile devices already struggle to validate certificates. We need to > vote on endianness: nothing more needs to be said. > > Is anyone surprised we've become a punchline? > > Sincerely, > Watson Ladd > > > > > This is why we hope that, when this RG finally moves on both the the > curve and the signing algorithm, NIST adds those to its list of acceptable > crypto for the FIPS 140 testing. If they don't, people can still deploy it, > but deployment will be hampered. > > > > --Paul Hoffman > > _______________________________________________ > > Cfrg mailing list > > Cfrg@irtf.org > > http://www.irtf.org/mailman/listinfo/cfrg US NIST chose P521 Brazil chose P521 Isn't that a pattern emerging?
- Re: [Cfrg] On "non-NIST" Peter Gutmann
- Re: [Cfrg] On "non-NIST" Paul Hoffman
- Re: [Cfrg] On "non-NIST" Phillip Hallam-Baker
- Re: [Cfrg] On "non-NIST" Watson Ladd
- Re: [Cfrg] On "non-NIST" Phillip Hallam-Baker
- Re: [Cfrg] On "non-NIST" Paul Hoffman
- Re: [Cfrg] On "non-NIST" Dan Harkins
- Re: [Cfrg] On "non-NIST" Watson Ladd
- Re: [Cfrg] On "non-NIST" Scott Fluhrer (sfluhrer)
- Re: [Cfrg] On "non-NIST" Paul Hoffman
- Re: [Cfrg] On "non-NIST" Johannes Merkle
- Re: [Cfrg] On "non-NIST" Watson Ladd
- [Cfrg] Submission of curve25519 to NIST from CFRG… Paul Lambert
- Re: [Cfrg] Submission of curve25519 to NIST from … Tony Arcieri
- Re: [Cfrg] Submission of curve25519 to NIST from … Watson Ladd
- Re: [Cfrg] Submission of curve25519 to NIST from … Paul Lambert
- Re: [Cfrg] Submission of curve25519 to NIST from … Paul Lambert
- Re: [Cfrg] Submission of curve25519 to NIST from … Watson Ladd
- Re: [Cfrg] Submission of curve25519 to NIST from … Paul Lambert
- Re: [Cfrg] Submission of curve25519 to NIST from … Phillip Hallam-Baker
- Re: [Cfrg] Submission of curve25519 to NIST from … Paul Hoffman
- Re: [Cfrg] Submission of curve25519 to NIST from … Eggert, Lars
- Re: [Cfrg] Submission of curve25519 to NIST from … Stephen Farrell
- Re: [Cfrg] Submission of curve25519 to NIST from … Michael Hamburg