Re: [Cfrg] [TLS] Unwarrented change to point formats

Eric Rescorla <ekr@rtfm.com> Sun, 27 July 2014 20:27 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D34171A0262 for <cfrg@ietfa.amsl.com>; Sun, 27 Jul 2014 13:27:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D0Dk855_c04n for <cfrg@ietfa.amsl.com>; Sun, 27 Jul 2014 13:27:14 -0700 (PDT)
Received: from mail-wi0-f177.google.com (mail-wi0-f177.google.com [209.85.212.177]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 608161A01DC for <cfrg@irtf.org>; Sun, 27 Jul 2014 13:27:14 -0700 (PDT)
Received: by mail-wi0-f177.google.com with SMTP id ho1so3402496wib.10 for <cfrg@irtf.org>; Sun, 27 Jul 2014 13:27:12 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=XlmZlu4kgD9eyimWgxiaXBVB4SY1ryNqv/kVESNtMis=; b=eilUi6UiE455fpKCr/XhwfRLmD6tl3ZqckA/W5jqeQhA5qPr+V3dwm5V6z0pBH39GI WtQLze1q47Oy/ixJM/oPMXmOCD2i7f1m83aj9esEzIj48yKSU1oANaajYU+gDs09J4nk ABYBLkTwzihK2pKdMR9SaLSaj1PEu27Zreeze0rXJ1e9TK+Zdl9klirSxsNbOZZ1flBw QaBiF3Hj1BXvPOlD+05FmPKIxCpg/N7DZ1J+Hn/XcIBt0y+DV6QT+PRcbsZMovjCPjAv oy//31It1J/kuKdOl5Pb0YJABEZHRf1XM+zxHhLcW/RQA/3aT7Bk4yK/3BSPgVcCDP6M honQ==
X-Gm-Message-State: ALoCoQkvYwncL+1a+5xhJIoRiFhnuFK5G+w+6/QZADDIlZOacCwHClkIcSxyG6uzNtaDkbi66aDM
X-Received: by 10.180.86.225 with SMTP id s1mr23773693wiz.36.1406492832417; Sun, 27 Jul 2014 13:27:12 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.217.128.12 with HTTP; Sun, 27 Jul 2014 13:26:32 -0700 (PDT)
X-Originating-IP: [74.95.2.168]
In-Reply-To: <ACA887E2-DFE3-41A3-9A75-BAA72843169A@rhul.ac.uk>
References: <CACsn0cnf64Lj0om9hzvfZymo1KRG6FOiicfcDw3ysfGwaAby3g@mail.gmail.com> <ACA887E2-DFE3-41A3-9A75-BAA72843169A@rhul.ac.uk>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sun, 27 Jul 2014 13:26:32 -0700
Message-ID: <CABcZeBMUTZM1y+oxTAjemw=LSWTycJNDdKPUou+H+ML3LHWPqw@mail.gmail.com>
To: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
Content-Type: multipart/alternative; boundary="f46d04428610a7e8ae04ff32a141"
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/HX5Weduyg4_wuOm2Z_eEDGi0E0Q
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [Cfrg] [TLS] Unwarrented change to point formats
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 27 Jul 2014 20:27:16 -0000

On Sun, Jul 27, 2014 at 11:25 AM, Paterson, Kenny <Kenny.Paterson@rhul.ac.uk
> wrote:

> Watson,
>
> There was certainly support for Curve25519 at the CFRG interim phone
> conference, from my reading of the transcript.
>
> I don't think the reasons for the TLS WG to ask for our input are
> nebulous, as you put it. I'd say they were taking a responsible approach,
> charging us as experts to explore the alternatives carefully and make
> recommendations. This choice will affect the future security of TLS for
> years - or decades - to come. So we have to get it right.
>

This reflects my understanding as well.



> That request to us does not mean anyone is ignoring existing drafts, as
> you write. I am also not aware of this IETF-wide requirement that you
> mention. I believe it's a "nice to have", but not a hard requirement.


Speaking only for myself, I don't think there's anything particularly
mysterious here. The TLS WG is not chartered to do this kind of analysis
so we've turned to the CFRG. It would clearly be most efficient if the IETF
had a common set of cryptographic primitives where possible. It's true
that TLS was the first WG to try to write down a specific request, but it
seems likely that our needs are mostly common with other protocols.

To take a specific set of cases. TLS has three major uses for public key
crypto of this type:

- Key establishment
- Digital signatures over handshake messages (ServerKeyExchange,
  CertificateVerify, etc.)
- Digital signatures over certificates.

It seems likely that key establishment shares common requirements for
multiple protocols. Similarly, it would be quite convenient if the
signatures
used in TLS were the same as those used for the certificates used for TLS,
even though the latter are not defined in TLS. So, when I say an IETF-wide
set of recommendations that's the kind of thing I mean.

I wasn't aware that any of this was particularly controversial.

-Ekr