Re: [Cfrg] [TLS] Unwarrented change to point formats

Watson Ladd <watsonbladd@gmail.com> Sun, 27 July 2014 22:33 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7FAB11A03FE for <cfrg@ietfa.amsl.com>; Sun, 27 Jul 2014 15:33:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WEkfHO3Cw5GA for <cfrg@ietfa.amsl.com>; Sun, 27 Jul 2014 15:33:16 -0700 (PDT)
Received: from mail-yh0-x231.google.com (mail-yh0-x231.google.com [IPv6:2607:f8b0:4002:c01::231]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8E4271A0451 for <cfrg@irtf.org>; Sun, 27 Jul 2014 15:33:15 -0700 (PDT)
Received: by mail-yh0-f49.google.com with SMTP id b6so4337700yha.8 for <cfrg@irtf.org>; Sun, 27 Jul 2014 15:33:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=vBh6iBeDgFgUBCPjQsRswp8fBVq0yJ+ou2ogJYpgINA=; b=kr3vVx4WYsYA4vZGxz+DMsK/4bvwfzeago5Vu6/iD4Skg/XdfHa8a1QDb8p6L2hyzd 8pLJ3UtZ1b2krHy90FWUBBxO+ehzZK6I4KIl1VU7ox2RVp+1Kymwc4yDiogfhguem/yS tmAlGN/Ufhcq9aC9e3bTDqKcrej4Fx4oxrx0Xf9J4RweErR9sPfckCfHCpw8bH+81wM4 W8B+U16QWNRgxAM2Wi/3GG8DAHNKU4LPhS930rlgtA0Dq1IRvaU0Ahp+qKVbzkvNeOLX S5XU2SV1T8G2ejQ3D0Gm1g6sgDFZ4xeOEyBKX+6EUxV7mGgSHFceXXc72hC5XS601/M7 JyBQ==
MIME-Version: 1.0
X-Received: by 10.236.51.228 with SMTP id b64mr46073920yhc.93.1406500394726; Sun, 27 Jul 2014 15:33:14 -0700 (PDT)
Received: by 10.170.202.8 with HTTP; Sun, 27 Jul 2014 15:33:14 -0700 (PDT)
In-Reply-To: <CABcZeBNKj2B2-sHAXegXYYEAqYN2GjwAVJL7LSUW6kQY-njoNw@mail.gmail.com>
References: <CACsn0cnf64Lj0om9hzvfZymo1KRG6FOiicfcDw3ysfGwaAby3g@mail.gmail.com> <ACA887E2-DFE3-41A3-9A75-BAA72843169A@rhul.ac.uk> <CABcZeBMUTZM1y+oxTAjemw=LSWTycJNDdKPUou+H+ML3LHWPqw@mail.gmail.com> <CACsn0cnMcSp1G0j6_1ZGr9nZB8ncOyiUkJQS+dCkjeGByZUh6A@mail.gmail.com> <CABcZeBNKj2B2-sHAXegXYYEAqYN2GjwAVJL7LSUW6kQY-njoNw@mail.gmail.com>
Date: Sun, 27 Jul 2014 15:33:14 -0700
Message-ID: <CACsn0cmoXxPj4iKYuKrvtPXJ8nRxG8rQaOY5WzJRiFA9rdj0pw@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/i1tuU9QxsWkUVNLZBAqXGrV5Hv4
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [Cfrg] [TLS] Unwarrented change to point formats
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 27 Jul 2014 22:33:17 -0000

On Sun, Jul 27, 2014 at 2:37 PM, Eric Rescorla <ekr@rtfm.com> wrote:
> On Sun, Jul 27, 2014 at 1:39 PM, Watson Ladd <watsonbladd@gmail.com> wrote:
>>
>> On Sun, Jul 27, 2014 at 1:26 PM, Eric Rescorla <ekr@rtfm.com> wrote:
>
>
>>
>> > To take a specific set of cases. TLS has three major uses for public key
>> > crypto of this type:
>> >
>> > - Key establishment
>> > - Digital signatures over handshake messages (ServerKeyExchange,
>> >   CertificateVerify, etc.)
>> > - Digital signatures over certificates.
>> >
>> > It seems likely that key establishment shares common requirements for
>> > multiple protocols. Similarly, it would be quite convenient if the
>> > signatures
>> > used in TLS were the same as those used for the certificates used for
>> > TLS,
>> > even though the latter are not defined in TLS. So, when I say an
>> > IETF-wide
>> > set of recommendations that's the kind of thing I mean.
>> >
>> > I wasn't aware that any of this was particularly controversial.
>>
>> You had a draft in hand, got a reply that "yeah, looks good", and then
>> went back to ask for
>> a completely different design process, for reasons never discussed.
>> It's the second round
>> that's confusing me.
>
>
> This does not match my understanding of the history.
>
> Rather, here's my memory:
>
> 1. We asked the CFRG for a recommendation.
>
> 2. The CFRG held an interim discussion where a lot of good things
> were said about Curve25519 but the CFRG never made a recommendation
> to the TLS WG, but instead said it would come back and make
> a recommendation.
>
> 3. The TLS Chairs sent the CFRG chairs a written request to make
> such a recommendation (my memory is that they actually asked us
> to write something down, but I don't immediately see it in my mail.)
>
> Which brings us to the current process being run in CFRG.

And that's exactly the problem: instead of asking "is this proposed
curve secure" or "are the arguments in favor of
Curve25519 largely correct" you want CFRG to evaluate things it really
can't. How do we know if uptake in TLS will
be slowed by being non-Weierstrass?  How do we evaluate if
implementors want to implement Montgomery and
twisted Edwards arithmetic vs. just one?

I don't see why this couldn't have ended in March with "well, no
security concerns were identified, so Curve25519
will be in TLS".

Sincerely,
Watson Ladd

>
> -Ekr
>
>



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin