IETF Logo Mail Archive

Re: [IPsec] Working group last call for the draft-nir-ipsecme-eddsa-00

Yoav Nir <ynir.ietf@gmail.com> Sun, 12 March 2017 18:14 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 72900129477 for <ipsec@ietfa.amsl.com>; Sun, 12 Mar 2017 11:14:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yP2Lvn5WMQpb for <ipsec@ietfa.amsl.com>; Sun, 12 Mar 2017 11:14:45 -0700 (PDT)
Received: from mail-wr0-x241.google.com (mail-wr0-x241.google.com [IPv6:2a00:1450:400c:c0c::241]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4351112945C for <ipsec@ietf.org>; Sun, 12 Mar 2017 11:14:45 -0700 (PDT)
Received: by mail-wr0-x241.google.com with SMTP id u108so17569968wrb.2 for <ipsec@ietf.org>; Sun, 12 Mar 2017 11:14:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=XIplgms4R+7drzDvHCMzHp4HsbfYATzaVOFLgXmlRFM=; b=Qen1egKzoxEcKajNVuDp1oKItp1+Hef3fejzdm6NPL35z9Cj71NPtq61lgZwLLkA+n rT+ZCjyaXg/Eez/KU03mpVJfPws/c22RwGQBPnbV1f5Wq+8nfvPJ26KPle8H4O/9dPIf tTyxUcAKJtdS8ucseoZLOJKYpDXCZrguj1RA1inRJovELZUCw0B5q4/KJXaZeo9Ad2km ZQVmF1EL7EFJSbtwNtl+RH5VnxmWqxATjnO9s3+pqt+qUTK5fHgWFNhb/D85izgwXDA5 qCmsHnQOeVP20uonDHV1RwomYsIhDKe05Wxs0IM365hNy2XGiQkinQbQ/AAqyS4i3yHT f9FA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=XIplgms4R+7drzDvHCMzHp4HsbfYATzaVOFLgXmlRFM=; b=pH7duEWU9vWU8t39pBVa10eH+YCFUVZCF2tLFRS/5a4kGqsqKUDNQHWaadCur1yY11 VDoyPaePRxMp1+TbmVQs64YwqLR+SvQnoKx8dUZKiHIUQ/zHtQO1Ulf4SmJQEq5S1Fgk sEiEXGLrkVH+/A0OBrgL1SZ/Q4rambQuJ6owptEn5sZqS2sGVvrko2nNc6XY4a2P2h3z qCWUpr02bif8nYOjxVx/5wLItxrFGLjgEYL025C8182Uik23J/LPUJQhyjH2wbQyttwP qHVLvh2FQVUo7yxRQJBcXd5APNQ232XBsFOdQHQ6AjpJQvjkYBt6ZEsI9rHw8yjVwydn mTIg==
X-Gm-Message-State: AMke39lp2Ztqwiut+B0y8iriMyu/tj5OxEy1R+yfTWt3OSMPt9xNqpaBNxKH1wfDs5en+Q==
X-Received: by 10.223.178.205 with SMTP id g71mr23475786wrd.158.1489342483748; Sun, 12 Mar 2017 11:14:43 -0700 (PDT)
Received: from [192.168.1.18] ([46.120.57.147]) by smtp.gmail.com with ESMTPSA id t103sm21989480wrc.43.2017.03.12.11.14.42 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 12 Mar 2017 11:14:42 -0700 (PDT)
From: Yoav Nir <ynir.ietf@gmail.com>
Message-Id: <1454D9C7-7E51-49AE-B0FC-26EDBA73552C@gmail.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_0F0D60A1-B089-4D75-BD75-F99585908854"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Date: Sun, 12 Mar 2017 20:14:40 +0200
In-Reply-To: <CADZyTk=vG-grQvRWnnUVOdO2p5KGMpKONGkgax2pNjFey2TxAw@mail.gmail.com>
To: Daniel Migault <daniel.migault@ericsson.com>
References: <22683.8182.349840.103676@fireball.acr.fi> <D28C9CC6-FD00-4A42-8451-F9B0AA83E4BF@apple.com> <22684.25414.470545.969594@fireball.acr.fi> <32d17f6f-3b55-a275-9fe5-960833899780@strongswan.org> <22692.28549.958589.705943@fireball.acr.fi> <CADZyTk=vG-grQvRWnnUVOdO2p5KGMpKONGkgax2pNjFey2TxAw@mail.gmail.com>
X-Mailer: Apple Mail (2.3259)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/JnEIYLrx4JDZK5miyH1gjBV4_mE>
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, David Schinazi <dschinazi@apple.com>, Tero Kivinen <kivinen@iki.fi>
Subject: Re: [IPsec] Working group last call for the draft-nir-ipsecme-eddsa-00
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 12 Mar 2017 18:14:47 -0000

Hi, Daniel.

See my comments inline.

Also see this pull request:  https://github.com/ietf-ipsecme/drafts/pull/25 <https://github.com/ietf-ipsecme/drafts/pull/25>

Unless I hear some push-back, I will submit this right before the deadline.

Yoav

> On 8 Mar 2017, at 20:49, Daniel Migault <daniel.migault@ericsson.com> wrote:
> 
> Hi,
> 
> Please find my comments regarding the draft. I believe the draft is ready to be moved forward. I do not have strong opinion on the value to assign.
> 
> Yours,
> 
> Daniel
> 
>    The Internet Key Exchange protocol [RFC7296] can use arbitrary
>    signature algorithms as described in [RFC7427].  The latter RFC
>    defines the SIGNATURE_HASH_ALGORITHMS notification where each side of
>    the IKE negotiation lists its supported hash algorithms.  This
>    assumes that all signature schemes involve a hashing phase followed
>    by a signature phase.  This made sense because most signature
>    algorithms either cannot sign messages bigger than their key or
>    truncate messages bigger than their key.
> 
>    EdDSA ([I.D-eddsa]) defines signature methods that do not require
>    pre-hashing of the message.  Unlike other methods, these accept
>    arbitrary-sized messages, so no pre-hashing is required.  These
>    methods are called Ed25519 and Ed448, which respectively use the
>    Edwards 25519 and the Edwards 448 ("Goldilocks") curves.  Although
>    that document also defines pre-hashed versions of these algorithm,
>    those versions are not recommended for protocols where the entire to-
>    be-signed message is available at once.
> 
> MGLT: I think that a pointer for the recommendation should be provided - section 10.5 of I.D-eddsa.

Added. Except that now it’s in section 8.5 of RFC 8032.

> The first sentence of the paragraph above confuses me. Although this si true, I prefer to say that  EdDSA ([I.D-eddsa]) defines signatures methods that includes pre-hasing as well as signature methods that do not require prehashing.

Yes, but the first paragraph is all about the assumption that all signature methods have a pre-hash stage. The new thing about EdDSA is that it introduces a method that does not have a pre-hash stage. The fact that we are not even specifying the use of EdDSA with pre-hash is all the more reason to push the mention of this to the end of the paragraph.

How about:

   EdDSA ([RFC8032]) defines signature methods that do not require pre-
   hashing of the message.  Unlike other methods, these accept
   arbitrary-sized messages, so no pre-hashing is required.  These
   methods are called Ed25519 and Ed448, which respectively use the
   Edwards 25519 and the Edwards 448 ("Goldilocks") curves.  Although
   that document also defines pre-hashed versions of these algorithm,
   those versions are not recommended for protocols where the entire to-
   be-signed message is available at once.  See section 8.5 or RFC 8032
   for that recommendation.

> 
>    EdDSA defines the binary format of the signatures that should be used
>    in the "Signature Value" field of the Authentication Data Format in
>    section 3.  The CURDLE PKIX document ([I.D-curdle-pkix]) defines the
>    object identifiers (OIDs) for these signature methods.  For
>    convenience, these OIDs are repeated in Appendix A.
> 
> MGLT: Note that the pkix document is still on discussion. -- Although IOD seems out of the scope of the discussion.

Since I’m referencing an I-D normatively, they become a cluster. If Curdle decides to allocate other OIDs we’ll fix this specification as well.

Not that any of us expect that to happen.

Yoav

BTW: RFC 8032 is Informational, while this document and RFC4492bis and the Curdle I-D are standards track. So I guess the shepherd’s write-up should reflect that RFC 8032 should be added to the downref registry.

v2.23.0 | Report a Bug | By Email