Re: [IPsec] I-D on Using the ECC Brainpool Curves for IKEv2 Key Exchange

Stephen Kent, Mon, 07 January 2013 15:52 UTC


On 1/4/13 3:23 PM, Andrey Jivsov wrote:
> ...
> Point compression is more beneficial for storage security for reasons 
> of performance and storage efficiency. For storage efficiency side: 
> when there are multiple recipients per message, each associated with 
> one ECDH-related field, it's possible for ECDH-specific payload to get 
> arbitrarily large for a fixed short message. For the performance 
> argument: if the message was encrypted to N recipients, to decode it 
> only one recipient will be used, and thus the calculation of 'y' is 
> done once but the space is saved for N.

Are you confident that this attempt at space efficiency is consistent
with S/MIME processing rules? Or are you suggesting that S/MIME and
other secure email standards become alg-specific to take advantage of
this optimization?

> Even for certificates that have one public key there is some benefit, 
> given that the certificates are pre-processed for chain validation and 
> are often cached.

Most IETF security protocols make use of X.509 (PKIX) certs. X.509 certs
always contain just one key. So I'm puzzled by the phrase "Even for
certificates that have one public key ..."
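
The space/CPU trade-off described in the quoted paragraph, as an added example that is not part of the original message or of the Internet-Draft under discussion: SEC 1 style point compression and decompression on brainpoolP256r1 (domain parameters from RFC 5639), plus the per-recipient size arithmetic. The function names are hypothetical, and `sample_point` builds constructed test points, not real keys.

```python
import hashlib

# brainpoolP256r1 domain parameters (RFC 5639)
P = 0xA9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377
A = 0x7D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9
B = 0x26DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B6
GX = 0x8BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262
GY = 0x547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997
FIELD_BYTES = 32

def on_curve(x, y):
    return (y * y - (pow(x, 3, P) + A * x + B)) % P == 0

def compress(x, y):
    """Compressed form: 0x02/0x03 (parity of y) followed by x."""
    return bytes([2 + (y & 1)]) + x.to_bytes(FIELD_BYTES, "big")

def decompress(blob):
    """Recover (x, y); costs the receiver one modular square root."""
    if len(blob) != FIELD_BYTES + 1 or blob[0] not in (2, 3):
        raise ValueError("not a compressed point")
    x = int.from_bytes(blob[1:], "big")
    rhs = (pow(x, 3, P) + A * x + B) % P
    y = pow(rhs, (P + 1) // 4, P)  # square root, valid because P % 4 == 3
    if x >= P or y * y % P != rhs:
        raise ValueError("x is not the abscissa of a curve point")
    return x, (y if (y & 1) == (blob[0] & 1) else P - y)

def sample_point(label):
    """Constructed test point: hash label to x, step until x is on the curve."""
    x = int.from_bytes(hashlib.sha256(label).digest(), "big") % P
    while True:
        try:
            return decompress(b"\x02" + x.to_bytes(FIELD_BYTES, "big"))
        except ValueError:
            x = (x + 1) % P

def recipient_overhead(n):
    """Bytes of ECDH point data for n recipients: (uncompressed, compressed)."""
    return n * (1 + 2 * FIELD_BYTES), n * (1 + FIELD_BYTES)
```

For 10 recipients the point data shrinks from 650 to 330 bytes, while the decrypting recipient calls `decompress` only on its own entry.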