Re: [secdir] a few new algs and a bunch of deprecation
Simon Josefsson <simon@josefsson.org> Wed, 04 November 2015 11:02 UTC
Return-Path: <simon@josefsson.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 669FD1B2D61 for <secdir@ietfa.amsl.com>; Wed, 4 Nov 2015 03:02:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.551
X-Spam-Level:
X-Spam-Status: No, score=-1.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2eOA_rkh8xHX for <secdir@ietfa.amsl.com>; Wed, 4 Nov 2015 03:02:47 -0800 (PST)
Received: from duva.sjd.se (duva.sjd.se [IPv6:2001:9b0:1:1702::100]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 99C8E1B2D62 for <secdir@ietf.org>; Wed, 4 Nov 2015 03:02:46 -0800 (PST)
Received: from iller (c-c5b7e355.014-1001-73746f1.cust.bredbandsbolaget.se [85.227.183.197]) (authenticated bits=0) by duva.sjd.se (8.14.4/8.14.4/Debian-4) with ESMTP id tA4B2QVV023008 (version=TLSv1/SSLv3 cipher=AES128-GCM-SHA256 bits=128 verify=NOT); Wed, 4 Nov 2015 12:02:27 +0100
Message-ID: <1446634943.26563.23.camel@josefsson.org>
From: Simon Josefsson <simon@josefsson.org>
To: Yoav Nir <ynir.ietf@gmail.com>
Date: Wed, 04 Nov 2015 12:02:23 +0100
In-Reply-To: <5113E79E-D8DA-4B19-A730-2EDC58FCE41A@gmail.com>
References: <56383A36.3020200@cs.tcd.ie> <20151103095611.33a536b9@latte.josefsson.org> <5113E79E-D8DA-4B19-A730-2EDC58FCE41A@gmail.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="=-vCq36tUWAdurqQYTK6dc"
X-Mailer: Evolution 3.12.9-1+b1
Mime-Version: 1.0
X-Virus-Scanned: clamav-milter 0.98.7 at duva.sjd.se
X-Virus-Status: Clean
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/oxJntUQFCnOWEnUl2noICiUq6oA>
Cc: "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] a few new algs and a bunch of deprecation
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Nov 2015 11:02:49 -0000
tis 2015-11-03 klockan 21:48 +0900 skrev Yoav Nir: > > On 3 Nov 2015, at 5:56 PM, Simon Josefsson <simon@josefsson.org> wrote: > > > > I'm following Curve25519/Ed25519 use in IETF protocols and is > > interested in helping that effort. It seems the intersection between > > this putative WG and existing WGs needs to be carefully explained > > though, it isn't clear to me how it could be done. Isn't deprecating > > crypto parts of a protocol up to each protocol community to think > > about? We've seen with TLS, OpenPGP, Secure Shell and PKIX that > > adding Curve25519/Ed25519 is highly protocol specific and requires > > domain knowledge. > > My take on this is the exact opposite. We’ve added ChaCha20/Poly1305 to SSH and TLS and IPsec. Same algorithm in all three (yes, I know SSH uses the old construction). > > We’re adding Curve25519/Ed25519 to SSH and TLS and IKE and PGP and PKIX. Same algorithm for all of them. Curve25519/Ed25519 will be published through CFRG so the algorithm description is covered there -- but the integration into each protocol proved to contain protocol-specific differences and considerations. I'm concerned that a separate WG will get such details wrong, or will have confusing overlap with any established WG. For ChaCha20/Poly1305 I agree, but it it is a simple add-in for any protocol that supports AEAD constructs. > Is it safe to use SHA-1 in signatures? Regardless of what you think the answer is, it is the same in TLS and PGP and IKE and SSH and PKIX. > > I think the best thing with such algorithms is to have guidance documents from either CFRG or Security AD-sponsored, and then have the separate protocol documents be little more than code point allocations. I agree. What do you see a putative WG doing then? Code point allocation discussion typically happens in each protocol WG, if there is any. For Secure Shell and PKIX where there aren't active WGs, I suppose Security AD-sponsored would work. Saying that you MUST NOT rely on SHA1 to provide collision resistance is an obvious document to publish (isn't there one already?), but I'm not sure it needs a WG around it. /Simon
- [secdir] a few new algs and a bunch of deprecation Stephen Farrell
- Re: [secdir] a few new algs and a bunch of deprec… Simon Josefsson
- Re: [secdir] a few new algs and a bunch of deprec… Yoav Nir
- Re: [secdir] a few new algs and a bunch of deprec… Stephen Farrell
- Re: [secdir] a few new algs and a bunch of deprec… Simon Josefsson
- Re: [secdir] a few new algs and a bunch of deprec… Stephen Farrell