IETF Logo Mail Archive

Re: [jose] [COSE] COSE/JOSE elliptic curves and their relationship with key types

Benjamin Kaduk <kaduk@mit.edu> Tue, 13 July 2021 03:46 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 92F283A1140; Mon, 12 Jul 2021 20:46:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.498
X-Spam-Level:
X-Spam-Status: No, score=-1.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_HELO_FCRDNS=0.399, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MaT2umvLfxpP; Mon, 12 Jul 2021 20:46:09 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 18D813A113F; Mon, 12 Jul 2021 20:46:08 -0700 (PDT)
Received: from mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 16D3k1Ka008777 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 12 Jul 2021 23:46:06 -0400
Date: Mon, 12 Jul 2021 20:46:00 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: cose@ietf.org, jose@ietf.org
Message-ID: <20210713034600.GJ17170@mit.edu>
References: <20210707212059.GX17170@mit.edu> <21116.1625697755@localhost>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <21116.1625697755@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/yC-Ff4NqMPVV3hRnAY-zm6e7kKM>
Subject: Re: [jose] [COSE] COSE/JOSE elliptic curves and their relationship with key types
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Jul 2021 03:46:14 -0000

Hi Michael,

Thanks for sharing your thoughts.

On Wed, Jul 07, 2021 at 06:42:35PM -0400, Michael Richardson wrote:
> 
> Benjamin Kaduk <kaduk@mit.edu> wrote:
>     > As written, that seems to allow a notion of "consistent" that is not
>     > strictly 1:1, but all of the curves defined so far only have that 1:1
>     > mapping, and trying to use any other "kty" for an existing curve would run
>     > into interop problems with existing implementations that reject other "kty"
>     > values for that curve.
> 
> It seems to me that we think it's always gonna be 1:1, but that we admit that
> we can't predict the future, and so we are providing some extra rope.

There is of course a reason that I am asking the question.  I had hoped
to separate the initial batch of responses to the general question from the
specific case, so I didn't mention it in the initial note, but
draft-ietf-lwig-curve-representations registers the Wei25519 and Wei448
elliptic curves (the short-Weierstrass analogues of Curve25519 and
Curve448), and currently lists the key type for both as "EC2 or OKP".

To my knowledge, these curve (representation)s are not in wide use and
there is thus not a well-established single point representation to use
with them.  However, since the intent of the work is to expose the CFRG
curves' benefits to implementations tailored to short-Weierstrass curves,
which in turn would be likely to use the "EC2" representation in its
interfaces, it seems like if we were to pick a preferred representation it
would be "EC2".

> It also seems that we might also be thinking that there might be other ways
> to encode the keys (into bytes), but that mostly it is the case that we have
> a single encoding that we stick to.

But for a protocol don't we kind of only want a single encoding anyway?

> (Why did we call it "EC2". Huh)

I feel like I used to know this, but am drawing a blank.  Maybe that there
are two coordinates included?

Thanks again,

Ben

>     > Do we expect a strict relationship where each curve has exactly one "kty"
>     > that it's used with?  If not, in what scenario(s) would there be multiple
>     > "kty" values to use with a single curve?
> 
> 
> --
> Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
>            Sandelman Software Works Inc, Ottawa and Worldwide
> 
> 
> 
>

v2.23.0 | Report a Bug | By Email