Re: [stir] Stephen Farrell's Discuss on draft-ietf-stir-passport-10: (with DISCUSS)
Stephen Farrell <stephen.farrell@cs.tcd.ie> Fri, 04 November 2016 22:45 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C9B431299C2; Fri, 4 Nov 2016 15:45:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.798
X-Spam-Level:
X-Spam-Status: No, score=-5.798 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.497, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wVA7oULlDgi4; Fri, 4 Nov 2016 15:45:51 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B04251299AA; Fri, 4 Nov 2016 15:45:50 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 0167CBE5B; Fri, 4 Nov 2016 22:45:48 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bXjzTFVORqop; Fri, 4 Nov 2016 22:45:46 +0000 (GMT)
Received: from [10.87.48.210] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 9C0E0BE56; Fri, 4 Nov 2016 22:45:45 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1478299546; bh=P7IDhHHI6bhvuo7PZ++2TrYYvvIpmBHDzWD6UaRZUCM=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From; b=c+2xjyzBQbQLWKL1PnCGgctpDFe5r+AOgaGRui3AOVFhIaOM00UUsbnjAitZFfZju 5KBBxu2qGmLiKOhSm18UDikoXQ1AliLimRfEAVd/4FAc2gbhtO1RLnQ0EYW5ewE8OL F0igiyOpmOwbbQuHVv/4x2jRb0Q3gjlLR7g1R0aE=
To: Chris Wendt <chris-ietf@chriswendt.net>, Eric Burger <eburger@standardstrack.com>
References: <147813889365.24118.12619854983152878871.idtracker@ietfa.amsl.com> <CEF5F03E-023A-4A52-B64E-E336FC2E2977@chriswendt.net> <1E70EB66-4F9A-45FD-BFFE-086435939AC6@standardstrack.com> <78D6C6D9-9782-47FA-8E82-6C6A38C131A2@chriswendt.net>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <d5d49cc0-5399-f113-e11b-0662b5d81f23@cs.tcd.ie>
Date: Fri, 04 Nov 2016 22:45:45 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.4.0
MIME-Version: 1.0
In-Reply-To: <78D6C6D9-9782-47FA-8E82-6C6A38C131A2@chriswendt.net>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms010600050207010401030806"
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/Gq2MZCIzCWzs0N-Co1eGBJEBaI0>
Cc: IETF STIR Mail List <stir@ietf.org>, The IESG <iesg@ietf.org>
Subject: Re: [stir] Stephen Farrell's Discuss on draft-ietf-stir-passport-10: (with DISCUSS)
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Nov 2016 22:45:54 -0000
Hiya, On 04/11/16 19:18, Chris Wendt wrote: > “hobble” is a hugely inappropriate term. Well, arguably so is "hugely inappropriate" :-) I'd agree though that hobble is a teeny bit overstated. I think Eric does have a point though that STIR involves a chunk of new code so the problems aren't as bad as in other situations. I'd also encourage the WG to maybe look some more - as I said in the case of COSE, recent findings were that deterministic ECDSA was available in most crypto libraries now. That might not yet have percolated up to higher level libraries I guess (though last I looked neither had ECDSA, but it's been a while). Nonetheless that doesn't stop you saying something like: "Signers SHOULD use deterministic ECDSA if/when supported in their development environment for the reasons stated in [RFC6979]." As you said, verifiers don't need to care and I think the above is also painless for those writing signing code, but does give better guidance. Sound reasonable? Cheers, S. > > I’m not seeing any huge push to move to deterministic ECDSA although > to be frank i won’t claim to be in the middle of this issue either. > > Seems to me, if deterministic ECDSA becomes the preferred/default > implementation, then problem solved and we didn’t have to change > anything because both are compatible with each other from a signature > validation point of view. > > >> On Nov 4, 2016, at 2:58 PM, Eric Burger >> <eburger@standardstrack.com> wrote: >> >> I would offer saying that the limited, but existing, availability >> of deterministic ECDSA is a barrier to widespread adoption barriers >> for STIR is a non-issue. We are not talking about how to update 300 >> different browser-OS-hardware combinations in the wild where 15% >> are running Mosaic on WindowsXP. We are talking about code that has >> yet to be written. As such, there is no reason to effectively say >> “strong security is not important if the alternative is no >> security” or “we cannot get the major browser players to adopt our >> approach because OpenSSL does not implement the feature.” >> >> Rather, given all this code is being written *today*, there is >> absolutely no reason to hobble STIR before it launches. >> >>> On Nov 4, 2016, at 11:29 AM, Chris Wendt >>> <chris-ietf@chriswendt.net> wrote: >>> >>> Hi Stephen, >>> >>> As Jon mentioned, we can’t claim to have spent time on this, but >>> I did look at over the past two days and discussed it with some >>> of the relevant security folks and I think this would be our >>> position: >>> >>> The main concern around not using deterministic ECDSA is that you >>> “may” have bad random number generators as an input K, and >>> therefore may have some way of looking at patterns and finding >>> exploits perhaps for a given signature. >>> >>> I did a brief survey of popular packages used as part of popular >>> server side languages, golang, java, python, and only found a >>> single mention of python package last updated in early 2015 >>> implementing RFC6979/deterministic ECDSA. >>> >>> Given the availability of solid implementations of RFC6979, I >>> would say we have a big hurdle here to getting acceptance and >>> usage of STIR/passport by implementation providers, and i would >>> have a personal concern that we may force folks to use less >>> tested and less accepted implementations of ECDSA and therefore >>> potentially reduce security from a completely different angle. >>> >>> For the initial deployment of STIR, most implementations are >>> going to be server side in any case where there is less concern >>> about bad random number generation. So i think we are covered >>> until and unless deterministic ECDSA becomes more widely adopted. >>> For the point when smart phones may start doing STIR signatures, >>> perhaps because they are becoming as powerful as PCs, their >>> random generators if they don’t already (i suspect) will provide >>> acceptable security in the signatures as well. >>> >>> One thing i could do in the passport document is have an >>> informative note to talk about this concern and if you are >>> implementing passport signatures on devices without proper random >>> number generation capabilities you may want to consider >>> implementing RFC6979. Signatures that are produced by normal >>> ECDSA and deterministic ECDSA are compatible so there shouldn’t >>> be any concern there. >>> >>> Would that be acceptable? Or after the above discussion do you >>> think that is necessary? >>> >>> Thanks. >>> >>> -Chris >>> >>> >>>> On Nov 2, 2016, at 10:08 PM, Stephen Farrell >>>> <stephen.farrell@cs.tcd.ie> wrote: >>>> >>>> Stephen Farrell has entered the following ballot position for >>>> draft-ietf-stir-passport-10: Discuss >>>> >>>> When responding, please keep the subject line intact and reply >>>> to all email addresses included in the To and CC lines. (Feel >>>> free to cut this introductory paragraph, however.) >>>> >>>> >>>> Please refer to >>>> https://www.ietf.org/iesg/statement/discuss-criteria.html for >>>> more information about IESG DISCUSS and COMMENT positions. >>>> >>>> >>>> The document, along with other ballot positions, can be found >>>> here: >>>> https://datatracker.ietf.org/doc/draft-ietf-stir-passport/ >>>> >>>> >>>> >>>> ---------------------------------------------------------------------- >>>> >>>> DISCUSS: >>>> ---------------------------------------------------------------------- >>>> >>>> >>>> >>>> Deterministic ECDSA (RFC6979) gets rid of a significant weakness >>>> with ECDSA. IIRC when JOSE was done there was a feeling that >>>> adding a MUST or SHOULD for that was tricky due to lack of >>>> support in libraries. When we recently re-checked for COSE, the >>>> answer was that today, it's ok to have that as a MUST or >>>> SHOULD. (If some kind of FIPS-140 stuff precludes a MUST, then >>>> a "SHOULD unless you're sad enough to be stuck having to pay >>>> lip lipservice to FIPS-140" clause might be right. So the >>>> DISCUSS point here is: given the real-world demonstrated >>>> weakness inherent in the need for an RNG in ECDSA why didn't >>>> the WG choose to at least RECOMMEND deterministic ECDSA? (Or >>>> better, make it a MUST.) >>>> >>>> If the answer is: "we thought about it [ref] and decided to not >>>> require deterministic" then I'll clear. But even if the WG did >>>> consider it a couple of years ago, the situation may have >>>> changed so a quick re-think might be worthwhile. >>>> >>>> >>>> >>>> >>> >>> _______________________________________________ stir mailing >>> list stir@ietf.org https://www.ietf.org/mailman/listinfo/stir >> >> _______________________________________________ stir mailing list >> stir@ietf.org https://www.ietf.org/mailman/listinfo/stir > > _______________________________________________ stir mailing list > stir@ietf.org https://www.ietf.org/mailman/listinfo/stir >
- [stir] Stephen Farrell's Discuss on draft-ietf-st… Stephen Farrell
- Re: [stir] Stephen Farrell's Discuss on draft-iet… Peterson, Jon
- Re: [stir] Stephen Farrell's Discuss on draft-iet… Chris Wendt
- Re: [stir] Stephen Farrell's Discuss on draft-iet… Eric Burger
- Re: [stir] Stephen Farrell's Discuss on draft-iet… Chris Wendt
- Re: [stir] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [stir] Stephen Farrell's Discuss on draft-iet… Chris Wendt
- Re: [stir] Stephen Farrell's Discuss on draft-iet… Chris Wendt