IETF Logo Mail Archive

Re: [stir] Stephen Farrell's Discuss on draft-ietf-stir-passport-10: (with DISCUSS)

Chris Wendt <chris-ietf@chriswendt.net> Fri, 04 November 2016 19:19 UTC

Return-Path: <chris-ietf@chriswendt.net>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 015CC129658 for <stir@ietfa.amsl.com>; Fri, 4 Nov 2016 12:19:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=chriswendt-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bMy85G0zs6sZ for <stir@ietfa.amsl.com>; Fri, 4 Nov 2016 12:19:01 -0700 (PDT)
Received: from mail-qt0-x22a.google.com (mail-qt0-x22a.google.com [IPv6:2607:f8b0:400d:c0d::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 285BC129656 for <stir@ietf.org>; Fri, 4 Nov 2016 12:19:01 -0700 (PDT)
Received: by mail-qt0-x22a.google.com with SMTP id w33so54285219qtc.3 for <stir@ietf.org>; Fri, 04 Nov 2016 12:19:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chriswendt-net.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=dIcpBYxnqhCht+jDGAvEyUO0jBscIL7xD4qiFdfAk/w=; b=oCjibiDF/7ZoWLqRjr+uikoOCVwRdZ+XXm7Cjgd5VA8HndP0+fe+zm/EjosIXF1nQR nAwAU5VH0fHJ+hw6lNfsdqUm+yHjQ5D96e2tShUxR/WZZyO4EC6SRt62akVHmdtwsvvi 6yITWthE1C6an60DibB8JFkB+2d9cBk/JbbnAzz4DRRrLHzofXnV0d0Q3EIWEtadLD6o mR9ERl0CSrO9brGRPdso8AEp9TSyUKiAJtohkZVeXxT2TZ9K6QBoFZxoinSY+U1ZNoCm cDHVe4hZ5YJcI96PSuvZFDFh10qzRQIScYPrOO4zpSTeubWRw4+dLwaM+QTnYALlYs/E kKyg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=dIcpBYxnqhCht+jDGAvEyUO0jBscIL7xD4qiFdfAk/w=; b=NSXbth9hZSTyZTDSV4doCLJ0l+WXJ7114k7m6hZ88EqJ7inqpsAhDQF4rH++bAsS+D A/mvvywphAHKefBaodvu7MT9xyeBmUsHA0LBZGnxN5Da2ogdKkPAjNojUvFn3I5k+Gcd hloTRh7UCKqvw0CVxm67RFl4dprJiX2ZoZigPGnynAgT9rg9O8Z3huhd5L412IZF2Hbg X5m578nhJicXEmnNLCekSzJR98U4nJE5CcRIBzRXEPEZGacoH0GO0Ees8Df6/ZNnjQMF R+blCu1qOhV6Rftz8EQwwoVT+Q5RJmNR2j6yj5DJBO3nVeuXasO7FwRU72u9e5xhi/Sr ev1Q==
X-Gm-Message-State: ABUngvcrq00jsSU7Jicy8M+D8/i3egG/Mdus7k/itlpmUsja9Cit7YHZHWQlT4XOM67djQ==
X-Received: by 10.237.48.37 with SMTP id 34mr15655886qte.111.1478287140166; Fri, 04 Nov 2016 12:19:00 -0700 (PDT)
Received: from [172.31.99.102] (96-83-244-75-static.hfc.comcastbusiness.net. [96.83.244.75]) by smtp.gmail.com with ESMTPSA id a54sm8360044qta.49.2016.11.04.12.18.59 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 04 Nov 2016 12:18:59 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 10.1 \(3251\))
From: Chris Wendt <chris-ietf@chriswendt.net>
In-Reply-To: <1E70EB66-4F9A-45FD-BFFE-086435939AC6@standardstrack.com>
Date: Fri, 04 Nov 2016 15:18:58 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <78D6C6D9-9782-47FA-8E82-6C6A38C131A2@chriswendt.net>
References: <147813889365.24118.12619854983152878871.idtracker@ietfa.amsl.com> <CEF5F03E-023A-4A52-B64E-E336FC2E2977@chriswendt.net> <1E70EB66-4F9A-45FD-BFFE-086435939AC6@standardstrack.com>
To: Eric Burger <eburger@standardstrack.com>
X-Mailer: Apple Mail (2.3251)
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/KIjkVjk1Zc_2C1l9m_vizPttue4>
Cc: IETF STIR Mail List <stir@ietf.org>, The IESG <iesg@ietf.org>
Subject: Re: [stir] Stephen Farrell's Discuss on draft-ietf-stir-passport-10: (with DISCUSS)
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Nov 2016 19:19:14 -0000

“hobble” is a hugely inappropriate term.

I’m not seeing any huge push to move to deterministic ECDSA although to be frank i won’t claim to be in the middle of this issue either.

Seems to me, if deterministic ECDSA becomes the preferred/default implementation, then problem solved and we didn’t have to change anything because both are compatible with each other from a signature validation point of view.


> On Nov 4, 2016, at 2:58 PM, Eric Burger <eburger@standardstrack.com> wrote:
> 
> I would offer saying that the limited, but existing, availability of deterministic ECDSA is a barrier to widespread adoption barriers for STIR is a non-issue. We are not talking about how to update 300 different browser-OS-hardware combinations in the wild where 15% are running Mosaic on WindowsXP. We are talking about code that has yet to be written. As such, there is no reason to effectively say “strong security is not important if the alternative is no security” or “we cannot get the major browser players to adopt our approach because OpenSSL does not implement the feature.”
> 
> Rather, given all this code is being written *today*, there is absolutely no reason to hobble STIR before it launches.
> 
>> On Nov 4, 2016, at 11:29 AM, Chris Wendt <chris-ietf@chriswendt.net> wrote:
>> 
>> Hi Stephen,
>> 
>> As Jon mentioned, we can’t claim to have spent time on this, but I did look at over the past two days and discussed it with some of the relevant security folks and I think this would be our position:
>> 
>> The main concern around not using deterministic ECDSA is that you “may” have bad random number generators as an input K, and therefore may have some way of looking at patterns and finding exploits perhaps for a given signature.
>> 
>> I did a brief survey of popular packages used as part of popular server side languages, golang, java, python, and only found a single mention of python package last updated in early 2015 implementing RFC6979/deterministic ECDSA.
>> 
>> Given the availability of solid implementations of RFC6979, I would say we have a big hurdle here to getting acceptance and usage of STIR/passport by implementation providers, and i would have a personal concern that we may force folks to use less tested and less accepted implementations of ECDSA and therefore potentially reduce security from a completely different angle.
>> 
>> For the initial deployment of STIR, most implementations are going to be server side in any case where there is less concern about bad random number generation.  So i think we are covered until and unless deterministic ECDSA becomes more widely adopted.  For the point when smart phones may start doing STIR signatures, perhaps because they are becoming as powerful as PCs, their random generators if they don’t already (i suspect) will provide acceptable security in the signatures as well.
>> 
>> One thing i could do in the passport document is have an informative note to talk about this concern and if you are implementing passport signatures on devices without proper random number generation capabilities you may want to consider implementing RFC6979.  Signatures that are produced by normal ECDSA and deterministic ECDSA are compatible so there shouldn’t be any concern there.
>> 
>> Would that be acceptable?  Or after the above discussion do you think that is necessary?
>> 
>> Thanks.
>> 
>> -Chris
>> 
>> 
>>> On Nov 2, 2016, at 10:08 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
>>> 
>>> Stephen Farrell has entered the following ballot position for
>>> draft-ietf-stir-passport-10: Discuss
>>> 
>>> When responding, please keep the subject line intact and reply to all
>>> email addresses included in the To and CC lines. (Feel free to cut this
>>> introductory paragraph, however.)
>>> 
>>> 
>>> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
>>> for more information about IESG DISCUSS and COMMENT positions.
>>> 
>>> 
>>> The document, along with other ballot positions, can be found here:
>>> https://datatracker.ietf.org/doc/draft-ietf-stir-passport/
>>> 
>>> 
>>> 
>>> ----------------------------------------------------------------------
>>> DISCUSS:
>>> ----------------------------------------------------------------------
>>> 
>>> 
>>> Deterministic ECDSA (RFC6979) gets rid of a significant weakness
>>> with ECDSA. IIRC when JOSE was done there was a feeling that adding a
>>> MUST or SHOULD for that was tricky due to lack of support in
>>> libraries. When we recently re-checked for COSE, the answer was
>>> that today, it's ok to have that as a MUST or SHOULD. (If some
>>> kind of FIPS-140 stuff precludes a MUST, then a "SHOULD unless
>>> you're sad enough to be stuck having to pay lip lipservice to
>>> FIPS-140" clause might be right. So the DISCUSS point here is:
>>> given the real-world demonstrated weakness inherent in the need
>>> for an RNG in ECDSA why didn't the WG choose to at least RECOMMEND
>>> deterministic ECDSA? (Or better, make it a MUST.)
>>> 
>>> If the answer is: "we thought about it [ref] and decided to not require
>>> deterministic" then I'll clear. But even if the WG did consider it
>>> a couple of years ago, the situation may have changed so a quick
>>> re-think might be worthwhile.
>>> 
>>> 
>>> 
>>> 
>> 
>> _______________________________________________
>> stir mailing list
>> stir@ietf.org
>> https://www.ietf.org/mailman/listinfo/stir
> 
> _______________________________________________
> stir mailing list
> stir@ietf.org
> https://www.ietf.org/mailman/listinfo/stir

v2.23.0 | Report a Bug | By Email