Re: [IPsec] Working group last call for the draft-nir-ipsecme-eddsa-00
Daniel Migault <daniel.migault@ericsson.com> Wed, 08 March 2017 18:49 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD3891294EA for <ipsec@ietfa.amsl.com>; Wed, 8 Mar 2017 10:49:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.369
X-Spam-Level:
X-Spam-Status: No, score=-2.369 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.229, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4NSkWIkheofr for <ipsec@ietfa.amsl.com>; Wed, 8 Mar 2017 10:49:09 -0800 (PST)
Received: from mail-it0-x231.google.com (mail-it0-x231.google.com [IPv6:2607:f8b0:4001:c0b::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 325E312944E for <ipsec@ietf.org>; Wed, 8 Mar 2017 10:49:09 -0800 (PST)
Received: by mail-it0-x231.google.com with SMTP id m27so46589381iti.1 for <ipsec@ietf.org>; Wed, 08 Mar 2017 10:49:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=3mrHhuURXCuESlA00yBwLlnvN75R8VDOXnVqsrWxx9Y=; b=EYTHYi+C8mrS25eu5owOEztthjxaoOASwVSKL8wxSprlBtONoMD5EzP6QPy/njxmmu btB+JKEXtuPhuBu7kt+46cAq7VkjAm2AbmkFdFvMHNNGBz9uZk3N0BC4alFPIJHotXjn Xj8vuxpImqCxLwSZFKbSj+9IK5lOhRrzZOkGYyi5F7h606jssuF+yyK1ILQp9s4WWLvb cuu/7BTAEYQusjhcs3XxdNgV7iNa/58IZn1kAxxXVUjN2gYdVcsspJ7q5CxkB99i1RyS p0FdMJ12V3PgpPLkt1N8XZs/pxUB7MMaYl9cVeV7GqdANLxFVgxEsJCb1eX3tIybDFcq /z4g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=3mrHhuURXCuESlA00yBwLlnvN75R8VDOXnVqsrWxx9Y=; b=RGYfi+pOvvJae6AIKwo9BxwRMEVsIHoS/Z/wJwlysVGT2fkFmZjtawKLvRyNR4ZF/3 PQdGJvhSHTJm9DDuPu1iwBYr9TmEYgJKFIRaIAcrr03DuBsVpTGO0NxvBsNVwTCpLkAl un06RDU3YkDOnyw+zRJjvV4ih+JiF0505DAS6uTCzQYTmfa8BX3xjJ0TZ9r+23mNEJYD 6BOkcIb91sKxTAbxszexA8rWS+WrqOdExtgeJaGczgxMESc13NC8aeqnpscT2IlWcm5o 2kRQlmFFyiU1axC9lCifrIajB5winXJ7N3pzlzm2cWYNKHM4s90SbysmzvpwGzwWYdE0 aEUg==
X-Gm-Message-State: AMke39nbOoEpiUjlvGykEqCSBGKFlCuiP61m8cmlxhgveM31j1iEoihVor0BGBCp0kiO1in2GOOirx6L1+fNNg==
X-Received: by 10.107.168.21 with SMTP id r21mr7095903ioe.45.1488998948482; Wed, 08 Mar 2017 10:49:08 -0800 (PST)
MIME-Version: 1.0
Sender: mglt.ietf@gmail.com
Received: by 10.107.35.213 with HTTP; Wed, 8 Mar 2017 10:49:07 -0800 (PST)
In-Reply-To: <22692.28549.958589.705943@fireball.acr.fi>
References: <22683.8182.349840.103676@fireball.acr.fi> <D28C9CC6-FD00-4A42-8451-F9B0AA83E4BF@apple.com> <22684.25414.470545.969594@fireball.acr.fi> <32d17f6f-3b55-a275-9fe5-960833899780@strongswan.org> <22692.28549.958589.705943@fireball.acr.fi>
From: Daniel Migault <daniel.migault@ericsson.com>
Date: Wed, 08 Mar 2017 13:49:07 -0500
X-Google-Sender-Auth: 1sZ4-UWPb0U7iuQ-kyb15qVwUF4
Message-ID: <CADZyTk=vG-grQvRWnnUVOdO2p5KGMpKONGkgax2pNjFey2TxAw@mail.gmail.com>
To: Tero Kivinen <kivinen@iki.fi>
Content-Type: multipart/alternative; boundary="001a114215e865422c054a3c95e9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/qkOdcJ_vnh1Om0xFvN30kW-6SLk>
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, David Schinazi <dschinazi@apple.com>
Subject: Re: [IPsec] Working group last call for the draft-nir-ipsecme-eddsa-00
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Mar 2017 18:49:11 -0000
Hi,
Please find my comments regarding the draft. I believe the draft is ready
to be moved forward. I do not have strong opinion on the value to assign.
Yours,
Daniel
The Internet Key Exchange protocol [RFC7296] can use arbitrary
signature algorithms as described in [RFC7427]. The latter RFC
defines the SIGNATURE_HASH_ALGORITHMS notification where each side of
the IKE negotiation lists its supported hash algorithms. This
assumes that all signature schemes involve a hashing phase followed
by a signature phase. This made sense because most signature
algorithms either cannot sign messages bigger than their key or
truncate messages bigger than their key.
EdDSA ([I.D-eddsa]) defines signature methods that do not require
pre-hashing of the message. Unlike other methods, these accept
arbitrary-sized messages, so no pre-hashing is required. These
methods are called Ed25519 and Ed448, which respectively use the
Edwards 25519 and the Edwards 448 ("Goldilocks") curves. Although
that document also defines pre-hashed versions of these algorithm,
those versions are not recommended for protocols where the entire to-
be-signed message is available at once.
MGLT: I think that a pointer for the recommendation should be provided -
section 10.5 of I.D-eddsa.
The first sentence of the paragraph above confuses me. Although this si
true, I prefer to say that EdDSA ([I.D-eddsa]) defines signatures methods
that includes pre-hasing as well as signature methods that do not require
prehashing. Following the recommendation of Section 10.5 I.D-eddsa, the
pre-hash variant SHOULD NOT be used.
Given the title, it would be more appropriated to have the first paragraph
here.
EdDSA defines the binary format of the signatures that should be used
in the "Signature Value" field of the Authentication Data Format in
section 3. The CURDLE PKIX document ([I.D-curdle-pkix]) defines the
object identifiers (OIDs) for these signature methods. For
convenience, these OIDs are repeated in Appendix A.
MGLT: Note that the pkix document is still on discussion. -- Although IOD
seems out of the scope of the discussion.
In order to signal within IKE that no hashing needs to be done, we
define a new value has in the SIGNATURE_HASH_ALGORITHMS notification,
one that indicates that no hashing is performed.
On Wed, Feb 15, 2017 at 10:11 AM, Tero Kivinen <kivinen@iki.fi> wrote:
> Andreas Steffen writes:
> > I personally think that 0 would have been legitimate for the "Identity"
> > hash but the next unassigned value (5) is also ok for me.
> >
> > Could you please ask IANA for an early assignment of the code point?
> > strongSwan 5.5.2 with Ed25519 support is ready to be deployed,
> > thus we would be able to release the stable version as soon as
> > the code point has been assigned.
>
> Before we can make code point allocation, we need to agree on whether
> it is going to be zero or next number. As you can see from the emails
> in this list there is not agreement on this yet, so even if authors
> make IANA request to ask for assignment, when it comes to me (as for
> expert review) few days later, I would wait for the comments on the
> list to agree on which number we are going to allocate.
>
> Now it seems more people are supporting allocating something else than
> zero...
>
> As for the process:
>
> > > As this is expert review registry there is no need to ask for early
> > > allocation, the normal process is just to fill in the IANA general
> > > request for assignments, which then goes to the IANA and they will
> > > then send it to the expert (me) for verification.
>
> And then we will then come back to this list to finish this
> discussion...
> --
> kivinen@iki.fi
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
>
- [IPsec] Working group last call for the draft-nir… Tero Kivinen
- Re: [IPsec] Working group last call for the draft… David Schinazi
- Re: [IPsec] Working group last call for the draft… Tero Kivinen
- Re: [IPsec] Working group last call for the draft… Tommy Pauly
- Re: [IPsec] Working group last call for the draft… Paul Wouters
- Re: [IPsec] Working group last call for the draft… David Schinazi
- Re: [IPsec] Working group last call for the draft… Andreas Steffen
- Re: [IPsec] Working group last call for the draft… Tero Kivinen
- Re: [IPsec] Working group last call for the draft… Daniel Migault
- Re: [IPsec] Working group last call for the draft… Yoav Nir
- Re: [IPsec] Working group last call for the draft… David Schinazi
- Re: [IPsec] Working group last call for the draft… Yoav Nir
- Re: [IPsec] Working group last call for the draft… Daniel Migault