Re: [Cfrg] On why point and APIs formats matter (Re: Submission of curve25519 to NIST from CFRG -> was RE: On "non-NIST")

[Viktor Dukhovni <ietf-dane@dukhovni.org>]

On Tue, Mar 10, 2015 at 07:20:31PM -0700, Watson Ladd wrote:

> > Your concerns about endianness are a trivial in comparison to the
> >
> > overall industry change to new public key algorithms.  Please have some
> > focus
> >
> > and do not add noise to the topic.
> 
> No, they aren't: they are actually much more important than the
> question of which curve to use.

Though I still retain enough graduate school mathematics to understand
the fundamentals of EC crypto, I am not a mathematician or cryptographer.
Rather, these days I am an implementor of applications that employ
crypto, most notably Postfix where I maintain the SMTP TLS feature-set,
and I have plans to contribute DANE support to one or more TLS libraries.

So with my implementor hat on (the only hat that fits here), I'd
like very much to second Watson's remarks.

In the DANE space with 24 different combinations of the TLSA (usage,
selector, mtype) parameters not only do essentially all the other
implementations I've tried to read offer incomplete support for
some corner cases, they are also insecure for a subset of the
parameters!  On top of that, users get confused and publish
incorrect records.

Yes, the analogy is rather imperfect, but I believe that the key
observations Watson makes are relevant.

(In)security will depend a lot more on how easy it is to implement
the design incorrectly than on how easy it will be to perform a
cryptanalytic attack.  The curves considered here are sufficiently
strong to make implementation considerations be a key differentiator.

So if we can agree that 25519 with a fixed length little-endian
octet-string encoding (not variable length big-endian int) is more
robust in the hands of mortal implementors, that should be given
due consideration.

-- 
	Viktor.