Re: [Cfrg] ECC reboot
Rob Stradling <rob.stradling@comodo.com> Thu, 23 October 2014 10:44 UTC
Return-Path: <rob.stradling@comodo.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F4331A89AE for <cfrg@ietfa.amsl.com>; Thu, 23 Oct 2014 03:44:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.41
X-Spam-Level: *
X-Spam-Status: No, score=1.41 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HELO_MISMATCH_NET=0.611, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TTqnfIGDdpEc for <cfrg@ietfa.amsl.com>; Thu, 23 Oct 2014 03:44:01 -0700 (PDT)
Received: from ian.brad.office.comodo.net (eth5.brad-fw.brad.office.ccanet.co.uk [178.255.87.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C5F291A8ABC for <cfrg@irtf.org>; Thu, 23 Oct 2014 03:43:52 -0700 (PDT)
Received: (qmail 29959 invoked by uid 1000); 23 Oct 2014 10:43:47 -0000
Received: from and0004.comodo.net (HELO [192.168.0.58]) (192.168.0.58) (smtp-auth username rob, mechanism plain) by ian.brad.office.comodo.net (qpsmtpd/0.40) with (AES128-SHA encrypted) ESMTPSA; Thu, 23 Oct 2014 11:43:47 +0100
Message-ID: <5448DBE2.10107@comodo.com>
Date: Thu, 23 Oct 2014 11:43:46 +0100
From: Rob Stradling <rob.stradling@comodo.com>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: Alyssa Rowan <akr@akr.io>, "cfrg@irtf.org" <cfrg@irtf.org>
References: <D065A817.30406%kenny.paterson@rhul.ac.uk><54400E9F.5020905@akr.io><CAMm+LwhVKBfcfrXUKmVXKsiAMRSTV+ws+u07grmxkfnR2oYJoQ@mail.gmail.com><5218FD35-E00A-413F-ACCB-AA9B99DEF48B@shiftleft.org><m3r3y6z3z8.fsf@carbon.jhcloos.org><CA+Vbu7x4Y_=JZ9Ydp=U5QnJokL28QMQnV4XUn9S6+CUZR9ozEw@mail.gmail.com><5444D89F.5080407@comodo.com> <90C609A5-ECB2-4FDC-9669-5830F3463D2B@akr.io>
In-Reply-To: <90C609A5-ECB2-4FDC-9669-5830F3463D2B@akr.io>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/RdR9kWlwPvr8_cYnCNJztAz0fJA
Subject: Re: [Cfrg] ECC reboot
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Oct 2014 10:44:05 -0000
On 20/10/14 14:05, Alyssa Rowan wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > On 20 October 2014 10:40:47 BST, Rob Stradling <rob.stradling@comodo.com> wrote: > >> When we generated our ECC root CA keys in 2008, secp384r1 seemed like the best choice. secp521r1 wasn't in Suite B, and it seemed likely that Suite B compliance would be a requirement for some of our customers. > > Why not secp256r1? (I'm guessing the big reason was because the TS profile required ≈WF192 and you wanted one root to be suitable for both profiles if you could?) That was certainly part of the reason. The other part was that a competitor had already chosen secp384r1, so it seemed safest to follow suit. :-) > It's a bit early to say, but (open question to all) if we picked one curve at ≈WF128, would you in principle be comfortable with having roots of that strength? In principle, yes, but... > What about if we picked two: one fast secure curve at 128 and one at some higher "paranoid" grade (be it 384, 448, 480, 512, 521, 607...)? Which would you perhaps consider using when? Would you have one root at each level, or a shared root at the paranoid level? I'm inclined to agree with my colleague PHB, who wrote recently: "The Web PKI will almost certainly be based exclusively on the ~512 level curve. The roots certainly will." The various browser root programs place limits on the total number of roots per CA. So whilst a ≈WF128 root could be useful, I think there's a very good chance that we won't have the option to embed both ≈WF128 and ≈WF<paranoid> roots. > What kinds of things would you need to be able to have such a root? I'm guessing, bringing it back home to the weekly topic, that 'high-assurance' crypto hardware of some form would be highly desirable for that. But what does that mean to *you*? Yes, we would need at least one HSM that can generate keys and signatures on the new curves. The speed of the implementation won't matter much. If the new curves are to be used with ECDSA (unlikely?) then I think it might even be possible to persuade existing HSMs to do the job. PKCS#11 supports ANSI x9.62 "EC domain parameters" as well as named curves, for example. > I say this because I don't think the initial target market for these new curves necessarily includes those mandated to use Suite B (although never say never!), I don't think government approval will drive adoption this time, and also the assurances people ask of Web PKI CAs in particular seem to be strengthening considerably relative to where they were (cf: Certificate Transparency, et al). Agreed. >> TLS clients commonly don't specify RSA/SHA-512 and ECDSA/SHA-512 in the TLS signature_algorithms extension. Some servers respond by refusing to serve certs with SHA-512 signatures. > > Thanks for that note. The TLS WG and user-agent participants should probably bear this in mind, down the line, if whatever we come up with is to be accepted and used. > > - -- > /akr > -----BEGIN PGP SIGNATURE----- > Version: APG v1.1.1 > > iQI3BAEBCgAhBQJURQiIGhxBbHlzc2EgUm93YW4gPGFrckBha3IuaW8+AAoJEOyE > jtkWi2t6lFAP/04NXnjKWHI34cZ2OYIs+qCP4q35hKFvbtAX+7MECPmlF+4lrpbS > /Hzu8bjjsLVphsTWbXo8bW7sXCLWzHGkcL4QuvZM56ArngvP17EK3tZIgkFiOjKY > D+hlGskjcAgXDhRvyaEvimuUHQ9BVWmGft0XPnMSucBckq634Bbw3VSdzhq+0yAV > 5awXzKeTkrI9sYrwSXZ/P9TN/ejVjfI0t3KU+RxdMPWTY8psbmXsuaMT8ny4EkOi > PhskwFNb5rndfRBEq/rnenhXAgTnUJVf51vBhU8YOKZLy2NojcZ2Wjy5YOQuDepQ > GE3phWRqxCA4hnhbnNHcguxnlh5B6y5OzEYd/9/Iaia/brj7H3eYvc84RnG1H9Fl > VTkBrAZUUmtcmdnTlNnEBQQ/pmSlGWZsIhLYPueXD43yAggMvP8YffURKADFfm6J > Om5BmI2JVWjFpDjQA7e9NKL6niTJUccqUkHNjm54wEwIuh0zcKJCBzZ4P4cUU+vk > T5BDy3AoVLFT9uVOXV/vXkTA3xcOtlLaUgnTa3CzRR9IuoIewPncK1MurP6I37jA > XzcupAFmTgiDcITjKAm2xzaVzJwWByBbtuvaMBKRFbA1UK++y9/YWnhalwsEmNYf > lo5LnvTuJa/SvmPcpLHqtqeTIIV3rWVdn5GVbZOx5jxao5KK19b/7kMF > =tB0e > -----END PGP SIGNATURE----- > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > http://www.irtf.org/mailman/listinfo/cfrg > -- Rob Stradling Senior Research & Development Scientist COMODO - Creating Trust Online Office Tel: +44.(0)1274.730505 Office Fax: +44.(0)1274.730909 www.comodo.com COMODO CA Limited, Registered in England No. 04058690 Registered Office: 3rd Floor, 26 Office Village, Exchange Quay, Trafford Road, Salford, Manchester M5 3EQ This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender by replying to the e-mail containing this attachment. Replies to this email may be monitored by COMODO for operational or business reasons. Whilst every endeavour is taken to ensure that e-mails are free from viruses, no liability can be accepted and the recipient is requested to use their own virus checking software.
- Re: [Cfrg] ECC reboot (Was: When's the decision?) Paterson, Kenny
- Re: [Cfrg] ECC reboot (Was: When's the decision?) Johannes Merkle
- Re: [Cfrg] ECC reboot (Was: When's the decision?) Paterson, Kenny
- Re: [Cfrg] ECC reboot (Was: When's the decision?) Ilari Liusvaara
- Re: [Cfrg] ECC reboot (Was: When's the decision?) Alyssa Rowan
- Re: [Cfrg] ECC reboot (Was: When's the decision?) Andy Lutomirski
- Re: [Cfrg] ECC reboot (Was: When's the decision?) Ilari Liusvaara
- Re: [Cfrg] ECC reboot (Was: When's the decision?) Alyssa Rowan
- Re: [Cfrg] ECC reboot (Was: When's the decision?) Johannes Merkle
- Re: [Cfrg] ECC reboot (Was: When's the decision?) Alyssa Rowan
- Re: [Cfrg] ECC reboot (Was: When's the decision?) Ilari Liusvaara
- Re: [Cfrg] ECC reboot (Was: When's the decision?) Johannes Merkle
- Re: [Cfrg] ECC reboot (Was: When's the decision?) Hallof, Andreas
- Re: [Cfrg] ECC reboot (Was: When's the decision?) Manuel Pégourié-Gonnard
- Re: [Cfrg] ECC reboot (Was: When's the decision?) David Leon Gil
- Re: [Cfrg] ECC reboot (Was: When's the decision?) Hallof, Andreas
- Re: [Cfrg] ECC reboot (Was: When's the decision?) Watson Ladd
- Re: [Cfrg] ECC reboot (Was: When's the decision?) Michael Hamburg
- Re: [Cfrg] ECC reboot (Was: When's the decision?) David Leon Gil
- Re: [Cfrg] ECC reboot (Was: When's the decision?) Phillip Hallam-Baker
- Re: [Cfrg] Hardware requirements, Brainpool (was:… Alyssa Rowan
- Re: [Cfrg] ECC reboot (Was: When's the decision?) Michael Hamburg
- Re: [Cfrg] ECC reboot (Was: When's the decision?) Stephen Farrell
- Re: [Cfrg] ECC reboot (Was: When's the decision?) Watson Ladd
- Re: [Cfrg] ECC reboot James Cloos
- Re: [Cfrg] ECC reboot (Was: When's the decision?) Phillip Hallam-Baker
- Re: [Cfrg] ECC reboot (Was: When's the decision?) Benjamin Black
- Re: [Cfrg] ECC reboot Benjamin Black
- Re: [Cfrg] ECC reboot (Was: When's the decision?) Michael Hamburg
- Re: [Cfrg] ECC reboot (Was: When's the decision?) Watson Ladd
- Re: [Cfrg] ECC reboot Rob Stradling
- Re: [Cfrg] ECC reboot Alyssa Rowan
- [Cfrg] W3C WebCrypto WG Liasioning [was Re: ECC r… Harry Halpin
- Re: [Cfrg] ECC reboot (Was: When's the decision?) Lochter, Manfred
- Re: [Cfrg] ECC reboot (Was: When's the decision?) Ilari Liusvaara
- Re: [Cfrg] ECC reboot (Was: When's the decision?) Lochter, Manfred
- Re: [Cfrg] ECC reboot (Was: When's the decision?) Tanja Lange
- Re: [Cfrg] ECC reboot (Was: When's the decision?) Alyssa Rowan
- Re: [Cfrg] ECC reboot (Was: When's the decision?) Lochter, Manfred
- Re: [Cfrg] ECC reboot (Was: When's the decision?) Alyssa Rowan
- Re: [Cfrg] ECC reboot (Was: When's the decision?) Johannes Merkle
- Re: [Cfrg] ECC reboot Rob Stradling
- Re: [Cfrg] ECC reboot (Was: When's the decision?) Ilari Liusvaara
- Re: [Cfrg] ECC reboot Watson Ladd
- Re: [Cfrg] ECC reboot Phillip Hallam-Baker
- Re: [Cfrg] ECC reboot Phillip Hallam-Baker
- Re: [Cfrg] ECC reboot Alyssa Rowan
- Re: [Cfrg] ECC reboot Andy Lutomirski
- Re: [Cfrg] ECC reboot Phillip Hallam-Baker
- Re: [Cfrg] ECC reboot Andy Lutomirski
- Re: [Cfrg] ECC reboot Ilari Liusvaara
- Re: [Cfrg] ECC reboot Michael Hamburg
- Re: [Cfrg] ECC reboot Rob Stradling
- Re: [Cfrg] ECC reboot Phillip Hallam-Baker
- Re: [Cfrg] ECC reboot Andy Lutomirski
- Re: [Cfrg] ECC reboot Watson Ladd
- Re: [Cfrg] ECC reboot Samuel Neves
- Re: [Cfrg] ECC reboot Michael Hamburg
- Re: [Cfrg] ECC reboot Michael Hamburg
- Re: [Cfrg] ECC reboot Ilari Liusvaara