Re: [secdir] Secdir review of draft-herzog-static-ecdh-05

[Stephen Farrell <stephen.farrell@cs.tcd.ie>]

On 17/03/11 01:23, Herzog, Jonathan - 0668 - MITLL wrote:
> 
> I apologize-- when you mentioned this before, I thought you were merely curious about our motivations. I didn't realize that you were suggesting/requesting additional discussion of the topic in the Draft. But your point about this feature of static-static ECDH is well-taken. If you think that it would serve the reader for the document to discuss this, then it should clearly be discussed. I'm not exactly sure what the protocol is for making changes this close to the scheduled discussion, but we would be happy to add a paragraph to the Security Considerations along the lines of:
> 
> 
> "When two parties are communicating using static-static ECDH as described in this document, and either party's asymmetric keys have been centrally generated, it is possible for that party's central infrastructure to decrypt the communication (for application-layer network monitoring or filtering, for example). By way of contrast: were ephemeral-static ECDH to be used instead, such decryption would not be possible by the sender's infrastructure (though it would remain possible for the infrastructure of any recipient.)"
> 
> 
> Thoughts?

Looks fine to me. With an addition like that I'd have no
problem with this.

Formally, I guess just wait and see what the IESG say about
the doc and then update as appropriate. Adding a paragraph
like the above shouldn't be an issue in any event I'd say.

Thanks,
S.

> 
> On Mar 16, 2011, at 8:36 PM, Stephen Farrell wrote:
> 
>>
>> I had a quick look at the -06 version.
>>
>> It still doesn't call out what I think is the real functional
>> difference between static-static (s-s) and ephemeral-static (e-s)
>> which is that with centrally generated private values s-s allows
>> an outbound application layer gateway to decrypt and filter
>> traffic before it leaves the "key generating" domain. With e-s
>> and signing keys, which are the alternative, that is not possible.
>>
>> Some people would like exactly that as a feature. Others would
>> consider it anathema. I think this ought be explicitly called out
>> in the text so that someone who cares doesn't pick the scheme
>> the don't like by accident.
>>
>> S.
>>
>> On 16/03/11 23:58, Sean Turner wrote:
>>> On 3/10/11 4:02 PM, Herzog, Jonathan - 0668 - MITLL wrote:
>>>>
>>>> On Mar 9, 2011, at 5:49 PM, Stephen Farrell wrote:
>>>
>>> ..snip
>>>
>>>> Sean Turner has graciously agreed to step in and handle the IPR issues
>>>> of this draft, so I'll let him address this.
>>>
>>> I submitted a 3rd party IPR statement at 6pm.  I should have done it but
>>> forgot.  It's the same ol' Certicom IPR.  I submitted the same 3rd party
>>> earlier on another draft that mentioned EC algs.
>>>
>>> spt
>>>
> 
>