[rtcweb] Unlinkability and RSA

Watson Ladd <watsonbladd@gmail.com> Sat, 15 March 2014 00:07 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id ED3E41A0116 for <rtcweb@ietfa.amsl.com>; Fri, 14 Mar 2014 17:07:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id ds0hLs8bOR23 for <rtcweb@ietfa.amsl.com>; Fri, 14 Mar 2014 17:07:12 -0700 (PDT)
Received: from mail-yk0-x230.google.com (mail-yk0-x230.google.com [IPv6:2607:f8b0:4002:c07::230]) by ietfa.amsl.com (Postfix) with ESMTP id 4231C1A00C9 for <rtcweb@ietf.org>; Fri, 14 Mar 2014 17:07:12 -0700 (PDT)
Received: by mail-yk0-f176.google.com with SMTP id 19so8630686ykq.7 for <rtcweb@ietf.org>; Fri, 14 Mar 2014 17:07:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=WwfHrXU1NJiIsmLML8Lm8LWIAg4q8hH/zhp9Br4nsD8=; b=Qk+86VolD/3RP6vKdlnVN1PJ7iLpjWhL+1NKf/3LXB58n5d3qybNpOjzm67Tv8tJgY 9CBDiqmb6uP5UIGIpX/cae37FH4m0E5Gk2yktjeiWiZ0du9LkhcmFBF/Kaq8Lgk9qGNZ kqLVrqoBnvkQAueSh+k4+8xP13t/Cuk6sGs0ai9wYUQprqj9pyhM7pUiGtaEigZgVoJ1 OBQeOK6o6oqDZZZpRdka1bMv3jLuIaDTpb2v6J0EOJnu1Q93ZpPipVO4DdiitNh7rAV+ De8EmbiigYCbWjRHLyYNeMH67VgZu2EuFe3bpIJohoaCZzYmwe5YtfZwQJOjC45Npr17 Ao0g==
MIME-Version: 1.0
X-Received: by with SMTP id s63mr15212226yhh.19.1394842025193; Fri, 14 Mar 2014 17:07:05 -0700 (PDT)
Received: by with HTTP; Fri, 14 Mar 2014 17:07:05 -0700 (PDT)
Date: Fri, 14 Mar 2014 17:07:05 -0700
Message-ID: <CACsn0cmfjiUyL-_f6Bfd3bKKmoJwwqnPkabMDMLPQo=TnEH=Yw@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "rtcweb@ietf.org" <rtcweb@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/rtcweb/1be0b9qwTTaC2-x905lL6bd5jgQ
Subject: [rtcweb] Unlinkability and RSA
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 15 Mar 2014 00:07:14 -0000

Dear all,

draft-ietf-rtcweb-security-arch-09 asks "[[OPEN ISSUE: Are these the
right cipher suites?]]" and then describes two RSA suites. They are
secure, but slow, and certificates need to be regenerated frequently
to preserve unlinkability. ECDSA is much more performant, and this
would ameliorate issues relating to certificate regeneration
performance on low-power devices, as well as enable lower-power CPUs
on video devices that intend to interoperate, via custom signalling,
with webRTC.

Secondly, ditch DHE. If you have ECDSA, you have everything for ECDHE,
and it avoids slow, frequently skipped, and necessary checks in the
protocol. I can think of no reason to use it.

Thanks to Justin Uberti for pointing out this issue and the
unlinkability consequences on constrained devices.
Watson Ladd