Re: [Dcrup] I do not like the dcrup ECC document

Brandon Long <blong@google.com> Mon, 10 July 2017 23:08 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/gCizg_XvJsdYdw4HbJvwdjvUiBc>

On Sun, Jul 9, 2017 at 11:50 PM, Murray S. Kucherawy <superuser@gmail.com>
wrote:

> On Sun, Jul 9, 2017 at 2:14 PM, John R Levine <johnl@taugh.com> wrote:
>
>> RFC 6376 describes in great detail in section 3.7 how to create the
>> material to be signed.  What it ends up with is a sha-256 hash, but that's
>> not the signing algorithm's problem.  I say PureEdDSA to emphasize that it
>> doesn't get hashed again.
>>
>> As it stands now, the RSA and EdDSA signing algorithms sign the same
>> thing.  I suppose I could extensively rewrite the signing instructions so
>> that stuff to be signed by RSA is hashed while stuff to be signed by EdDSA
>> is not because it'll use HashEdDSA, but that seems a lot of work and a lot
>> of code changes for no benefit.
>>
>
> +1, unless there is such benefit and someone could describe it (or point
> us to a reference that does so).
>

Is there any cryptographic reason why doing this is worse?

Brandon
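
The arrangement described in the quoted text above, where RSA and PureEdDSA are both handed the RFC 6376 section 3.7 SHA-256 digest, as an added Go example that is not part of the original message or of any DKIM implementation. The keys, header values and DKIM-Signature tag list are constructed, and the a= tag is left out so that one digest can feed both algorithms.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"strings"
)

// relaxed canonicalizes one unfolded header field (RFC 6376 "relaxed").
func relaxed(name, value string) string {
	return strings.ToLower(strings.TrimSpace(name)) + ":" + strings.Join(strings.Fields(value), " ")
}

// DataHash returns the section 3.7 hash input and its SHA-256 digest: the signed
// fields, then the DKIM-Signature field with empty b= and no trailing CRLF.
func DataHash(fields [][2]string, dkimSig string) ([]byte, []byte) {
	var sb strings.Builder
	for _, f := range fields {
		sb.WriteString(relaxed(f[0], f[1]) + "\r\n")
	}
	sb.WriteString(relaxed("DKIM-Signature", dkimSig))
	d := sha256.Sum256([]byte(sb.String()))
	return []byte(sb.String()), d[:]
}

// Demo uses constructed keys and header values (a= is omitted so one digest
// can feed both algorithms) and reports which verifications succeed.
func Demo() (rsaOK, edOK, edOverRaw bool) {
	raw, digest := DataHash([][2]string{{"From", "Alice  <alice@example.com>"},
		{"Subject", " Q3\treport "}}, "v=1; d=example.com; s=sel; h=from:subject; bh=PLACEHOLDER; b=")
	rk, err1 := rsa.GenerateKey(rand.Reader, 2048)
	pub, ek, err2 := ed25519.GenerateKey(rand.Reader)
	if err1 != nil || err2 != nil {
		panic("key generation failed")
	}
	// RSA is told the input is a SHA-256 digest; PureEdDSA takes it as the message.
	rsaSig, err := rsa.SignPKCS1v15(rand.Reader, rk, crypto.SHA256, digest)
	if err != nil {
		panic(err)
	}
	edSig := ed25519.Sign(ek, digest)
	rsaOK = rsa.VerifyPKCS1v15(&rk.PublicKey, crypto.SHA256, digest, rsaSig) == nil
	return rsaOK, ed25519.Verify(pub, digest, edSig), ed25519.Verify(pub, raw, edSig)
}

func main() { fmt.Println(Demo()) }
```

The third result is false because the Ed25519 signature covers the 32-byte digest, not the canonicalized header text, so a verifier has to rebuild the same digest before checking either kind of signature.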