Re: [pkix] Updated elliptic curve drafts

Phillip Hallam-Baker <phill@hallambaker.com> Fri, 27 November 2015 22:19 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 78AD51B2C9C for <pkix@ietfa.amsl.com>; Fri, 27 Nov 2015 14:19:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ueoYoybX7gQp for <pkix@ietfa.amsl.com>; Fri, 27 Nov 2015 14:19:30 -0800 (PST)
Received: from mail-lf0-x236.google.com (mail-lf0-x236.google.com [IPv6:2a00:1450:4010:c07::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0343D1B2C9B for <pkix@ietf.org>; Fri, 27 Nov 2015 14:19:29 -0800 (PST)
Received: by lfaz4 with SMTP id z4so141656027lfa.0 for <pkix@ietf.org>; Fri, 27 Nov 2015 14:19:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=oTWLXwyGDSXoF5rG5D2p4cSmJjaF7vPrjY6c1eKS3y4=; b=ZyA7/zNY1jLuwJzKUSe7k1mtVjpIxSl5u+DSy67juKakKLir9qwRR5yIpQTWtmDR7Q L9LPPtfcaw7oQgwLw1u9evqdldBLkhlN13x1lcjNtPVRo9GSMLyAOG3V50O3sqXHP/AG m/dTqAX2g217Kp7+dxhV20NZsz+iNIhU4r+woi4t5K7L1A5dNkQFzM16hQi4PZVnGFLI aYEQwrCowl35mgPucqfL77EvLwcZycvIVNGmGbbKz2QKd5MHlVm7mNCAMBOG8I2rfsaQ WZz9BndCY8ik14gc0hLgA5AkclDxM3mmPkrMHnPVr6b3LekTenlGhgN9q9YFrV2oXaxC wsMw==
MIME-Version: 1.0
X-Received: by 10.25.206.203 with SMTP id e194mr16756976lfg.166.1448662768036; Fri, 27 Nov 2015 14:19:28 -0800 (PST)
Sender: hallam@gmail.com
Received: by 10.112.1.227 with HTTP; Fri, 27 Nov 2015 14:19:27 -0800 (PST)
In-Reply-To: <20151016100547.0e375a55@latte.josefsson.org>
References: <87fv1fal6s.fsf@latte.josefsson.org> <CAMm+LwhDmnKFGWrcXP2N5W15uiazj+SiYNQvqviXz+6Fp442xQ@mail.gmail.com> <20151016100547.0e375a55@latte.josefsson.org>
Date: Fri, 27 Nov 2015 17:19:27 -0500
X-Google-Sender-Auth: wHJ_sfW7MHgEAz7DCOHDbTa0Lo8
Message-ID: <CAMm+LwhfNBfH6Oj8eq-Zn80MoCOYWQU8qJuWGk-NOOM_QMbheQ@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: Simon Josefsson <simon@josefsson.org>
Content-Type: multipart/alternative; boundary=001a1141257eb030c705258d15a1
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/tmNbzsTINWj5lFg7-K_V8F3rGbI>
Cc: "pkix@ietf.org" <pkix@ietf.org>
Subject: Re: [pkix] Updated elliptic curve drafts
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Nov 2015 22:19:31 -0000

On Fri, Oct 16, 2015 at 4:05 AM, Simon Josefsson <simon@josefsson.org>
wrote:

> > I strongly oppose any new crypto that does not include a fix for the
> > ephemeral keygen.
>
> How is that concern relevant for a new PKIX signature/publickey
> algorithm?  I would assume this is relevant for TLS, OpenPGP, CMS, or
> other higher level protocols, but I don't follow how anything could be
> done at the PKIX level to help here.  Can you elaborate please?



It is quite straightforward. Any time you introduce a backwards
incompatible change, you should look to fix any outstanding errors in the
protocol.

The design of the existing ephemeral key scheme is broken. Introducing an
ephemeral secret should not reduce security, the security of the key should
never fall below the security of the static secret even if the ephemeral is
broken.

Given the number of modes that TLS/1.3 has and given the probability that
it is going to change, what I am looking for is confirmation that the
principle is accepted and understood.