[saag] Re: The curve mess, and lessons for more crypto

Loganaden Velvindron <loganaden@gmail.com> Sun, 08 September 2024 07:14 UTC

From: Loganaden Velvindron <loganaden@gmail.com>
Date: Sun, 08 Sep 2024 11:14:15 +0400
Message-ID: <CAOp4FwQeZZAhjay9=TqEnfoAWVQMO_SgA37xbkbH6zAxdX63Sw@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
CC: IETF SAAG <saag@ietf.org>
Subject: [saag] Re: The curve mess, and lessons for more crypto
List-Id: Security Area Advisory Group <saag.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/2S5lTElpbcwrmt8mDyHo6j1jsCU>

On Sun, 8 Sept 2024 at 02:35, Watson Ladd <watsonbladd@gmail.com> wrote:
>
> Dear all,
>
> For the past 9 years we've all tried to forget the fiasco that was the
> process leading up to the publication of RFC 7745. It ruined several
> collegial relationships: I understand some people don't talk to each
> other as a result. It made academics afraid to talk to the IETF,
> leading to issues for working groups like TLS. And as we realize that
> the current situation with ciphersuite registration and ordinary
> crypto RFCs is untenable for the CFRG and other groups, we've not
> really talked about the lessons to learn from it.
>
> I'm going to set forth what I think are the lessons: I understand
> people may disagree. I'm going to endeavor not to rehash what was many,
> many emails over 3 years, but the end result was that the curves in
> the original draft "won" while some other proposals went nowhere, and
> the Brainpool curves still have registrations.
>
> To my mind the fundamental lesson is that the IETF/IRTF consensus
> model does not do well when one proposal must win. Furthermore, as we
> aren't the protocol police, winning doesn't actually do much to
> advance what happens or change the Internet. Therefore we should avoid
> having contests and choose to let participants in the ecosystem decide
> what of several equivalent proposals will survive. This suggests being
> much more lax about WGs introducing crypto proposals and selecting
> them than some views I've heard expressed, because we really cannot
> effectively say no, and saying "only one must survive" does a lot of
> damage.
>
It's pretty clear that de facto adoption is happening for some curves.

(e.g.: https://github.com/apache/mina-sshd/commit/4f2ccf885292adde1d3a0d5f9abd9fb513b07688)

Usage of sntrup761x25519-sha512@openssh.com is likely to increase over time ...