Re: [IPsec] Working group last call for the draft-nir-ipsecme-eddsa-00
Daniel Migault <daniel.migault@ericsson.com> Sun, 12 March 2017 23:53 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D47F129413 for <ipsec@ietfa.amsl.com>; Sun, 12 Mar 2017 16:53:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.349
X-Spam-Level:
X-Spam-Status: No, score=-2.349 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7PA8tCDSKg4o for <ipsec@ietfa.amsl.com>; Sun, 12 Mar 2017 16:53:14 -0700 (PDT)
Received: from mail-io0-x22d.google.com (mail-io0-x22d.google.com [IPv6:2607:f8b0:4001:c06::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4761E129426 for <ipsec@ietf.org>; Sun, 12 Mar 2017 16:53:14 -0700 (PDT)
Received: by mail-io0-x22d.google.com with SMTP id l7so75109283ioe.3 for <ipsec@ietf.org>; Sun, 12 Mar 2017 16:53:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=PlnIu/RZNKCOc0SZaZES+kSxQ2+FAu8zb/MDZ0okd4Y=; b=aR+n/t4C916BnxQxBTaFNdL55vn87KDCDhv4Ws3a7sW29Tt3Ol6qWrZE+RKP8ioqZX VCh083GXW6BQYL+kABIzj+3AAuppDu8/KuUz5LLUikBY+IR/t0mKBDA0ZferozzcMV9W y6jFXAZSFlvDJGnXtKMjj8Zg/flFuvY2xUlo/H8L9Uu0flnez7xg2vK+adMQrowbUNzj BNPhPGoJinK5XMWHgv5uNbBchFJVB2Pgk02gsmT+04Vk4Ai9xN3/1ufpR9mPWswAPwzY g7bgbVxzlbj3yb/4u8e5FkOSoGWrWw7bS2KU7NaCV0huJ1hB0u+m9R88QnpQ2CIfIrQR UiUg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=PlnIu/RZNKCOc0SZaZES+kSxQ2+FAu8zb/MDZ0okd4Y=; b=HsKvn1GpAYDiJO1yr14XBwo/85CjE/dk0+HpSHs5wzc2YwwwsmWyiStvxIhYN4d5HS F99TKcEvUjRu/W8b80LcuOzoKy31B6B6SifSLYHmMPqdgeUoCSrsXymm8ak67FbRHimR e4FZ3LHUwGmcX8U7DQRFBKYDkxm9d1ZFSMS3/EGsRxLrjH5E77hY7u1UmyVS+yuqWWft 1LPSWDelVj1yY1JrzTTkr35sgzQ3Xf6arRnuc4m8cHqr6m3CD70+jHdYQNE+hvrNQa5X YBw/q7sPm5Q2Tsc4LMj7CDPNMNbwjpZfqnnZH77RkFeaXX94xgvXgpR2yAK4QCY3mvr1 lu3w==
X-Gm-Message-State: AMke39l6WsrRAnebRLPqbs3UmaLQ8HYuf/LqrmuxOK6Obeb752iQk54ARGDymj2EvcCLJjNcBjS8zr9cZZgRNA==
X-Received: by 10.107.168.21 with SMTP id r21mr23636643ioe.45.1489362793604; Sun, 12 Mar 2017 16:53:13 -0700 (PDT)
MIME-Version: 1.0
Sender: mglt.ietf@gmail.com
Received: by 10.107.35.213 with HTTP; Sun, 12 Mar 2017 16:53:13 -0700 (PDT)
In-Reply-To: <1454D9C7-7E51-49AE-B0FC-26EDBA73552C@gmail.com>
References: <22683.8182.349840.103676@fireball.acr.fi> <D28C9CC6-FD00-4A42-8451-F9B0AA83E4BF@apple.com> <22684.25414.470545.969594@fireball.acr.fi> <32d17f6f-3b55-a275-9fe5-960833899780@strongswan.org> <22692.28549.958589.705943@fireball.acr.fi> <CADZyTk=vG-grQvRWnnUVOdO2p5KGMpKONGkgax2pNjFey2TxAw@mail.gmail.com> <1454D9C7-7E51-49AE-B0FC-26EDBA73552C@gmail.com>
From: Daniel Migault <daniel.migault@ericsson.com>
Date: Sun, 12 Mar 2017 19:53:13 -0400
X-Google-Sender-Auth: hMaagIzsjjDIVkow__6SyOL2_U4
Message-ID: <CADZyTk=AABLoxrBfQsUHQ5=YxGqxEZnt2TCLnPZjNV1BGiCvtw@mail.gmail.com>
To: Yoav Nir <ynir.ietf@gmail.com>
Content-Type: multipart/alternative; boundary="001a114215e8412ef5054a914c95"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/m2_MW0NkT1Qpqg10Zo9IE4MS-Fk>
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, David Schinazi <dschinazi@apple.com>, Tero Kivinen <kivinen@iki.fi>
Subject: Re: [IPsec] Working group last call for the draft-nir-ipsecme-eddsa-00
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 12 Mar 2017 23:53:16 -0000
Hi,
This looks good to me.
Here is the text to justify the downref ;-)
The Downref is justified by RFC3967 as it falls into the following case:
o A standards track document may need to refer to a protocol or
algorithm developed by an external body but modified, adapted, or
profiled by an IETF informational RFC.
Yours,
Daniel
On Sun, Mar 12, 2017 at 2:14 PM, Yoav Nir <ynir.ietf@gmail.com> wrote:
> Hi, Daniel.
>
> See my comments inline.
>
> Also see this pull request: https://github.com/ietf-
> ipsecme/drafts/pull/25
>
> Unless I hear some push-back, I will submit this right before the deadline.
>
> Yoav
>
> On 8 Mar 2017, at 20:49, Daniel Migault <daniel.migault@ericsson.com>
> wrote:
>
> Hi,
>
> Please find my comments regarding the draft. I believe the draft is ready
> to be moved forward. I do not have strong opinion on the value to assign.
>
> Yours,
>
> Daniel
>
> The Internet Key Exchange protocol [RFC7296] can use arbitrary
> signature algorithms as described in [RFC7427]. The latter RFC
> defines the SIGNATURE_HASH_ALGORITHMS notification where each side of
> the IKE negotiation lists its supported hash algorithms. This
> assumes that all signature schemes involve a hashing phase followed
> by a signature phase. This made sense because most signature
> algorithms either cannot sign messages bigger than their key or
> truncate messages bigger than their key.
>
> EdDSA ([I.D-eddsa]) defines signature methods that do not require
> pre-hashing of the message. Unlike other methods, these accept
> arbitrary-sized messages, so no pre-hashing is required. These
> methods are called Ed25519 and Ed448, which respectively use the
> Edwards 25519 and the Edwards 448 ("Goldilocks") curves. Although
> that document also defines pre-hashed versions of these algorithm,
> those versions are not recommended for protocols where the entire to-
> be-signed message is available at once.
>
> MGLT: I think that a pointer for the recommendation should be provided -
> section 10.5 of I.D-eddsa.
>
>
> Added. Except that now it’s in section 8.5 of RFC 8032.
>
> The first sentence of the paragraph above confuses me. Although this si
> true, I prefer to say that EdDSA ([I.D-eddsa]) defines signatures methods
> that includes pre-hasing as well as signature methods that do not require
> prehashing.
>
>
> Yes, but the first paragraph is all about the assumption that all
> signature methods have a pre-hash stage. The new thing about EdDSA is that
> it introduces a method that does not have a pre-hash stage. The fact that
> we are not even specifying the use of EdDSA with pre-hash is all the more
> reason to push the mention of this to the end of the paragraph.
>
> How about:
>
> EdDSA ([RFC8032]) defines signature methods that do not require pre-
> hashing of the message. Unlike other methods, these accept
> arbitrary-sized messages, so no pre-hashing is required. These
> methods are called Ed25519 and Ed448, which respectively use the
> Edwards 25519 and the Edwards 448 ("Goldilocks") curves. Although
> that document also defines pre-hashed versions of these algorithm,
> those versions are not recommended for protocols where the entire to-
> be-signed message is available at once. See section 8.5 or RFC 8032
> for that recommendation.
>
>
> EdDSA defines the binary format of the signatures that should be used
> in the "Signature Value" field of the Authentication Data Format in
> section 3. The CURDLE PKIX document ([I.D-curdle-pkix]) defines the
> object identifiers (OIDs) for these signature methods. For
> convenience, these OIDs are repeated in Appendix A.
>
> MGLT: Note that the pkix document is still on discussion. -- Although IOD
> seems out of the scope of the discussion.
>
>
> Since I’m referencing an I-D normatively, they become a cluster. If Curdle
> decides to allocate other OIDs we’ll fix this specification as well.
>
> Not that any of us expect that to happen.
>
> Yoav
>
> BTW: RFC 8032 is Informational, while this document and RFC4492bis and the
> Curdle I-D are standards track. So I guess the shepherd’s write-up should
> reflect that RFC 8032 should be added to the downref registry.
>
>
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
>
>
- [IPsec] Working group last call for the draft-nir… Tero Kivinen
- Re: [IPsec] Working group last call for the draft… David Schinazi
- Re: [IPsec] Working group last call for the draft… Tero Kivinen
- Re: [IPsec] Working group last call for the draft… Tommy Pauly
- Re: [IPsec] Working group last call for the draft… Paul Wouters
- Re: [IPsec] Working group last call for the draft… David Schinazi
- Re: [IPsec] Working group last call for the draft… Andreas Steffen
- Re: [IPsec] Working group last call for the draft… Tero Kivinen
- Re: [IPsec] Working group last call for the draft… Daniel Migault
- Re: [IPsec] Working group last call for the draft… Yoav Nir
- Re: [IPsec] Working group last call for the draft… David Schinazi
- Re: [IPsec] Working group last call for the draft… Yoav Nir
- Re: [IPsec] Working group last call for the draft… Daniel Migault