Re: [Lwip] Secdir early review of draft-ietf-lwig-curve-representations-08

Rene Struik <> Tue, 10 March 2020 15:19 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 08B3E3A10E8; Tue, 10 Mar 2020 08:19:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id yalFTD10zq4V; Tue, 10 Mar 2020 08:19:37 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::f30]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id CA4CE3A1256; Tue, 10 Mar 2020 08:19:33 -0700 (PDT)
Received: by with SMTP id ca9so3136990qvb.9; Tue, 10 Mar 2020 08:19:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=subject:from:to:cc:references:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding:content-language; bh=eNKBxZFJfvs6V/mCK17fmkZ/XgO1fFYYbFQWGk7rngI=; b=qufVNV9BsO+Fh5kaSdZDWFwCz/5efsQVHne5vcyKC/ZD38uQVsJ14b2jb1yvSUoMGw fd9O63MmDpOWjVqQBd8TWx3Yc8kPdQ3oQ124sI/4LQJv4q4j4coRVLXsQfNM0h7/xj2j H0OJD1hk56NFWnOuE55YiepIZ+cOz3U9k0jISNqeAgDLB2hgeObYw0ur9zuppLyJQhKa FmDZH9vIik3Ajv4LqnO+rps+x+jF6w0YkOQysthBzEPCR8GCCn//8pbKtyius85PJX8E Eirzlo/7x+xqnD2YEmsdu2jW//x3sg1mbcT6I8CYzwgyzQs/q6qHTT6m0HFZ0eDR/Jaz J3xw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:subject:from:to:cc:references:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding :content-language; bh=eNKBxZFJfvs6V/mCK17fmkZ/XgO1fFYYbFQWGk7rngI=; b=ORF+TprxT40To7S85+3K9beDOdjGd5a86Gygr1e3qsBBZnC9w5ZKz6phJxyA3GYqaz hhmoiqGo4qiFJ3zLgRhbdNHEtvvh9KQWu7mUTbCAkcqzAFqV7WLTR/FB/f5cavzTba/R imQUsB9lulc22BdYml2Kxza0IWreRNCPMzi0CvYJOtTgcIDQ4CdqepW92tcY+87j3g67 DIMW6X/FcNSsWCKyBLVLI/xFGHN/k5xAEJ0Ec9i58qaBwN0/GXiuVYIWqpu6YIZoH605 oYxzTBECrXEX4B+JFPcDV1B0P8BGAtoBwQUrC88IJVUPdHys+IEQpyLBW99ws2d4ocdG pMeA==
X-Gm-Message-State: ANhLgQ3gcyAsYuygBlMGFQRTFj7Nzxt6ncOxw4PXOAJzZyFqctEeQgHo 9bhnXFWZXnFDk8UPTKLZ/xFGacTP
X-Google-Smtp-Source: ADFU+vttQaSQvemyYnds5sbFjSOZx6UAmqb8oHQq8CBVws4CiawlkrdCoQDlxkJQzJr0IZSwMRvqUw==
X-Received: by 2002:a0c:f892:: with SMTP id u18mr19715400qvn.159.1583853572396; Tue, 10 Mar 2020 08:19:32 -0700 (PDT)
Received: from ?IPv6:2607:fea8:6a0:1a5a:51ec:9c3f:c37:3026? ([2607:fea8:6a0:1a5a:51ec:9c3f:c37:3026]) by with ESMTPSA id o57sm4427150qtf.42.2020. (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 10 Mar 2020 08:19:31 -0700 (PDT)
From: Rene Struik <>
To: Russ Housley <>
Cc: IETF SecDir <>,,
References: <> <> <> <>
Message-ID: <>
Date: Tue, 10 Mar 2020 11:19:29 -0400
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.5.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <>
Subject: Re: [Lwip] Secdir early review of draft-ietf-lwig-curve-representations-08
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Lightweight IP stack. Official mailing list for IETF LWIG Working Group." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 10 Mar 2020 15:19:39 -0000

Hi Russ:

I tried to take into account your comments with 

I will send out a separate email to the list highlighting main changes.

Below, I will explain how I tried and accommodate your previous comments 
on the 08-draft, now that the new draft is out.

Important note:
As you know from offline communications, I did include Curve448-related 
material with the 09 version. I tried to do this in a way that would 
create the least editorial upheaval and would not take away from the 
main objectives of the document: to this end, I only introduced 
Curve448-related material in Section 4.4 [thereby avoiding having to 
sprinkle in curve448-related language in each section and blurring the 
message of the document]. The only other sections where Curve448 plays a 
role is IANA Section 10 and the appendices that give the parameters and 
test vectors for the Curve448 family members. {Note: I probably should 
have added a note on ECDSA448 in the security consideration section, 
though (I made a note on this and will fix).}

Best regards, Rene

On 11/26/2019 5:21 PM, Rene Struik wrote:
> Hi Russ:
> Thanks.
> On 11/26/2019 4:10 PM, Russ Housley wrote:
>>> On Nov 26, 2019, at 2:54 PM, Rene Struik <> wrote:
>>> Dear Russ:
>>> Thanks for your review (and speedy turn-around).
>>> Please find below feedback on how I intend to address all but your 
>>> last remarks (I will reflect on your suggestion as to introductory 
>>> text with the appendices when looking over Daniel Migault's earlier 
>>> "guidance of the reader" remarks).
>>> Best regards, Rene
>>> On 11/26/2019 12:58 PM, Russ Housley via Datatracker wrote:
>>>> Reviewer: Russ Housley
>>>> Review result: Has Issues
>>>> I reviewed this document as part of the Security Directorate's ongoing
>>>> effort to review all IETF documents being processed by the IESG.  
>>>> These
>>>> comments were written primarily for the benefit of the Security Area
>>>> Directors.  Document authors, document editors, and WG chairs should
>>>> treat these comments just like any other IETF Last Call comments.
>>>> Document: draft-ietf-lwig-curve-representations-08
>>>> Reviewer: Russ Housley
>>>> Review Date: 2019-11-26
>>>> IETF LC End Date: unknown
>>>> IESG Telechat date: unknown
>>>> Summary: Has Issues
>>>> Major Concerns:
>>>> I am confused by the first paragraph in Section 10.  It says that "An
>>>> object identifier is requested ...", but then code points for COSE
>>>> and JOSE (not object identifiers) are requested in the subsection.
>>>> I am confused by the second paragraph in Section 10.  It says that
>>>> "There is *currently* no further IANA action required ...". Please
>>>> delete this paragraph.
>>> RS>> If I remember this correctly, I borrowed this from another 
>>> draft (but perhaps was somewhat ignorant here about proper 
>>> formulation). I intend to change the first para to "code points are 
>>> requested for ....". As to the second para, I believe it has some 
>>> merit to keep this in, in slightly altered form, e.g.,  as "New 
>>> object identifiers would be required in case one wishes to specify 
>>> one or more of the "offspring" protocols exemplified in Section 4.4. 
>>> Specification hereof is, however, outside scope of the current 
>>> document."
>>> <<RS
>> I do not see how the second paragraph gives any direction regarding 
>> the IANA registries.
> RS>>  The requested algorithm registrations are for co-factor ECDH 
> (Example 4.1) and ECDSA (Example 4.3), where the second para is more a 
> reminder that one would need more registrations if one would like 
> other spin-offs (so it was more to keep parallelism with Example 4.4). 
> As example, one could instantiate e.g., Wei25519 plus, say, MQV (which 
> NIST SP 800-56a + new curve W25519 in draft SP 186 would enable) and, 
> e.g., Wei25519+MQV, Wei25519 + impl cert (for V2V; see IACR 2019-157), 
> etc., but I did not wish to go over the top and that could be to be 
> defined elsewhere. From a Spartan writing perspective, it could indeed 
> be argued that one could guess this oneself. <<RS

RS1>> Since I added Curve448-related material, I divided the IANA 
section into two subsections, where the first one requests for code 
points for Wei25519 and the second one requests for code points for 
Wei448. The reason for this organization is that it shows clearly the 
edits w.r.t. the 08 version. Due to the additional request for code 
points for Wei448, I changed the language in the preamble of the IANA 
section as follows:

Code points are requested for curve Wei25519 and Wei448 and its use with 
ECDSA and co-factor ECDH, using the representation conventions of this 
New code points would be required in case one wishes to specify one or 
more other "offspring" protocols beyond those exemplified in Section 
4.4. Specification hereof is, however, outside scope of the current 


>>>> Minor Concerns:
>>>> Requirements Language section is out of date.  It should reference
>>>> RFC 8174 in addition to RFC 2119, as follows:
>>>>     The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL 
>>>> NOT",
>>>> "MAY", and
>>>>     "OPTIONAL" in this document are to be interpreted as described in
>>>>     BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
>>>>     capitals, as shown here.
>>> RS>> will do. As minor point (from a non-native speaker's 
>>> perspective): shouldn't the last part of the above sentence read 
>>> "if, and only if, these appear...."? <<RS
>> RFC 8174 calls for this exact text.
> RS>> My remark above was more a "Strunk and White" remark. <<RS
RS1>> Changed, as requested. <<RS1
>>>> Section 2 says: "... reuse of existing generic code ...";  I do not 
>>>> know
>>>> what is meant by "generic".  It either needs to be defined, 
>>>> reworded, or
>>>> dropped.  I note that elsewhere in the document "existing code" is 
>>>> used.
>>> RS>> I will add a sentence to that effect, e.g., "(Here, generic 
>>> code refers to an implementation that does not depend on hardcoded 
>>> domain parameters (see also Section 6).)" <<RS
>> Thanks.
>>>> I expected Section 9 to say something about public keys being unique
>>>> identifiers of the private key holder.
>>> RS>> I will add an extra paragraph to this effect, e.g., "Use of a 
>>> public key in any protocol for which successful execution evidences 
>>> knowledge of the corresponding private key implicitly indicates the 
>>> entity holding this private key. Reuse of this public key with more 
>>> than one protocol or more than one protocol instantiation may, 
>>> therefore, allow traceability of this entity." <<RS
>> Also, using the same public key with different addresses allows an 
>> observer to correlate them.
> RS>> Indeed, one can correlate more stuff from meta-info that includes 
> the public key as a common data element (even if the observer would 
> not be able to check whether those are technically bound to this, this 
> would often work in practice). <<RS

RS1>>The added text now reads as follows:

Use of a public key in any protocol for which successful execution 
evidences knowledge of the corresponding private key implicitly 
indicates the entity holding this private key. Reuse of this public key 
with more than one protocol or more than one protocol instantiation may, 
therefore, allow traceability of this entity. It may also allow 
correlation of meta-data communicated with this common data element 
(e.g., different addressing information), even if an observer cannot 
technically verify the binding of this meta-data.


>>>> Some introduction text at the beginning of each Appendix would be very
>>>> helpful.  Please tell the reader what they will learn by delving into
>>>> the subsections of the appendix.
>>> RS>> I will reflect on this somewhat more (while also considering 
>>> "guidance to the reader" remarks in Daniel Migault's Early IoTDir 
>>> review).  Broadly speaking, though, inclusion of all these 
>>> appendices makes the entire docment self-contained, including 
>>> arithmetic, representations, how-to-convert details, etc. <<RS
>> Yes, I understand that.  Some of the appendicies have introductory 
>> text, but other do not.  I think they all should have introductory text.

RS1>> I added some introductory text to each appendix.


>>>> Nits:
>>>> Section 4.2 says: "... at the end of hereof ...".  This does not tell
>>>> me anything useful.  I suggest deleting this phrase.
>>> RS>> I will change this to "at the end hereof" (i.e., will remove 
>>> "of" - a glitch). Here, one can only recover the y-coordinate at the 
>>> end of the Montgomery ladder, since one needs the x-coordinates of 
>>> k*G and (k+1)*G to make this work. <<RS
>> I think it would be better to say: ... at the end of the Montgomery 
>> ladder ..."
RS1>> Changed as suggested. <<RS1
>> Russ

email: | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 287-3867