Re: [secdir] I-D Action: draft-harkins-brainpool-ike-groups-00.txt
"Dan Harkins" <dharkins@lounge.org> Tue, 28 August 2012 15:48 UTC
Return-Path: <dharkins@lounge.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4478E21F851C for <secdir@ietfa.amsl.com>; Tue, 28 Aug 2012 08:48:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.219
X-Spam-Level:
X-Spam-Status: No, score=-6.219 tagged_above=-999 required=5 tests=[AWL=0.046, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j3TZDr8rCkb9 for <secdir@ietfa.amsl.com>; Tue, 28 Aug 2012 08:48:17 -0700 (PDT)
Received: from colo.trepanning.net (colo.trepanning.net [69.55.226.174]) by ietfa.amsl.com (Postfix) with ESMTP id 9D2EE21F851B for <secdir@ietf.org>; Tue, 28 Aug 2012 08:48:17 -0700 (PDT)
Received: from www.trepanning.net (localhost [127.0.0.1]) by colo.trepanning.net (Postfix) with ESMTP id 28CAE1022404A; Tue, 28 Aug 2012 08:48:17 -0700 (PDT)
Received: from 69.12.173.8 (SquirrelMail authenticated user dharkins@lounge.org) by www.trepanning.net with HTTP; Tue, 28 Aug 2012 08:48:17 -0700 (PDT)
Message-ID: <f78fae22050825d0da20c332fc4136d4.squirrel@www.trepanning.net>
In-Reply-To: <DDAF3F15-4C72-4CC9-AC4D-29D7496A7BD3@mimectl>
References: <20120809010519.15222.89232.idtracker@ietfa.amsl.com> <503CAA6F.30302@ieca.com> <9035196F-001D-4E15-B6D6-30B59BEBBB01@cs.tcd.ie>, <73F8581B-716F-4466-8F6B-645206789C5E@checkpoint.com> <DDAF3F15-4C72-4CC9-AC4D-29D7496A7BD3@mimectl>
Date: Tue, 28 Aug 2012 08:48:17 -0700
From: Dan Harkins <dharkins@lounge.org>
To: "Polk, William T." <william.polk@nist.gov>
User-Agent: SquirrelMail/1.4.14 [SVN]
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Cc: "dharkins@arubanetworks.com" <dharkins@arubanetworks.com>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] I-D Action: draft-harkins-brainpool-ike-groups-00.txt
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Aug 2012 15:48:18 -0000
Hi Tim, On Tue, August 28, 2012 7:28 am, Polk, William T. wrote: > hi Dan, > > Thanks for getting this work underway. > > First observation: I think a reference to RFC 6090 is warranted. Yes, good point. I'll add a reference to it at the start of section 2 where the equation for the curves is noted. > Second Observation: 80 bit crypto is on its last legs. Do we really need > to specify curves with less than 112 bit strength? There is the notion that "if it's worth protecting, it's worth protecting properly" and I'm not sure of the current usefulness of 80-bit crypto but this is more for completeness. The Brainpool defined them and I'm just asking for a magic numbers to be assigned to all the defined curves. That also is the the answer to the "14 code points, oh my!" comments. Note that we still have over 32,000 code points available so we're talking about taking 4/100th of 1%. > Third Observation: The security considerations section does not address > the security strength of 192 or 384 bit curves. It feels incomplete, > although I guess most readers can work it out for themselves. I refer the reader to RFC 5639 which mentions the security considerations of the curves. If you like I can also mention something about how the best known attacks run on the order of the square root of the order. Would that be satisfactory? > General observation: my experience is that specifying so many curves > dilutes implementer enthusiasm. We finally started to get some interest > in ECC support for FIPS 201 when we pared the list down from six curves in > three families to two prime curves (P-256 and P-384). That is a very good observation. I guess we should talk to the Brainpool. Their consortium seems to have some large and important companies in it. The concern is that one of the members would promote the use of a particular curve in some operational or regulatory fashion and it's important that the users of the IKEv1 registry be able to work anywhere. > Specifying two alternatives for each security level feels like an > implementer's nightmare. Are Brainpool implementations general enough to > handle the normal and twisted curves at a particular level? If the > implementations are agnostic, maybe that should get noted in yout > insecurity considerations. You're right, it is a nightmare! As it turns out quite a few of my test vectors are wrong. I think implementations will be agnostic and I will mention agnosticism. thanks for your comments! Dan. > Tim > > ________________________________ > From: secdir-bounces@ietf.org [secdir-bounces@ietf.org] On Behalf Of Yoav > Nir [ynir@checkpoint.com] > Sent: Tuesday, August 28, 2012 7:52 AM > To: Stephen Farrell > Cc: secdir@ietf.org > Subject: Re: [secdir] I-D Action: > draft-harkins-brainpool-ike-groups-00.txt > > > On Aug 28, 2012, at 2:31 PM, Stephen Farrell wrote: > >> >> >> On 28 Aug 2012, at 12:24, Sean Turner <turners@ieca.com> wrote: >> >>> BTW - Dan's submitted a draft about the topic we had in Vancouver. >>> Comments are welcome. >> >> I've one: I didn't realize Dan wanted 14 code points. That seems a lot. > > BTW: Johannes Merkle submitted > http://tools.ietf.org/html/draft-merkle-ikev2-ke-brainpool-00 that > requests points for the same curves for IKEv2. > > I'm wondering if we really need 7 different strengths as opposed to, say, > 3, and whether we need both a twisted and non-twisted variation for each. > Neither document discusses the why one would prefer the twisted to the > non-twisted variant, or the non-twisted to the twisted. RFC 5639 does not > give such considerations either, but documents that relate to protocols > should IMO. > > Yoav > > _______________________________________________ > secdir mailing list > secdir@ietf.org > https://www.ietf.org/mailman/listinfo/secdir > wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview > _______________________________________________ > secdir mailing list > secdir@ietf.org > https://www.ietf.org/mailman/listinfo/secdir > wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview >
- [secdir] Fwd: I-D Action: draft-harkins-brainpool… Sean Turner
- Re: [secdir] Fwd: I-D Action: draft-harkins-brain… Stephen Farrell
- Re: [secdir] I-D Action: draft-harkins-brainpool-… Yoav Nir
- Re: [secdir] I-D Action: draft-harkins-brainpool-… Polk, William T.
- Re: [secdir] I-D Action: draft-harkins-brainpool-… Dan Harkins
- Re: [secdir] I-D Action: draft-harkins-brainpool-… Yaron Sheffer
- Re: [secdir] [IPsec] I-D Action: draft-harkins-br… Dan Harkins
- Re: [secdir] [IPsec] I-D Action: draft-harkins-br… Paul Hoffman
- Re: [secdir] [IPsec] I-D Action: draft-harkins-br… Dan Harkins
- Re: [secdir] Fwd: I-D Action: draft-harkins-brain… Tero Kivinen
- Re: [secdir] [IPsec] I-D Action: draft-harkins-br… Tero Kivinen
- Re: [secdir] Fwd: I-D Action: draft-harkins-brain… Donald Eastlake