Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final proposal for domain separation (context labels) for ed25519
Watson Ladd <watsonbladd@gmail.com> Tue, 10 May 2016 15:42 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3DDAD12B054; Tue, 10 May 2016 08:42:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Nijo1-zlBmQJ; Tue, 10 May 2016 08:42:52 -0700 (PDT)
Received: from mail-vk0-x231.google.com (mail-vk0-x231.google.com [IPv6:2607:f8b0:400c:c05::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 81A2D12D1F0; Tue, 10 May 2016 08:42:50 -0700 (PDT)
Received: by mail-vk0-x231.google.com with SMTP id m188so21264191vka.1; Tue, 10 May 2016 08:42:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=H6qQJggAr46NziOTIBtX8zAojufhxsOFn1VqMLyCnJM=; b=GMHYg0dylelRx3goD32Nuo3YeK/T4X+MWlxCrWSkr6ZD49cMMiXrbcW+aU4SM98UrD bJE3qqGFypWcrzbJzVgkFykcFltzAHlJTkSJS9ST3JPobS+w2pFhw4Y6X2A89illE9/Z 2L37thymf6aPTaP9ABPFzWxGqPQdo8v5NPlIRixmLyLujiqC7ltvB55WgKiYUR0T1HSE zKSUdSdjFZoL/J+UL93pXUmTv7fpOAS6Ppyrl/LdyUY5ZkWANy2PqhFEQyReWcAC3SHB PiJeZHkiJJ9OQuTBZNaa4WGE1DTHwHwv/JzCDcBH3pVG/wl86TN3vCTfh8fGdYKphDjq wPAw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=H6qQJggAr46NziOTIBtX8zAojufhxsOFn1VqMLyCnJM=; b=Zt5br+96VoEjfhr77MXQhA9fhVYtkfBAt8Z812JGT8tXeWM52Wl3vBdDMt9WooSXbQ +3kqjKZTl+fhIE04bloOCm9NIq5P25Op0V2dN1nu1yaw16zoqFB7eYz96y6wpRiw0JXC HZm1IINFGR1IemxiXutFKH4uviSllBEuZSApcN6Q7yhtmwRebaruytK6uR1uyrKxwP9j D6jbMPUqmUvr0WZccnhGmFFbSDYcXoqpesMgNKJnCTfKmTBjIW1NsKYhg5FOYTPE9oYz MoQFdDXjlLRiKjxov4wSjr1xwZN5wKOl/MykTylpZQe7QoKJpINWgCKdn4b8kLYfyGt9 LZBA==
X-Gm-Message-State: AOPr4FVqiusGL9havIgdxdYEfdAo89axdSHUBgcu8hCIAxGBOZAWDiJ8fK3xWdsWmp5W+of7XAz64hwgguJa4A==
MIME-Version: 1.0
X-Received: by 10.31.188.73 with SMTP id m70mr10215068vkf.70.1462894969480; Tue, 10 May 2016 08:42:49 -0700 (PDT)
Received: by 10.176.64.68 with HTTP; Tue, 10 May 2016 08:42:49 -0700 (PDT)
In-Reply-To: <87r3datgrw.fsf@latte.josefsson.org>
References: <87bn543id1.fsf@alice.fifthhorseman.net> <87zisk94bg.fsf@latte.josefsson.org> <871t5wxfs4.fsf@alice.fifthhorseman.net> <87d1ozvfak.fsf@latte.josefsson.org> <20160506101733.GA2552@LK-Perkele-V2.elisa-laajakaista.fi> <CABkgnnVDDoh1t-GA54b31X9GVGTyFHtjNjEhzMaGdCHkFNNO6g@mail.gmail.com> <87r3datgrw.fsf@latte.josefsson.org>
Date: Tue, 10 May 2016 08:42:49 -0700
Message-ID: <CACsn0cnxcn+V46enRwmFzFz5Y6wTzCwoZL+qR76SXpscieLmpw@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Simon Josefsson <simon@josefsson.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/Blnx1V5jTgK4NFzJAIpiPIu_dyI>
Resent-From: alias-bounces@ietf.org
Resent-To: <>
Cc: draft-irtf-cfrg-eddsa.all@ietf.org, "cfrg@ietf.org" <cfrg@ietf.org>
Subject: Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final proposal for domain separation (context labels) for ed25519
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 May 2016 15:42:55 -0000
On Tue, May 10, 2016 at 2:16 AM, Simon Josefsson <simon@josefsson.org> wrote: > Martin Thomson <martin.thomson@gmail.com> writes: > >> On 6 May 2016 at 20:17, Ilari Liusvaara <ilariliusvaara@welho.com> wrote: >>> >>> So yeah, just use separate keys. Don't cause problems for everybody >>> by using contexts. >> >> As an author of a document that defines the use of contexts, how do >> you reconcile this view with what the document says? > > Hi Martin. > > The difference between personal opinion and group consensus decisions? > I'm just speculating what Ilari's reasons are though. > >> But I see those examples as illustrative of an insufficient degree of >> redundancy. For, if ever there were fans of redundancy, it would be >> the military. While conceivably you could build a protocol that >> defers all self-identification and context to the crypto that supports >> it, in the cases illustrated, it shows itself as unwise in the extreme >> in light of the propensity of people to do bad things. > > I suspect there is fundamental disagreement between fans of redundancy > and fans of lesser complexity. > > In my experience, redundancy (=complexity) in security systems have too > many time been used as a way to get through the system. Redundancy can > act as a slowdown factor and mitigator, but if your primitives are weak > then you are vulnerable no matter what. The academic optimistic view > appears to be that it should be possible to find strong primitives, and > to trust that they are strong. History shows that everything is broken > eventually, but history hasn't killed the optimism. Let's consider an actual protocol, TLS 1.3. TLS 1.3 cannot rely on the context mechanism of Ed25519ctx because it must work with RSA signatures as well. Introducing contexts won't actually make it more secure so long as it has to work with RSA. But introducing contexts will force everyone to complicate their implementation, which we know leads to bugs. > > My thoughts are that it is possible to achieve what the proponents of > redundancy (contexts) want and please the people who want the least > complexity, at the same time. Just define a low-level primitive like > Ed25519 as it is, and deal with higher-level aspects like > cross-protocol/domain mitigators at the protocol level, or at another > crypto primitive (ed25519ctx) which can be opt-in by the people who have > drunk that particular Kool-Aid. > > Thanks, > /Simon > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg > -- "Man is born free, but everywhere he is in chains". --Rousseau.
- [Cfrg] draft-irtf-cfrg-eddsa -- one final proposa… Daniel Kahn Gillmor
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Paterson, Kenny
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Salz, Rich
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Daniel Kahn Gillmor
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Salz, Rich
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Ilari Liusvaara
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Daniel Kahn Gillmor
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Russ Housley
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Ilari Liusvaara
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… D. J. Bernstein
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Benjamin Kaduk
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Daniel Kahn Gillmor
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Daniel Kahn Gillmor
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Watson Ladd
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Ilari Liusvaara
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… David Jacobson
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Martin Thomson
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Ilari Liusvaara
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Benjamin Kaduk
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Ilari Liusvaara
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Daniel Kahn Gillmor
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Benjamin Kaduk
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Ilari Liusvaara
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Martin Thomson
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Ilari Liusvaara
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Martin Thomson
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Ilari Liusvaara
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Daniel Kahn Gillmor
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Ilari Liusvaara
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Simon Josefsson
- [Cfrg] Side inputs to signature systems, take 2 D. J. Bernstein
- Re: [Cfrg] Side inputs to signature systems, take… Natanael
- Re: [Cfrg] Side inputs to signature systems, take… David Jacobson
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Daniel Kahn Gillmor
- Re: [Cfrg] Side inputs to signature systems, take… Daniel Kahn Gillmor
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Watson Ladd
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Simon Josefsson
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Ilari Liusvaara
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Martin Thomson
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Ilari Liusvaara
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Benjamin Kaduk
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Ilari Liusvaara
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Simon Josefsson
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Watson Ladd
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Martin Thomson
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Martin Thomson
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Bryan Ford
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Watson Ladd
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Dang, Quynh (Fed)
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… D. J. Bernstein
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Bryan Ford
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Richard Outerbridge
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… D. J. Bernstein