Re: [TLS] I-D Action: draft-ietf-tls-curve25519-00.txt

Dave Garrett <davemgarrett@gmail.com> Mon, 15 June 2015 20:33 UTC

From: Dave Garrett <davemgarrett@gmail.com>
To: tls@ietf.org
Date: Mon, 15 Jun 2015 16:33:27 -0400
User-Agent: KMail/1.13.5 (Linux/2.6.32-74-generic-pae; KDE/4.4.5; i686; ; )
References: <20150612180230.4804.45802.idtracker@ietfa.amsl.com> <20150615130345.GJ14121@mournblade.imrryr.org> <CABkgnnW2RF+Ft73TVs95pDe-CxmF0M_KipdEcvRzQbzRkHks1g@mail.gmail.com>
In-Reply-To: <CABkgnnW2RF+Ft73TVs95pDe-CxmF0M_KipdEcvRzQbzRkHks1g@mail.gmail.com>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <201506151633.28010.davemgarrett@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/2Ahap-mgffbT80Y8MWAl55CmiWQ>
Subject: Re: [TLS] I-D Action: draft-ietf-tls-curve25519-00.txt

On Monday, June 15, 2015 12:57:50 pm Martin Thomson wrote:
> I'm saying that we need one named_curve for 25519 + ECDH and another
> for Ec25519 + "ECDSA".

Related issue:
"Add ability to negotiate curves for ECDHE independently of curves for ECDSA signatures #162"
https://github.com/tlswg/tls13-spec/issues/162

https://tlswg.github.io/tls13-spec/#negotiated-groups

The simple solution would just be to fork all codepoints into separate ECDH & ECDSA versions (except the 10 or so <100-bit security level ones that should just get dropped). If this already effectively needs to be done for Curve25519, then doing it for all at once seems like the most straightforward route. There are enough bits available that the high bit could just be used to indicate ECDSA-only, all the new ones could just be old+0x8000, and they'd be easy to distinguish from each other as needed.


Dave
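What the "high bit means ECDSA-only" split proposed in the message above would look like on the wire, as an added example that is not code from the thread, the TLS 1.3 draft or any TLS implementation. It encodes and parses the 2-byte-length-prefixed list of 16-bit NamedCurve codepoints used by the elliptic_curves / supported_groups extension (RFC 4492 / RFC 8422), and partitions an offered list into the curves a peer could use for ECDHE versus ECDSA. The base values 23/24/25 are the real IANA assignments for secp256r1/secp384r1/secp521r1; the ECDSA-only values (old + 0x8000) exist only in this proposal and were never assigned by IANA, and the function names are this example's own. TLS 1.3 as finally published does not use this split (it negotiates signature curves through signature_algorithms instead), so treat the scheme as the message's hypothetical.

```python
"""Hypothetical 'high bit = ECDSA-only' fork of the NamedCurve codepoint space.

Added example; the 0x8000-prefixed values are the proposal's assumption,
not registered codepoints.
"""
import struct

ECDSA_ONLY_BIT = 0x8000  # proposal: new ECDSA-only codepoint = old + 0x8000

# Real IANA NamedCurve assignments (RFC 4492 / RFC 8422 registry).
NAMED_CURVES = {
    23: "secp256r1",
    24: "secp384r1",
    25: "secp521r1",
}


def ecdsa_only(codepoint):
    """Forked 'ECDSA with this curve' codepoint under the proposal."""
    if not 0 <= codepoint < ECDSA_ONLY_BIT:
        raise ValueError("base codepoint must fit in 15 bits: %r" % codepoint)
    return codepoint | ECDSA_ONLY_BIT


def split_codepoint(codepoint):
    """Return (base_codepoint, usage); usage is 'ecdh' or 'ecdsa'."""
    if not 0 <= codepoint <= 0xFFFF:
        raise ValueError("NamedCurve codepoints are 16-bit: %r" % codepoint)
    usage = "ecdsa" if codepoint & ECDSA_ONLY_BIT else "ecdh"
    return codepoint & ~ECDSA_ONLY_BIT & 0xFFFF, usage


def encode_supported_groups(codepoints):
    """Serialize the extension body: 2-byte length, then 16-bit codepoints."""
    body = b"".join(struct.pack("!H", cp) for cp in codepoints)
    return struct.pack("!H", len(body)) + body


def decode_supported_groups(data):
    """Strict parse of the extension body back into a list of codepoints.

    Rejects a length that disagrees with the bytes present, an odd length,
    or an empty list, so a truncated or padded extension is not silently
    interpreted.
    """
    if len(data) < 2:
        raise ValueError("truncated length field")
    (length,) = struct.unpack("!H", data[:2])
    body = data[2:]
    if length != len(body) or length % 2 != 0 or length < 2:
        raise ValueError("malformed named_curve_list length %d" % length)
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(0, length, 2)]


def negotiable_sets(codepoints):
    """Partition an offered list into ECDHE-usable and ECDSA-usable curves.

    Unknown base codepoints are skipped rather than rejected, so a peer
    advertising something we do not implement does not abort the handshake.
    """
    ecdh, ecdsa = [], []
    for cp in codepoints:
        base, usage = split_codepoint(cp)
        name = NAMED_CURVES.get(base)
        if name is None:
            continue
        (ecdh if usage == "ecdh" else ecdsa).append(name)
    return ecdh, ecdsa


def demo():
    """Constructed offer: ECDHE on P-256 and P-384, ECDSA only on P-256."""
    offered = [23, 24, ecdsa_only(23)]
    wire = encode_supported_groups(offered)
    return negotiable_sets(decode_supported_groups(wire))


if __name__ == "__main__":
    print(demo())
```

The point of keeping the fork inside the same 16-bit space is visible in `split_codepoint`: a receiver that implements the proposal needs one mask to recover the base curve and the intended use, while one that does not will simply see 0x8017 as an unknown curve and ignore it.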