Re: [TLS] [Cfrg] Citing specs in specs

Watson Ladd <watsonbladd@gmail.com> Fri, 14 March 2014 06:41 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E3C4C1A005E for <tls@ietfa.amsl.com>; Thu, 13 Mar 2014 23:41:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lw4ZU97g6hfJ for <tls@ietfa.amsl.com>; Thu, 13 Mar 2014 23:41:45 -0700 (PDT)
Received: from mail-yk0-x22c.google.com (mail-yk0-x22c.google.com [IPv6:2607:f8b0:4002:c07::22c]) by ietfa.amsl.com (Postfix) with ESMTP id 4151F1A0058 for <tls@ietf.org>; Thu, 13 Mar 2014 23:41:45 -0700 (PDT)
Received: by mail-yk0-f172.google.com with SMTP id 200so5641296ykr.3 for <tls@ietf.org>; Thu, 13 Mar 2014 23:41:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=KeJDKJbh97JxnYvtqJ/jdevqBlEzv3mwKVebMWf5ywM=; b=qk/WLAwBZklYe3Nh7yYMivXVr7BHzN1gxrQdr86gPO67oHk+cmVZlF2rV975JHo5Bu M2/8loxdz/9Oa6fdkKh+nna5tPislI/ximsWkI1pskFrj3Wy2MiUudqq+fmBvOqI5jyH RQi1neEME4E8LJWEjQnr5Wz92gQTConSwVqamjUbNSduK98tlYQTXxPBA1syp6GsOi0Z Z0dfNpDKUauoE9c4Q4379p2RtpUlabnJ4iaCS9Medo3vf3WEWeL5EJFMD2jG8VLaLwgt reB59NVfJ7nz7g71Jq17sbN8QUN/5Hbwkxt+ivCU35U0Mx0ncTbX8SML5DVvwdQtBzK2 AivA==
MIME-Version: 1.0
X-Received: by 10.236.131.163 with SMTP id m23mr8191169yhi.61.1394779298439; Thu, 13 Mar 2014 23:41:38 -0700 (PDT)
Received: by 10.170.80.214 with HTTP; Thu, 13 Mar 2014 23:41:38 -0700 (PDT)
In-Reply-To: <CF47E638.3591A%paul@marvell.com>
References: <530FDC7A.4060404@cisco.com> <CABqy+srTqCXjOR4DMNgWyxf2pZ7dwZfWyznhBuJaY5w8VeuR4Q@mail.gmail.com> <5310B12E.4070603@cisco.com> <CABqy+srrbtdHOckjPqTj5SFuQwQEqXBjgc8kwagMi8E6ZRf=qg@mail.gmail.com> <28A7736F-A791-4552-8D42-DB99AC7B7F9B@vpnc.org> <CF37EA5F.338D8%paul@marvell.com> <CACsn0cmewBrOzaRF5XXC1p1A_gUSwkdE1_7V-1x8nta-ESyA+A@mail.gmail.com> <CF38F2D4.33940%paul@marvell.com> <2A0EFB9C05D0164E98F19BB0AF3708C711EF97AD05@USMBX1.msg.corp.akamai.com> <7BAC95F5A7E67643AAFB2C31BEE662D018B8516C6E@SC-VEXCH2.marvell.com> <7A2637AF-5A16-404B-B7A1-49FB17D5345A@callas.org> <CF3B846F.3415E%paul@marvell.com> <CACsn0cnyvkD1X5JDPJaoB83jZeFrj=uugMmWG9nPB+4jaC+POw@mail.gmail.com> <CF3BC8BA.34258%paul@marvell.com> <CACsn0c=OBvLfG+Sv1vYbhF9F6+mYSoYEji3SUtUzd7ZLP0fXHw@mail.gmail.com> <5317065E.1090007@cisco.com> <CF47E638.3591A%paul@marvell.com>
Date: Thu, 13 Mar 2014 23:41:38 -0700
Message-ID: <CACsn0cnC+-9P+tLbVot25WnJbXCubJPCbR5qAzFkYgBL1ARArA@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Paul Lambert <paul@marvell.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/2kYEVHAPZW2xytRUI7kf7Teg1kw
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, Jon Callas <jon@callas.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] [Cfrg] Citing specs in specs
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Mar 2014 06:41:48 -0000

On Thu, Mar 13, 2014 at 10:56 PM, Paul Lambert <paul@marvell.com> wrote:
>
>
> On 3/5/14, 7:11 PM, "David McGrew" <mcgrew@cisco.com> wrote:
>
>>On 03/04/2014 12:02 PM, Watson Ladd wrote:
>>> Dear all,
>>> This is provisionally my last word on the matter.
>>>
>>> Any consensus based process only works if people will block a largely
>>> formed consensus for a good reason only. A document being unclear, or
>>> having unanalyzed security properties, or major issues with regards to
>>> alternatives not being discussed are good reasons. But the argument
>>> that Paul I think is making, that until the CFRG produces a draft ala
>>> RFC 6090 for Edwards curve we cannot use them, is fundamentally
>>> unconvincing.
>>>
>>> First off, let me note that black box implementations of Curve25519
>>> using the paper are possible: I've written them, Adam Langley has
>>> written them, as have lots of other people. So that leaves the
>>> argument that the implementations require too much knowledge about
>>> cryptography, and that such an issue is worth blocking specs.
>
> I was never advocating blocking these specifications.

I have to apologise: I misread your initial email as saying that the
Curve25519 was an insufficient normative reference as meaning that it
didn't define things clearly enough, and therefore you thought the
spec was ambiguous. I realise now you meant that, independent of the
citation issue, you wanted more documentation.

>
> The use of Edwards and Montgomery curves for Internet protocols are
> relatively new.  There are gaps in the documentation of these new
> mechanisms that should be filled at some point. I was trying to
> constructively point to worked examples from twenty years of ECC
> specifications.

And that is currently being worked on by Robert Ransom, who seems to
have taken over right now from myself. I'll probably jump in this
weekend and write up the algorithms that are required to compute point
multiples, together with the precautions to avoid side channels.

The big problem with Edwards is we don't have a good point format yet.
Robert Ransom has a good idea, but I haven't seen explicit formulas
for encoding and decoding yet.

Sincerely,
Watson Ladd
>
> Paul
>
>>>
>>> The simplest argument for why it is unconvincing is the date of RFC
>>> 6090 vs. the dates of protocols that included Suite B and ECC. RFC
>>> 4869 includes Suite B a full 4 years before RFC 6090 was published.
>>> Now, it is possible that Paul's argument was valid, but simply wasn't
>>> raised at the time RFC 4869 was being published. But I don't see any
>>> evidence that implementors of RFC 4869 were hamstrung by the
>>> nonexistence of RFC 6090.
>>>
>>> The second reason I am unconvinced is that I don't see why we
>>> shouldn't assume the availability of standard references such as the
>>> Handbook Of Elliptic and Hyperelliptic Curve Cryptography, or volume 2
>>> of Knuth, to implementors. Such documents are available for far less
>>> money than ISO standards, and in many regions of North America, Europe
>>> and Asia, can be found for free in the library. The goal of a spec is
>>> to explain to humans what is to be done: including excessive
>>> information makes this much harder.
>>>
>>> Finally, Mr. Lambert writes in terms of the "onus" being on CFRG to
>>> produce such a document, which he calls a "usable normative
>>> reference". Such a bare assertion is entirely unconvincing.
>>
>> From our charter: "The CFRG serves as a bridge between theory and
>>practice, bringing new cryptographic techniques to the Internet
>>community and promoting an understanding of the use and applicability of
>>these mechanisms via Informational RFCs".     We have an opportunity to
>>promote the understanding, use, and applicability of newer ECC
>>mechanisms, and I hope that we do so.   I woud not say we have the
>>"onus" to do so, but if CFRG does anything in this area, it should do
>>what its charter says.
>>
>>> Furthermore, CFRG owes Paul nothing. While I would be happy to review
>>> such a document for accuracy, I have no obligation to review or
>>> produce such a document, and the same holds for all the members of the
>>> CFRG. I can just as easily say that Mr. Lambert has the onus to
>>> produce such a document.
>>>
>>> I've changed my mind about the desirability of such a document as Mr.
>>> Lambert wants. It would be nice if it existed, and it would be a nice
>>> project to learn CWEB. However, I see no reason to consider the
>>> absence of such a document a good reason to block
>>> draft-josefsson-tls-curve25519-04.
>>
>>draft-josefsson-tls-curve25519-04 defines a way to use a variant of
>>Curve25519 in TLS, by describing the differences between RFC4492
>>(Weierstrass ECC in TLS) and Curve25519 processing, and some differences
>>and clarifications relative to the Curve25519 processing described in
>>the PKC2006 publication.   This is clear from the following quotes:
>>
>>"Private keys MUST be selected as specified in [Curve25519].  That is,
>>private keys are 255-bits numbers with the following properties: ..."
>>
>>"ECPoint.point differs from the definition of public keys in
>>[Curve25519] in two ways: ..."
>>
>>"Again, in line with [RFC4492] and as a departure from the convention
>>chosen in [Curve25519], the x coordinate is converted to a byte  string
>>using big endian order. ..."
>>
>>"The following subsections describe the differences between using
>>Curve25519 and the curves defined by RFC 4492 for key exchange in TLS.
>>... "
>>
>>Defining a new thing by its differences from two existing things is not
>>the best way to get a clear and easy to implement specification.    The
>>authors could improve clarity by brining in more of the description of
>>Curve25519, or by referencing external work such as an informational
>>draft/RFC that describes Curve25519 (preferably the same variant as in
>>draft-josefsson-tls-curve25519).
>>
>>One way that RFC6090 added clarity was by clearly separating normative
>>references from informative ones, and relying only on a small sufficient
>>set of normative references that were early (pre-1994).   It would be
>>good to have this sort of clarity for IETF work on Curve25519.
>>
>>It would be better to have a separate draft/RFC on Curve25519, as
>>described above, because it will be clearer and more conducive to re-use
>>of the mechanism across IETF protocols.   If no separate normative
>>document is produced, then it will be important for
>>draft-josefsson-tls-curve25519 to incorporated a more complete
>>description of Curve25519.
>>
>>Disclaimer: I have not tried to implement
>>draft-josefsson-tls-curve25519, and I'm not claiming that it is
>>ambiguous.   The authors deserve thanks for writing this document. Our
>>aim should be to produce clear, well-understood specifications.   Not
>>all RFC are clear or well-understood, but we don't need to emulate that
>>precedent.
>>
>>David
>>
>>
>>
>>>
>>> Sincerely,
>>> Watson Ladd
>>>
>>> _______________________________________________
>>> TLS mailing list
>>> TLS@ietf.org
>>> https://www.ietf.org/mailman/listinfo/tls
>>>
>>
>



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin