Re: [Cfrg] big-endian short-Weierstrass please

[Phillip Hallam-Baker <phill@hallambaker.com>]

On Thu, Jan 29, 2015 at 4:28 PM, Blumenthal, Uri - 0558 - MITLL <
uri@ll.mit.edu> wrote:

> That seems irrelevant. Some people will never be convinced of some things
>> that most other people agree to.
>>
>
> What is being argued against here is making room for DIY curves.
>
> My point is that the only way to come up with an informed decision to use
> someone else's curves is to apply a vast amount of domain specific
> expertise plus really trust the supplier to not have something up their
> sleeves.
>
>
> Unless that “somebody else” is your boss, or somebody you have informed
> reasons to trust.
>
> Some people (and organizations *:*) tend to trust “their” experts, and
> not trust “other” experts as much. As an example – why didn’t NSA adopt
> Russian GOST, and why didn’t Russians adopt AES? Probably not because they
> question the competence of the other side? :-)
>

And such people are more than welcome to make use of the existing extension
features in TLS 1.x.

If you think you have the ability to do this for yourselfs then do it.


However I should point out that for TLS 2 I think a very different approach
should be taken.

* Exactly one preferred (MUST) and one backup algorithm (SHOULD) defined in
the protocol with an algorithm numbering scheme that allows only 255 values
for each. The objective being to keep algorithm changes to once a decade.
This would require us to rev the TLS major version at least once every
other millennia.

* All other crypto to be identified by ASN.1 OID on a 'its your funeral'
basis.


The rationale for this is that the IETF currently has three types of
algorithm.

1) Those that we have vetted and trust.
2) Those that we have assigned numbers to
3) Those that we have not

The problem in my view is that people seem to think that algorithms of type
2 are somehow different than type 3 and this is really not the case. We do
not have the bandwidth to validate vanity crypto and algorithms like GOST
are mandated by governments who murder their citizens on the streets of
London with polonium laced teapots. So I really don't feel like giving any
accreditation to such folk.

So lets just have two types of crypto algorithm: Those we are really
confident of and those we make no comment on.



> There should be a set of “universally” accepted curves, so that when you
> want to talk to a complete stranger – both of you would use what the
> “community” considers cryptographically OK (which belongs to that small
> commonly shared set). But that’s only half of use cases.
>

No, actually that is 100% of the uses for the Internet. All other cases are
'network' security and that is not our problem.

One of the problems with IP everywhere is that we have ended up in a
situation where it is assumed that we have a duty to solve every type of
networking problem.

I think providing security advice to people who don't want to follow our
security advice is the first thing to stop trying to do.