Re: [Cfrg] Curve manipulation, revisited

"Salz, Rich" <rsalz@akamai.com> Mon, 29 December 2014 21:16 UTC

From: "Salz, Rich" <rsalz@akamai.com>
To: Rob Stradling <rob.stradling@comodo.com>, Yoav Nir <ynir.ietf@gmail.com>
Date: Mon, 29 Dec 2014 16:15:58 -0500
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/FpEr_75Tx-tTbgtQVVU0KC6h7K8
Cc: "cfrg@irtf.org" <cfrg@irtf.org>

> Some TLS server software (notably Apache httpd) can already use several
> certs for the same hostname, where each cert has a different public key
> algorithm (RSA, DSA, ECC).  This means that certs with P-256 and P-384 public
> keys can be used where there is browser support, with fallback to certs with
> RSA public keys for the long tail of non-ECC-capable browsers.

Any server that uses OpenSSL can do this, provided they make the calls to register the keypairs. (And only the NIST curves are currently supported.) So that probably includes nginx, Node.js, anything built on Ruby or Python, etc. Some minor code work (config and making an additional API call) could be required, but that's pretty easy.

--  
Principal Security Engineer, Akamai Technologies
IM: rsalz@jabber.me Twitter: RichSalz
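
The dual-certificate setup discussed in this message, as an added example that is not part of the original post: Python's OpenSSL-backed `ssl` module registers an RSA and a P-256 keypair on one server context, then two in-memory handshakes show which certificate each kind of client receives. It assumes the `openssl` CLI is on PATH to create throwaway self-signed certificates; the function names and `example.test` are hypothetical, and the client is capped at TLS 1.2 so the cipher suite decides the certificate type.

```python
import os, ssl, subprocess, tempfile

def make_cert(tmpdir, name, newkey_args):
    """Throwaway self-signed cert/key via the openssl CLI (assumed to be on PATH)."""
    cert, key = (os.path.join(tmpdir, f"{name}.{ext}") for ext in ("crt", "key"))
    subprocess.run(["openssl", "req", "-x509", "-nodes", "-days", "1",
                    "-subj", "/CN=example.test", *newkey_args,
                    "-keyout", key, "-out", cert], check=True, capture_output=True)
    return cert, key

def server_context(pairs):
    """Register one certificate/key pair per public key algorithm on one context."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    for cert, key in pairs:
        ctx.load_cert_chain(cert, key)  # the additional API call: once per key type
    return ctx

def presented_cert(server_ctx, client_ciphers):
    """In-memory TLS 1.2 handshake; returns the DER certificate the server chose."""
    cctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    cctx.check_hostname, cctx.verify_mode = False, ssl.CERT_NONE  # self-signed test certs
    cctx.maximum_version = ssl.TLSVersion.TLSv1_2  # suite name fixes the cert type
    cctx.set_ciphers(client_ciphers)
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = cctx.wrap_bio(c_in, c_out)
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
    pending = [client, server]
    while pending:
        for side in list(pending):
            try:
                side.do_handshake()
                pending.remove(side)
            except ssl.SSLWantReadError:
                pass  # waiting for the peer's next flight
            s_in.write(c_out.read())  # shuttle bytes between the two endpoints
            c_in.write(s_out.read())
    return client.getpeercert(binary_form=True)

def demo():
    """True per client type if the server presented the matching certificate."""
    with tempfile.TemporaryDirectory() as d:
        rsa = make_cert(d, "rsa", ["-newkey", "rsa:2048"])
        ec = make_cert(d, "ec", ["-newkey", "ec", "-pkeyopt", "ec_paramgen_curve:prime256v1"])
        ctx = server_context([rsa, ec])
        cases = (("ECC-capable client", "ECDHE-ECDSA-AES128-GCM-SHA256", ec[0]),
                 ("RSA-only client", "ECDHE-RSA-AES128-GCM-SHA256", rsa[0]))
        return {label: presented_cert(ctx, suite) == ssl.PEM_cert_to_DER_cert(open(path).read())
                for label, suite, path in cases}

if __name__ == "__main__":
    print(demo())
```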