IETF Logo Mail Archive

Re: [Cfrg] My comments on TLS requirements from today's interim

Yoav Nir <ynir.ietf@gmail.com> Tue, 01 July 2014 07:28 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5EF801B27CA for <cfrg@ietfa.amsl.com>; Tue, 1 Jul 2014 00:28:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z-ZJEhEcnVSd for <cfrg@ietfa.amsl.com>; Tue, 1 Jul 2014 00:28:27 -0700 (PDT)
Received: from mail-we0-x229.google.com (mail-we0-x229.google.com [IPv6:2a00:1450:400c:c03::229]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8DEDF1A0190 for <cfrg@irtf.org>; Tue, 1 Jul 2014 00:28:27 -0700 (PDT)
Received: by mail-we0-f169.google.com with SMTP id t60so9265100wes.28 for <cfrg@irtf.org>; Tue, 01 Jul 2014 00:28:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=yC3DQYxAxNvIEqNzSjpP2pxafi6voSqrS1M7X9C9Q24=; b=M8Fjqp49J3Cr4CrEfKFn/IYJQ7UBoL5AXzgDosspIw/Eqw2vRBfOMrNOP7vnv22niT QbVUPN5aT8ZpIMhY7NvzdThVgunO3shbsjjGDFh20Flm6ME9chLsDxN+xUvoajue1HmW a8xeLu8BaeJ8ogihtNoGkoexy10kpOaF2ZcPdcddFcVYAeSo7ikF7IH4z59Pu1+AXQ3x sRgbc0FbzCGnGzdjfGWA73/pr5RhqruBCu2Zc/p80asTGCDJpq6o4bDOTWyH3a0liaWP a/JYqnTt3AqhSyg8gMt+XmvA7BtkrH99xBworDHsw4UFOStphXl6MyRZbIOsEPjYdgB7 sIgg==
X-Received: by 10.180.79.201 with SMTP id l9mr34974592wix.60.1404199706028; Tue, 01 Jul 2014 00:28:26 -0700 (PDT)
Received: from [172.24.251.205] (dyn32-131.checkpoint.com. [194.29.32.131]) by mx.google.com with ESMTPSA id h13sm46360165wjs.2.2014.07.01.00.28.25 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 01 Jul 2014 00:28:25 -0700 (PDT)
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.2\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <53B25D54.5080003@brainhub.org>
Date: Tue, 01 Jul 2014 10:28:23 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <2A072243-90D9-4DD6-8815-F279254AF6D2@gmail.com>
References: <CABcZeBOMUw5fv--ar=r+5KL76UKz7NDU2M=aEYomjfMjSy+Fog@mail.gmail.com> <53B25D54.5080003@brainhub.org>
To: Andrey Jivsov <crypto@brainhub.org>
X-Mailer: Apple Mail (2.1878.2)
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/Nh_oyvvHHAy9lEhjZrM6pxdbT60
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] My comments on TLS requirements from today's interim
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Jul 2014 07:28:29 -0000

On Jul 1, 2014, at 10:03 AM, Andrey Jivsov <crypto@brainhub.org> wrote:

> I have the same concern:
> 
> On 04/29/2014 12:50 PM, Eric Rescorla wrote:
>> 
>> - It would be nice if there was some chance that these curves could
>>   have some chance of being FIPS-approved, so they could potentially
>>   displace the NIST curves. It may be very difficult to get certainty here.
> 
> I see the following (the meeting minutes) http://www.ietf.org/mail-archive/web/cfrg/current/msg04505.html that don't answer this.
> 
> I also saw this post:
> On 06/26/2014 11:46 PM, Alyssa Rowan wrote:
> > CFRG have selected Curve25519 as the preferred elliptic curve for use
> > in IETF protocols, as Rich has pointed out.
> 
> 
> Let's assume that "the curve" at IETF is Curve25519. It doesn't appear to be an undisputed winner right now, but let's assume that it is universally accepted at every working group at IETF and is added to every IETF protocol soon.
> 
> 
> There is a significant US federal market with Suite B, FIPS, or at least SP 800 XXX that in some cases supports multiple product lines for a company. Beyond that, one credit that Suite B gets is that Suite B provided a clear and safe path for anybody who wanted to add ECC to their products. It assured interoperability on the Internet and coverage for the US government sector in a single standard. It made it much safer to create persistent data structures that should exist for decades. Not everybody liked it, especially outside of US, but P-256 was and still a method to bootstrap into ECC.
> 
> 
> I would like to hear your thoughts on the long-term view regarding standardization.
> 
> I will start with a few possibilities:
> 
> * Curve25519 becomes so pervasive that NIST adopts it. It replaces P-256 as a standard [Should reaching out to NIST be on the roadmap at some point before that expected acceptance?]
> 
> * Curve25519 exists parallel to P-256 (and P-256 becomes just a US national standard) [In this case products accept that Curve25519 + all the national standards is a typical product requirement]
> 
> * Curve25519 is viewed as a couple-of-years forward solution and so the questions of integration with other standards is out of scope for the Curve25519 decision [perhaps because the focus is on currently common Intel x86 CPUs, ARMs?]
> 
> <other possibilities, I am sure>…

Curve25519 becomes fairly widely implemented, and there are standards to define its use in TLS and IKE. Some browsers and a few VPN products implement it, as do a few server libraries such as OpenSSL. After a while, Curve25519 and P-256 exist in parallel, much like Camelia and AES, but because NIST is more prominent in users’ minds than the IETF, P-256 remains what people think is the “gold standard”, but some prefer Curve25519 for its performance.

Just another possibility…

Yoav

v2.23.0 | Report a Bug | By Email