Re: [CFRG] guidance on using an Ed25519 keypair for x25519
Robert Moskowitz <rgm-sec@htt-consult.com> Tue, 21 June 2022 01:17 UTC
Return-Path: <rgm-sec@htt-consult.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1AD2BC15D4A0 for <cfrg@ietfa.amsl.com>; Mon, 20 Jun 2022 18:17:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.785
X-Spam-Level:
X-Spam-Status: No, score=-3.785 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-1.876, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BdIYf-Jlxy_u for <cfrg@ietfa.amsl.com>; Mon, 20 Jun 2022 18:17:54 -0700 (PDT)
Received: from z9m9z.htt-consult.com (z9m9z.htt-consult.com [23.123.122.147]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 56216C14F73E for <cfrg@irtf.org>; Mon, 20 Jun 2022 18:17:53 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by z9m9z.htt-consult.com (Postfix) with ESMTP id 9B80A62569; Mon, 20 Jun 2022 21:17:06 -0400 (EDT)
X-Virus-Scanned: amavisd-new at htt-consult.com
Received: from z9m9z.htt-consult.com ([127.0.0.1]) by localhost (z9m9z.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 6aCj9qiDOzsM; Mon, 20 Jun 2022 21:17:01 -0400 (EDT)
Received: from [192.168.68.67] (113.sub-174-211-35.myvzw.com [174.211.35.113]) (using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by z9m9z.htt-consult.com (Postfix) with ESMTPSA id 5A53B6250B; Mon, 20 Jun 2022 21:15:32 -0400 (EDT)
Message-ID: <662b705e-186c-56eb-2a02-cc702d2cb5cc@htt-consult.com>
Date: Mon, 20 Jun 2022 21:15:53 -0400
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.9.0
Content-Language: en-US
To: Manu Sporny <msporny@digitalbazaar.com>, cfrg@irtf.org
References: <c767d783-67b7-e43e-b438-96c1e361ea64@htt-consult.com> <37419b07-7a22-34c1-d596-643ae5d20d4e@digitalbazaar.com>
From: Robert Moskowitz <rgm-sec@htt-consult.com>
In-Reply-To: <37419b07-7a22-34c1-d596-643ae5d20d4e@digitalbazaar.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/U6p9a--EESBrT16BP1WvCnJ8b-U>
Subject: Re: [CFRG] guidance on using an Ed25519 keypair for x25519
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Jun 2022 01:17:58 -0000
This is for my DRIP work. The basis is Ed25519 signing: https://datatracker.ietf.org/doc/draft-ietf-drip-rid/ https://datatracker.ietf.org/doc/draft-ietf-drip-auth/ But now the next step gets into secure communications. https://datatracker.ietf.org/doc/draft-moskowitz-drip-secure-nrid-c2/ Use 'standard' secure comm: DTLS, IPsec, and HIP, so Ed25519 works but DTLS and IKE need a boost to get the full Identity in the setup. However https://datatracker.ietf.org/doc/draft-moskowitz-drip-operator-privacy/ https://datatracker.ietf.org/doc/draft-moskowitz-drip-crowd-sourced-rid/ Get into using ECIES. A bit different domain of traffic, but it is advantageous to use the same keypair as the base identity. Also the ECIES is static-static so that adds to the challenge, needing a nonce at least. Bob On 6/20/22 19:44, Manu Sporny wrote: > On 6/20/22 6:44 PM, Robert Moskowitz wrote: >> This seems to pop up in places, and I found: >> >> https://eprint.iacr.org/2021/509 >> >> Is this covered in any IETF RFC? I am coming up empty; my search foo is >> weak.... > We point to that document in the 'did:key' Decentralized Identifier Method > specification: > > https://w3c-ccg.github.io/did-method-key/#derive-encryption-key-algorithm > > At least one place it's being used, AFAICT, is the OSCORE work: > > https://datatracker.ietf.org/doc/html/draft-ietf-core-oscore-groupcomm > > Specifically, in Section 2.4: Pairwise Keys. > > https://datatracker.ietf.org/doc/html/draft-ietf-core-oscore-groupcomm#section-2.4 > > You can find references to that document throughout the OSCORE specification. > > Hope that helps. > > On a related note, we've been told by security researchers that NIST is > unlikely to view such an operation as safe to use with US government systems, > even if the Thormarker proof is found to be valid, given the general policy > against key reuse at NIST. Has anyone else on here heard the same sort of > thing from NIST? > > -- manu >
- [CFRG] guidance on using an Ed25519 keypair for x… Robert Moskowitz
- Re: [CFRG] guidance on using an Ed25519 keypair f… Robert Moskowitz
- Re: [CFRG] guidance on using an Ed25519 keypair f… Manu Sporny
- Re: [CFRG] guidance on using an Ed25519 keypair f… Robert Moskowitz
- Re: [CFRG] guidance on using an Ed25519 keypair f… Göran Selander
- Re: [CFRG] guidance on using an Ed25519 keypair f… Robert Moskowitz
- Re: [CFRG] guidance on using an Ed25519 keypair f… Salz, Rich