Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final proposal for domain separation (context labels) for ed25519

Simon Josefsson <simon@josefsson.org> Tue, 10 May 2016 09:16 UTC

Return-Path: <simon@josefsson.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43C1112D0C0; Tue, 10 May 2016 02:16:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ix6L_K6xoJzH; Tue, 10 May 2016 02:16:09 -0700 (PDT)
Received: from duva.sjd.se (duva.sjd.se [IPv6:2001:9b0:1:1702::100]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1428612D09B; Tue, 10 May 2016 02:16:08 -0700 (PDT)
Received: from latte.josefsson.org ([155.4.17.2]) (authenticated bits=0) by duva.sjd.se (8.14.4/8.14.4/Debian-4+deb7u1) with ESMTP id u4A9G4oC004471 (version=TLSv1/SSLv3 cipher=AES128-GCM-SHA256 bits=128 verify=NOT); Tue, 10 May 2016 11:16:05 +0200
From: Simon Josefsson <simon@josefsson.org>
To: Martin Thomson <martin.thomson@gmail.com>
References: <87bn543id1.fsf@alice.fifthhorseman.net> <87zisk94bg.fsf@latte.josefsson.org> <871t5wxfs4.fsf@alice.fifthhorseman.net> <87d1ozvfak.fsf@latte.josefsson.org> <20160506101733.GA2552@LK-Perkele-V2.elisa-laajakaista.fi> <CABkgnnVDDoh1t-GA54b31X9GVGTyFHtjNjEhzMaGdCHkFNNO6g@mail.gmail.com>
OpenPGP: id=54265E8C; url=http://josefsson.org/54265e8c.txt
X-Hashcash: 1:22:160510:draft-irtf-cfrg-eddsa.all@ietf.org::R73Rj/dVJiwkqV7S:0lim
X-Hashcash: 1:22:160510:cfrg@ietf.org::ekslVFhChWvGCFXA:18rz
X-Hashcash: 1:22:160510:ilariliusvaara@welho.com::DM+awV5yPDcEGWNx:HFK3
X-Hashcash: 1:22:160510:martin.thomson@gmail.com::wyEfJEmM0bKxMkvf:PBvn
Date: Tue, 10 May 2016 11:16:03 +0200
In-Reply-To: <CABkgnnVDDoh1t-GA54b31X9GVGTyFHtjNjEhzMaGdCHkFNNO6g@mail.gmail.com> (Martin Thomson's message of "Mon, 9 May 2016 10:23:31 +1000")
Message-ID: <87r3datgrw.fsf@latte.josefsson.org>
User-Agent: Gnus/5.130014 (Ma Gnus v0.14) Emacs/24.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
X-Virus-Scanned: clamav-milter 0.99 at duva.sjd.se
X-Virus-Status: Clean
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/DNOGG3gkJCO44S4xMPx4g7dJCWQ>
Resent-From: alias-bounces@ietf.org
Resent-To: <>
Cc: draft-irtf-cfrg-eddsa.all@ietf.org, cfrg@ietf.org
Subject: Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final proposal for domain separation (context labels) for ed25519
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 May 2016 09:16:11 -0000

Martin Thomson <martin.thomson@gmail.com> writes:

> On 6 May 2016 at 20:17, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:
>>
>> So yeah, just use separate keys. Don't cause problems for everybody
>> by using contexts.
>
> As an author of a document that defines the use of contexts, how do
> you reconcile this view with what the document says?

Hi Martin.

The difference between personal opinion and group consensus decisions?
I'm just speculating what Ilari's reasons are though.

> But I see those examples as illustrative of an insufficient degree of
> redundancy.  For, if ever there were fans of redundancy, it would be
> the military.  While conceivably you could build a protocol that
> defers all self-identification and context to the crypto that supports
> it, in the cases illustrated, it shows itself as unwise in the extreme
> in light of the propensity of people to do bad things.

I suspect there is fundamental disagreement between fans of redundancy
and fans of lesser complexity.

In my experience, redundancy (=complexity) in security systems have too
many time been used as a way to get through the system.  Redundancy can
act as a slowdown factor and mitigator, but if your primitives are weak
then you are vulnerable no matter what.  The academic optimistic view
appears to be that it should be possible to find strong primitives, and
to trust that they are strong.  History shows that everything is broken
eventually, but history hasn't killed the optimism.

My thoughts are that it is possible to achieve what the proponents of
redundancy (contexts) want and please the people who want the least
complexity, at the same time.  Just define a low-level primitive like
Ed25519 as it is, and deal with higher-level aspects like
cross-protocol/domain mitigators at the protocol level, or at another
crypto primitive (ed25519ctx) which can be opt-in by the people who have
drunk that particular Kool-Aid.

Thanks,
/Simon