Re: [TLS] Curve25519 in TLS

"Paul Bakker" <p.j.bakker@offspark.com> Fri, 13 September 2013 09:45 UTC

Return-Path: <p.j.bakker@offspark.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E052421F9E6B for <tls@ietfa.amsl.com>; Fri, 13 Sep 2013 02:45:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.504
X-Spam-Level:
X-Spam-Status: No, score=-0.504 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_NL=0.55, HOST_EQ_NL=1.545]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gAiYu6KtbIrt for <tls@ietfa.amsl.com>; Fri, 13 Sep 2013 02:45:46 -0700 (PDT)
Received: from vps2.brainspark.nl (vps2.brainspark.nl [141.138.204.106]) by ietfa.amsl.com (Postfix) with ESMTP id 282DE21F9E5B for <tls@ietf.org>; Fri, 13 Sep 2013 02:45:46 -0700 (PDT)
Received: from a82-161-132-220.adsl.xs4all.nl ([82.161.132.220] helo=Slimpy) by vps2.brainspark.nl with esmtpsa (TLS1.0:RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <p.j.bakker@offspark.com>) id 1VKPqq-0006x3-AG; Fri, 13 Sep 2013 11:39:44 +0200
From: "Paul Bakker" <p.j.bakker@offspark.com>
To: "'Rob Stradling'" <rob.stradling@comodo.com>, "'Nico Williams'" <nico@cryptonector.com>
References: <a84d7bc61003011620i66fc7dfdre62b548fdd5ef7dd@mail.gmail.com> <522D25B9.7010506@funwithsoftware.org> <56C25B1D-C80F-495A-806C-5DD268731CD4@qut.edu.au> <87zjrl21wp.fsf_-_@latte.josefsson.org> <522ED9A7.7080802@comodo.com> <87fvtbi8ow.fsf@latte.josefsson.org> <5231B8ED.7040301@comodo.com> <9330004B-0BC3-4EDB-91EE-5BA14A4A6CEF@checkpoint.com> <52321039.9060503@comodo.com> <5050f932-9321-449a-be2d-0ad8b667f2f2@email.android.com> <52322AA3.4080503@comodo.com> <CAK3OfOjUor1-_wv3g9_f0YO4Qtufsz1C7z18KRhpFckcdbjXgw@mail.gmail.com> <5232DA89.8090000@comodo.com>
In-Reply-To: <5232DA89.8090000@comodo.com>
Date: Fri, 13 Sep 2013 11:45:33 +0200
Message-ID: <02be01ceb066$00b83cb0$0228b610$@offspark.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQF+hyNKgY88m1ZujYYD6edFPqeJKQIqcoOeAt6xqG4B2Z5cqgHcfQ+ZAcPDkyoB/D4HyAJDyPCKAoDfsvsB5MSjywI9HwvmAsxMgAMCMuWhqZmQlY2Q
Content-Language: nl
X-SA-Exim-Connect-IP: 82.161.132.220
X-SA-Exim-Mail-From: p.j.bakker@offspark.com
X-SA-Exim-Version: 4.2.1 (built Mon, 26 Dec 2011 16:24:06 +0000)
X-SA-Exim-Scanned: Yes (on vps2.brainspark.nl)
Cc: 'Simon Josefsson' <simon@josefsson.org>, 'Patrick Pelletier' <code@funwithsoftware.org>, tls@ietf.org
Subject: Re: [TLS] Curve25519 in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Sep 2013 09:45:51 -0000

> On 12/09/13 22:12, Nico Williams wrote:
> <snip>
> > Of course, in practice it's much easier to deploy new ECDH curves for
> > key agreement than new signature algorithms because the former are
> > easily negotiated in actual protocols, while the latter are less so.
> 
> Disagree, I think.  Doesn't the "Supported Elliptic Curves Extension"
> make it easy enough for TLS?
> 
> RFC4492 (Section 5.3) says:
>    "If the client has used a
>     Supported Elliptic Curves Extension, the public key in the server's
>     certificate MUST respect the client's choice of elliptic curves;"
> 
> So if a TLS Client advertises support for Simon's proposed Curve25519
> NamedCurve, then surely that Client is implying that it supports both
> Curve25519 for key exchange _and_ Curve25519 keys in certs?

I think what Nico means is that the ServerKeyExchange message allows for the
TLS protocol to handle yet-unnamed curves for key-exchange with any client
(that properly handles them).
(http://tools.ietf.org/html/rfc4492#section-5.4)

For the "Supported Elliptic Curves Extension" to 'work' you need the client
to know about the curve beforehand. It has to be named already.
Thus deployment is harder as client actually need to be upgraded.

Regards,
Paul Bakker