Re: [Cfrg] On process (was Re: Elliptic Curves - poll on specific curve around 256bit work factor (ends on February 23rd))

Watson Ladd <watsonbladd@gmail.com> Tue, 24 February 2015 22:34 UTC

MIME-Version: 1.0
In-Reply-To: <1D4098FF-2097-46B7-AE1F-32D38B8B0B46@isode.com>
References: <CACsn0cmZqoPd6CPV7RZE-ozBn1oDgK51212Sv5YXczqNHsA3eg@mail.gmail.com> <1D4098FF-2097-46B7-AE1F-32D38B8B0B46@isode.com>
Date: Tue, 24 Feb 2015 14:34:01 -0800
Message-ID: <CACsn0cn-8t8xO4XmvMv5XkghvczcOBsex_WE7tJaN2eEpLwPLw@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Alexey Melnikov <alexey.melnikov@isode.com>
Content-Type: multipart/alternative; boundary="001a1135547e918e4c050fdd1d30"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/JsV8peovRyJe1qFxtdITY5WbIEA>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] On process (was Re: Elliptic Curves - poll on specific curve around 256bit work factor (ends on February 23rd))
Precedence: list

On Feb 24, 2015 1:06 PM, "Alexey Melnikov" <alexey.melnikov@isode.com>
wrote:
>
> On 23/02/2015 06:46, Watson Ladd wrote:
>>
>> On Sat, Feb 21, 2015 at 5:40 AM, Paterson, Kenny
>> <Kenny.Paterson@rhul.ac.uk> wrote:
>>>
>>> Hi Alyssa,
>>>
>>> On 20/02/2015 20:15, "Alyssa Rowan" <akr@akr.io> wrote:
>>>
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA512
>>>>
>>>>> [TA] Have you considered doing a poll of what specific curves
>>>>> people actually want to use?
>>>>>
>>>>> [PHB] [Š] your poll [Š] rather undercuts the whole process.
>>>>
>>>> Strongly agreed.
>>>>
>>>>> [KP] Yes, we considered a number of different ways of narrowing
>>>>> down our choices. However, we settled on doing it this way. Please
>>>>> stick with us.
>>>>
>>>> With the greatest respect, if upstream and external parties were
>>>> willing to tolerate undocumented decisions by editor/chair fiat,
>>>> they'd stick with the NIST curves, wouldn't they?
>>>
>>> I think you have to give the chairs some room to make decisions in order
>>> to help move things forward. We've been rightly criticised for not doing
>>> that in recent months, and now we are trying to do better. So cut us
some
>>> slack, please.
>>>
>>> Yes, we could have first run a "meta poll" to ask the group what kinds
of
>>> questions they wanted to be asked, or what the topics of the questions
>>> should be, but I think that would only have led to dismayed comments
from
>>> other participants saying we were not providing enough direction or
>>> leadership (but Alexey and I are by now well aware that chairs cannot
>>> please all of the people any of the time, and some of the time we do not
>>> please anyone; for us, it goes with the territory).
>>
>> Chairs could avoid making promises about the process they don't end up
>> keeping. I would say that's the single biggest reason chairs got
>> criticised.
>
> I think the only promise that we made (timeline promises notwithstanding)
is that we do a series of polls to narrow down choices of curves and other
issues that are needed to finish EC recommendations (signature scheme,
coordinate system, Endianness of what goes on the wire, etc.)
>>>>
>>>> We were asked because publicly-documented technical consensus, not
>>>> guided by any one party, is very highly desirable.
>>>
>>> But then what to do if there is no consensus? This appeared to be the
case
>>> on the specific question of whether we should stick to "traditional
powers
>>> of 2" security levels or not.
>>
>> But we're already using voting to decide other issues on which there
>> was no consensus: why is the Goldilocks issue so special?
>>
>> You could have had long discussions about which point formats to use,
>> and decided to use one. You could have done the same for signatures.
>
> And have you read my message asking to stay on topic and which topics are
coming next? If you did, you would have known that these questions are
coming.

I did read that email. I'm not objecting to that aspect, just the exclusion
of a single proposal.  It's moot as chairs seem to have backed down from
this exclusion.

The process, or what little there was, has evolved from picking proposals
to full blown design by committe.

>
>> But the only aspect that's being formally decided upon by the chairs
>> is security levels: why? And not even security levels, just a decision
>> to exclude three candidate curves.
>>
>> I could understand making the entire decision. I could understand
>> voting in various forms. But I don't understand why this particular
>> decision is being made by chairs, and not others.
>
> Chairs pick questions in order to help CFRG move forward on the EC topic.
We are not perfect and for that I apologise. Suggestions for better
questions are welcome, but please do it without starting a flame war (hint:
either ask privately or ask nicely on the mailing list).

There's a difference between asking poll questions and making decisions.
I'm not objecting to either, just doing one and calling it the other, and
then hiding the fact that you did so.

As for poll questions how about "rank primes in your preference order".
People answered it anyway.

For ECDH we have six possible choices based on model and compression, plus
some more oddball proposals. I'd recommend asking everyone to rank them
all, and find something broadly acceptable.

For signatures we've got ECDSA, Franken-ECDSA, and EdSA. I would ask for a
full rank instead. I don't think we need to consider public key format
separately here.

As for endianess I would recommend sticking with existing implementations
and not conducting a poll.

This avoids issues where some votes condition others in weird ways.

Sincerely,
Watson Ladd

[Cfrg] On process (was Re: Elliptic Curves - poll… Watson Ladd
Re: [Cfrg] On process (was Re: Elliptic Curves - … Alexey Melnikov
Re: [Cfrg] On process (was Re: Elliptic Curves - … Watson Ladd
Re: [Cfrg] On process (was Re: Elliptic Curves - … Alexey Melnikov