Re: [TLS] Strawman on EdDSA/Ed25519 in TLS

Ilari Liusvaara <> Wed, 20 May 2015 20:30 UTC

Date: Wed, 20 May 2015 23:30:11 +0300
From: Ilari Liusvaara <>
To: Simon Josefsson <>
Message-ID: <20150520203011.GA25549@LK-Perkele-VII>

On Wed, May 20, 2015 at 07:14:47PM +0200, Simon Josefsson wrote:
> Support for EdDSA/Ed25519 in TLS has been suggested a couple of times.
> I have started to work on an I-D to describe more precisely what that
> would actually mean, and here is an initial strawman document:
> I'm confident I missed some major pieces of the puzzle, but feedback and
> review is welcome so the document can be improved into something that
> can be implemented and interoperate.

More ciphersuites? The signature algorithm negotiation (extension 13)
doesn't work in practice?

> One aspect I'm aware of is that there is no OID allocated nor
> specification of PKIX certificates with EdDSA/Ed25519 public keys.  I'm
> not sure the above document is the right place for doing that though,
> and more thinking around this topic is especially appreciated.

AFAIK, a way to put the key into PKIX SPKI is required for the
new signature algorithm to be useful.

And that means OIDs. The curve itself is,
but AFAIK, there is no OID for the signature primitive.

I think one can find more expertise about how to put various
keys into SPKI in the PKIX mailinglist.

Reading the PKIX specs, it seems like there are two ways:

1) Use algorithm "Unrestricted" and use a new point format to
denote LE edwards points.

2) Define new algorithm (OID) for EdDSA, put the curve OID
as parameter and the LE edwards point as the key.