IETF Logo Mail Archive

Re: [IPsec] Working group last call for the draft-nir-ipsecme-eddsa-00

David Schinazi <dschinazi@apple.com> Sun, 12 March 2017 23:21 UTC

Return-Path: <dschinazi@apple.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF46612949F for <ipsec@ietfa.amsl.com>; Sun, 12 Mar 2017 16:21:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kFQQ8D40PifR for <ipsec@ietfa.amsl.com>; Sun, 12 Mar 2017 16:21:35 -0700 (PDT)
Received: from mail-in7.apple.com (mail-out7.apple.com [17.151.62.29]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F0D3D12949B for <ipsec@ietf.org>; Sun, 12 Mar 2017 16:21:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=apple.com; s=mailout2048s; c=relaxed/simple; q=dns/txt; i=@apple.com; t=1489360894; h=From:Sender:Reply-To:Subject:Date:Message-id:To:Cc:MIME-version:Content-type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-reply-to:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=Z946xoZ0QDjfuscaJUhxfdoNLHPoiSXMvmGZ/BBkgxE=; b=K4cbUi57xdBzhx7txvWaVCqS3uKnJSFexLaBRIDFI+2fdxDEgB8o9vVbkWSCBI6j zc2emSpfUf+Wl9kb15qJDMtktsfj3FJGKqFWTYyeMK4iul2HQsylLOjFHjfC16MN I96b5xRirP5jgeQ5NItg+YntCoDuTrOpS7iqsd0NuFLq0NJYegcRBRYZTLFGDBkW w0yq7tLLzzAxQrvR//6lrX+FzYtgv9cYjvIpSGm3CnkAQswIJ8t+KsP43zeF74Ws NVzR6dlJE9F6jGfo15x5hAcrn9jfBvCUNSAlsTSEfKry0n+eh4tuusllD0Gz08hV 9jg3fCg/P8dEkKKtUsM8oQ==;
Received: from relay8.apple.com (relay8.apple.com [17.128.113.102]) by mail-in7.apple.com (Apple Secure Mail Relay) with SMTP id 5B.BC.20305.BF7D5C85; Sun, 12 Mar 2017 16:21:34 -0700 (PDT)
X-AuditID: 11973e16-935ff70000004f51-bc-58c5d7fb64e1
Received: from kencur (kencur.apple.com [17.151.62.38]) by relay8.apple.com (Apple SCV relay) with SMTP id E9.A6.07296.AF7D5C85; Sun, 12 Mar 2017 16:21:31 -0700 (PDT)
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_vOajKaWsgz6lzGlbo779gQ)"
Received: from [17.153.45.50] (unknown [17.153.45.50]) by kencur.apple.com (Oracle Communications Messaging Server 8.0.1.2.20170210 64bit (built Feb 10 2017)) with ESMTPSA id <0OMQ00J8O67TE580@kencur.apple.com>; Sun, 12 Mar 2017 16:21:30 -0700 (PDT)
Sender: dschinazi@apple.com
From: David Schinazi <dschinazi@apple.com>
Message-id: <01846746-E380-4179-B8D6-8972AE6C20ED@apple.com>
Date: Sun, 12 Mar 2017 16:21:28 -0700
In-reply-to: <1454D9C7-7E51-49AE-B0FC-26EDBA73552C@gmail.com>
To: Yoav Nir <ynir.ietf@gmail.com>
References: <22683.8182.349840.103676@fireball.acr.fi> <D28C9CC6-FD00-4A42-8451-F9B0AA83E4BF@apple.com> <22684.25414.470545.969594@fireball.acr.fi> <32d17f6f-3b55-a275-9fe5-960833899780@strongswan.org> <22692.28549.958589.705943@fireball.acr.fi> <CADZyTk=vG-grQvRWnnUVOdO2p5KGMpKONGkgax2pNjFey2TxAw@mail.gmail.com> <1454D9C7-7E51-49AE-B0FC-26EDBA73552C@gmail.com>
X-Mailer: Apple Mail (2.3251)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrOLMWRmVeSWpSXmKPExsUi2FCYpvvv+tEIg/8fBSymTN/DZrF/yws2 i6Pnn7NZLD32gcmBxePX16tsHjtn3WX3WLLkJ5PH4a8LWQJYorhsUlJzMstSi/TtErgynm9q Zim4uIix4vj0JpYGxjfdjF2MnBwSAiYSHRt+MHcxcnEICexjlHj35CRTFyMHWOLkAiOI+ApG iW9dz5lBGngFBCV+TL7HAmIzC4RJTFl+gBGiqJFJ4v7xp0wgCWEBaYmuC3dZQQaxCWhJHFhj BNFrI9G8cB4jRIm/xOVlO8FsFgFVifMrjoDZnAK2Eu/f32WDmF8i0XSnB2yviICSxOErX6EO /c4ksfh0J9QHshKfnv9khzj6MZvEb8UJjEKzkJw6C8mps4CqmAXUJaZMyYUIa0s8eXeBFcJW k1j4exETsvgCRrZVjEK5iZk5upl55nqJBQU5qXrJ+bmbGEExM91ObAfjw1VWhxgFOBiVeHg3 zDoaIcSaWFZcmXuIUZqDRUmcd/GUwxFCAumJJanZqakFqUXxRaU5qcWHGJk4OKUaGCfMTMgp zuTzDtn2T31zaPrG+72fop1mOdU8t3m+69vbaOPOgL0zZ3twnzv0L6U/bVfGjwl/WBZKTnU9 06S22XDrlastizKXlO5wX+O9uaX6895Vi3zsBP1d2lUnC8zVi9LufnWv+lz/rds/t70T9Ixs 65/c95FfueDV/t0f+4tc5tSdvBk9XVaJpTgj0VCLuag4EQBZAU+iegIAAA==
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrMIsWRmVeSWpSXmKPExsUiON1OTff39aMRBrd3cFtMmb6HzWL/lhds FkfPP2ezWHrsA5MDi8evr1fZPHbOusvusWTJTyaPw18XsgSwRHHZpKTmZJalFunbJXBlPN/U zFJwcRFjxfHpTSwNjG+6GbsYOTgkBEwkTi4w6mLk4hASWMEo8a3rOXMXIycHr4CgxI/J91hA bGaBMIkpyw8wQhQ1MkncP/6UCSQhLCAt0XXhLivIIDYBLYkDa4wgem0kmhfOY4Qo8Ze4vGwn mM0ioCpxfsURMJtTwFbi/fu7bBDzSySa7vSA7RURUJI4fOUrM8Su70wSi093gjVICMhKfHr+ k30CI/8sJPfNQnLfLKAzmAXUJaZMyYUIa0s8eXeBFcJWk1j4exETsvgCRrZVjAJFqTmJlRZ6 iQUFOal6yfm5mxhBYd5QmLaDsWm51SFGAQ5GJR7eDbOORgixJpYVV+YeYpTgYFYS4W28BhTi TUmsrEotyo8vKs1JLT7EOJER6MuJzFKiyfnAKMwriTc0MTEwMTY2MzY2NzGnpbCSOK/OrMMR QgLpiSWp2ampBalFMEcxcXBKNTC6fis8L8jWsHVm+/sJPSwhqv9nHun7dn7mvj/v/Z4mTPh9 8LS9hZ2qjYP1090+ovUX9nj92pLYe4/L53jjlPCy5PNXTKv/z39d9+GmffCJy3+yytnzu732 na6UY0gQdl45V2HhusxSkZdqnjInb5s2sFz7uvN2yErJNq+QHVKbbQuev3f5E9GixFKckWio xVxUnAgAVQkMwuYCAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/-8jTNo6d4Gyly8623ls35FRAXyI>
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, Daniel Migault <daniel.migault@ericsson.com>, Tero Kivinen <kivinen@iki.fi>
Subject: Re: [IPsec] Working group last call for the draft-nir-ipsecme-eddsa-00
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 12 Mar 2017 23:21:37 -0000

Yoav,

The diff looks good to me.

Based on the discussion in this thread, it looks like there is consensus
to not use 0 as the value for Identity.
Would it make sense to reflect that in the document?
The "IANA Considerations" section currently states:

IANA is requested to assign a new value from the "IKEv2 Hash
Algorithms" registry with name "Identity" and this document as
reference.  Since the value zero was reserved by RFC 7427 and this
"Identity" hash is no hash at all, assigning the value zero to
Identity seems appropriate.

Could we replace this with:

IANA is requested to assign a new value from the "IKEv2 Hash
Algorithms" registry with name "Identity" and this document as
reference. Since several current implementation already use
the value zero with a different meaning, assigning the next
available value (currently 5) seems appropriate.

Thanks,
David


> On Mar 12, 2017, at 11:14, Yoav Nir <ynir.ietf@gmail.com> wrote:
> 
> Hi, Daniel.
> 
> See my comments inline.
> 
> Also see this pull request:  https://github.com/ietf-ipsecme/drafts/pull/25 <https://github.com/ietf-ipsecme/drafts/pull/25>
> 
> Unless I hear some push-back, I will submit this right before the deadline.
> 
> Yoav
> 
>> On 8 Mar 2017, at 20:49, Daniel Migault <daniel.migault@ericsson.com <mailto:daniel.migault@ericsson.com>> wrote:
>> 
>> Hi, 
>> 
>> Please find my comments regarding the draft. I believe the draft is ready to be moved forward. I do not have strong opinion on the value to assign. 
>> 
>> Yours, 
>> 
>> Daniel
>> 
>>    The Internet Key Exchange protocol [RFC7296] can use arbitrary
>>    signature algorithms as described in [RFC7427].  The latter RFC
>>    defines the SIGNATURE_HASH_ALGORITHMS notification where each side of
>>    the IKE negotiation lists its supported hash algorithms.  This
>>    assumes that all signature schemes involve a hashing phase followed
>>    by a signature phase.  This made sense because most signature
>>    algorithms either cannot sign messages bigger than their key or
>>    truncate messages bigger than their key.   
>>    
>>    EdDSA ([I.D-eddsa]) defines signature methods that do not require
>>    pre-hashing of the message.  Unlike other methods, these accept
>>    arbitrary-sized messages, so no pre-hashing is required.  These
>>    methods are called Ed25519 and Ed448, which respectively use the
>>    Edwards 25519 and the Edwards 448 ("Goldilocks") curves.  Although
>>    that document also defines pre-hashed versions of these algorithm,
>>    those versions are not recommended for protocols where the entire to-
>>    be-signed message is available at once.
>> 
>> MGLT: I think that a pointer for the recommendation should be provided - section 10.5 of I.D-eddsa. 
> 
> Added. Except that now it’s in section 8.5 of RFC 8032.
> 
>> The first sentence of the paragraph above confuses me. Although this si true, I prefer to say that  EdDSA ([I.D-eddsa]) defines signatures methods that includes pre-hasing as well as signature methods that do not require prehashing. 
> 
> Yes, but the first paragraph is all about the assumption that all signature methods have a pre-hash stage. The new thing about EdDSA is that it introduces a method that does not have a pre-hash stage. The fact that we are not even specifying the use of EdDSA with pre-hash is all the more reason to push the mention of this to the end of the paragraph.
> 
> How about:
> 
>    EdDSA ([RFC8032]) defines signature methods that do not require pre-
>    hashing of the message.  Unlike other methods, these accept
>    arbitrary-sized messages, so no pre-hashing is required.  These
>    methods are called Ed25519 and Ed448, which respectively use the
>    Edwards 25519 and the Edwards 448 ("Goldilocks") curves.  Although
>    that document also defines pre-hashed versions of these algorithm,
>    those versions are not recommended for protocols where the entire to-
>    be-signed message is available at once.  See section 8.5 or RFC 8032
>    for that recommendation.
> 
>>    
>>    EdDSA defines the binary format of the signatures that should be used
>>    in the "Signature Value" field of the Authentication Data Format in
>>    section 3.  The CURDLE PKIX document ([I.D-curdle-pkix]) defines the
>>    object identifiers (OIDs) for these signature methods.  For
>>    convenience, these OIDs are repeated in Appendix A.
>> 
>> MGLT: Note that the pkix document is still on discussion. -- Although IOD seems out of the scope of the discussion. 
> 
> Since I’m referencing an I-D normatively, they become a cluster. If Curdle decides to allocate other OIDs we’ll fix this specification as well. 
> 
> Not that any of us expect that to happen.
> 
> Yoav
> 
> BTW: RFC 8032 is Informational, while this document and RFC4492bis and the Curdle I-D are standards track. So I guess the shepherd’s write-up should reflect that RFC 8032 should be added to the downref registry.
> 
> 
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org <mailto:IPsec@ietf.org>
> https://www.ietf.org/mailman/listinfo/ipsec <https://www.ietf.org/mailman/listinfo/ipsec>

v2.23.0 | Report a Bug | By Email