Re: [Lwip] Secdir early review of draft-ietf-lwig-curve-representations-08

Rene Struik <> Tue, 26 November 2019 22:21 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 589C8120AF9; Tue, 26 Nov 2019 14:21:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 4qkJeFpKbrBd; Tue, 26 Nov 2019 14:21:21 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::730]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 3233712091B; Tue, 26 Nov 2019 14:21:21 -0800 (PST)
Received: by with SMTP id e187so17703614qkf.4; Tue, 26 Nov 2019 14:21:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding:content-language; bh=nAofHPuRBdWUfRpgBi9jJVeIZQ6wraOTvpQ1NnZbGwI=; b=uPBU65JKgTJIEbNgXqdZcbSju1f+F05tRMHCwmHLYWTHmjOk6rA6HKWMUWOLFrz57E jKR1XNpYajYToDO0ZiSG6wL4EmmTdopES3SJQVq2hROLGNqIIdxLsYZp8/CjuLkUg9o6 TGNyqrCgf66ATE5UXRbSI6qevLn9fY+q6Yh3fk+jCuRuFzViKDWqlyO3tKOjaWq3XCrC dqscEh07FVzxVveQxqfGo95/2P18mTm6y6e3CXTl4+9ZBd1u+kGp6OmkbYdR2F4rBHUW KPHo1uju1EedqKFeGw/VGhBdmu0cYJgaBCYTEQYsImF5h8UKnaLlrJwdEKGYDWMFeBuH /ORw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding :content-language; bh=nAofHPuRBdWUfRpgBi9jJVeIZQ6wraOTvpQ1NnZbGwI=; b=Wm9RHzAMxw0bSmMVEmB8t4SWJi36t6ZFY3gDJ0UyC0f5XamhuCsBLCe3oeod46YoJ3 gowCbOTb3IueaSiuVIYwbjf/+L0geE1iE/p95ENkH8Zsc0VyA4vXfzet8CdKXkm7D16l ArP4EOmOF3PCspDBcBFidcYzX3LLA6vtvg6djCdR/ozu5AsNQYkNaMEHhDYOND3S1HdB TCH9RrXJXGBKj7M5V0BgORw20l5X4haCkS/3k/i+d1PXc2oxC7FfaHjmN4CKd16T03TM X5OVH+u/wZkhs0KmDnuH/xohENta6aL4nEi1FwaQfjBnrrGOiJKwFxyB6CRRS6h49B6B 30eQ==
X-Gm-Message-State: APjAAAVuSU7H5rymKHC573UxUkz67riORLpdSHzvUe3QWopdSR6HASPY 2ePLNqHBmaAqTarQDbtlxvKdED0u
X-Google-Smtp-Source: APXvYqyzvk9isHlsU5aq3Gu06dnjUaTgPBqTUvUxL+qFxX5eOCl6c/h+CKikJOOwNcNBM1z22Kcp4w==
X-Received: by 2002:ae9:f00b:: with SMTP id l11mr833518qkg.141.1574806879876; Tue, 26 Nov 2019 14:21:19 -0800 (PST)
Received: from ?IPv6:2607:fea8:69f:fa3a:fc5f:12b:d173:619a? ([2607:fea8:69f:fa3a:fc5f:12b:d173:619a]) by with ESMTPSA id b13sm6365780qtj.64.2019. (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 26 Nov 2019 14:21:19 -0800 (PST)
To: Russ Housley <>
Cc: IETF SecDir <>,,
References: <> <> <>
From: Rene Struik <>
Message-ID: <>
Date: Tue, 26 Nov 2019 17:21:16 -0500
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.9.1
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <>
Subject: Re: [Lwip] Secdir early review of draft-ietf-lwig-curve-representations-08
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Lightweight IP stack. Official mailing list for IETF LWIG Working Group." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 26 Nov 2019 22:21:23 -0000

Hi Russ:


On 11/26/2019 4:10 PM, Russ Housley wrote:
>> On Nov 26, 2019, at 2:54 PM, Rene Struik <> wrote:
>> Dear Russ:
>> Thanks for your review (and speedy turn-around).
>> Please find below feedback on how I intend to address all but your last remarks (I will reflect on your suggestion as to introductory text with the appendices when looking over Daniel Migault's earlier "guidance of the reader" remarks).
>> Best regards, Rene
>> On 11/26/2019 12:58 PM, Russ Housley via Datatracker wrote:
>>> Reviewer: Russ Housley
>>> Review result: Has Issues
>>> I reviewed this document as part of the Security Directorate's ongoing
>>> effort to review all IETF documents being processed by the IESG.  These
>>> comments were written primarily for the benefit of the Security Area
>>> Directors.  Document authors, document editors, and WG chairs should
>>> treat these comments just like any other IETF Last Call comments.
>>> Document: draft-ietf-lwig-curve-representations-08
>>> Reviewer: Russ Housley
>>> Review Date: 2019-11-26
>>> IETF LC End Date: unknown
>>> IESG Telechat date: unknown
>>> Summary: Has Issues
>>> Major Concerns:
>>> I am confused by the first paragraph in Section 10.  It says that "An
>>> object identifier is requested ...", but then code points for COSE
>>> and JOSE (not object identifiers) are requested in the subsection.
>>> I am confused by the second paragraph in Section 10.  It says that
>>> "There is *currently* no further IANA action required ...".  Please
>>> delete this paragraph.
>> RS>> If I remember this correctly, I borrowed this from another draft (but perhaps was somewhat ignorant here about proper formulation). I intend to change the first para to "code points are requested for ....". As to the second para, I believe it has some merit to keep this in, in slightly altered form, e.g.,  as "New object identifiers would be required in case one wishes to specify one or more of the "offspring" protocols exemplified in Section 4.4. Specification hereof is, however, outside scope of the current document."
>> <<RS
> I do not see how the second paragraph gives any direction regarding the IANA registries.

RS>>  The requested algorithm registrations are for co-factor ECDH 
(Example 4.1) and ECDSA (Example 4.3), where the second para is more a 
reminder that one would need more registrations if one would like other 
spin-offs (so it was more to keep parallelism with Example 4.4). As 
example, one could instantiate e.g., Wei25519 plus, say, MQV (which NIST 
SP 800-56a + new curve W25519 in draft SP 186 would enable) and, e.g., 
Wei25519+MQV, Wei25519 + impl cert (for V2V; see IACR 2019-157), etc., 
but I did not wish to go over the top and that could be to be defined 
elsewhere. From a Spartan writing perspective, it could indeed be argued 
that one could guess this oneself. <<RS

>>> Minor Concerns:
>>> Requirements Language section is out of date.  It should reference
>>> RFC 8174 in addition to RFC 2119, as follows:
>>>     The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
>>>     "OPTIONAL" in this document are to be interpreted as described in
>>>     BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
>>>     capitals, as shown here.
>> RS>> will do. As minor point (from a non-native speaker's perspective): shouldn't the last part of the above sentence read "if, and only if, these appear...."? <<RS
> RFC 8174 calls for this exact text.
RS>> My remark above was more a "Strunk and White" remark. <<RS
>>> Section 2 says: "... reuse of existing generic code ...";  I do not know
>>> what is meant by "generic".  It either needs to be defined, reworded, or
>>> dropped.  I note that elsewhere in the document "existing code" is used.
>> RS>> I will add a sentence to that effect, e.g., "(Here, generic code refers to an implementation that does not depend on hardcoded domain parameters (see also Section 6).)" <<RS
> Thanks.
>>> I expected Section 9 to say something about public keys being unique
>>> identifiers of the private key holder.
>> RS>> I will add an extra paragraph to this effect, e.g., "Use of a public key in any protocol for which successful execution evidences knowledge of the corresponding private key implicitly indicates the entity holding this private key.  Reuse of this public key with more than one protocol or more than one protocol instantiation may, therefore, allow traceability of this entity." <<RS
> Also, using the same public key with different addresses allows an observer to correlate them.
RS>> Indeed, one can correlate more stuff from meta-info that includes 
the public key as a common data element (even if the observer would not 
be able to check whether those are technically bound to this, this would 
often work in practice). <<RS
>>> Some introduction text at the beginning of each Appendix would be very
>>> helpful.  Please tell the reader what they will learn by delving into
>>> the subsections of the appendix.
>> RS>> I will reflect on this somewhat more (while also considering "guidance to the reader" remarks in Daniel Migault's Early IoTDir review).  Broadly speaking, though, inclusion of all these appendices makes the entire docment self-contained, including arithmetic, representations, how-to-convert details, etc. <<RS
> Yes, I understand that.  Some of the appendicies have introductory text, but other do not.  I think they all should have introductory text.
>>> Nits:
>>> Section 4.2 says: "... at the end of hereof ...".  This does not tell
>>> me anything useful.  I suggest deleting this phrase.
>> RS>> I will change this to "at the end hereof" (i.e., will remove "of" - a glitch). Here, one can only recover the y-coordinate at the end of the Montgomery ladder, since one needs the x-coordinates of k*G and (k+1)*G to make this work. <<RS
> I think it would be better to say: ... at the end of the Montgomery ladder ..."
> Russ

email: | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 690-7363