Re: [TLS] Curve25519 in TLS

Rob Stradling <rob.stradling@comodo.com> Tue, 10 September 2013 08:35 UTC

Return-Path: <rob.stradling@comodo.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 647E721F9C4F for <tls@ietfa.amsl.com>; Tue, 10 Sep 2013 01:35:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TU8-sJ+Yhr09 for <tls@ietfa.amsl.com>; Tue, 10 Sep 2013 01:35:01 -0700 (PDT)
Received: from mmmail1.mcr.colo.comodoca.net (mdfw.comodoca.net [91.209.196.68]) by ietfa.amsl.com (Postfix) with ESMTP id 5F00321E8180 for <tls@ietf.org>; Tue, 10 Sep 2013 01:34:52 -0700 (PDT)
Received: (qmail 27426 invoked from network); 10 Sep 2013 08:34:48 -0000
Received: from ian.brad.office.comodo.net (192.168.0.202) by mail.colo.comodoca.net with ESMTPS (DHE-RSA-AES256-SHA encrypted); 10 Sep 2013 08:34:48 -0000
Received: (qmail 24832 invoked by uid 1000); 10 Sep 2013 08:34:47 -0000
Received: from nigel.brad.office.comodo.net (HELO [192.168.0.58]) (192.168.0.58) (smtp-auth username rob, mechanism plain) by ian.brad.office.comodo.net (qpsmtpd/0.40) with (CAMELLIA256-SHA encrypted) ESMTPSA; Tue, 10 Sep 2013 09:34:47 +0100
Message-ID: <522ED9A7.7080802@comodo.com>
Date: Tue, 10 Sep 2013 09:34:47 +0100
From: Rob Stradling <rob.stradling@comodo.com>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
MIME-Version: 1.0
To: Simon Josefsson <simon@josefsson.org>
References: <a84d7bc61003011620i66fc7dfdre62b548fdd5ef7dd@mail.gmail.com> <522D25B9.7010506@funwithsoftware.org> <56C25B1D-C80F-495A-806C-5DD268731CD4@qut.edu.au> <87zjrl21wp.fsf_-_@latte.josefsson.org>
In-Reply-To: <87zjrl21wp.fsf_-_@latte.josefsson.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: Patrick Pelletier <code@funwithsoftware.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Curve25519 in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Sep 2013 08:35:05 -0000

On 09/09/13 21:08, Simon Josefsson wrote:
> Douglas Stebila <stebila@qut.edu.au>; writes:
>
>> There are other reasons to support curve25519, including efficiency
>> and resistance to side-channel attacks because constant-time
>> implementations.
>
> I agree.  To be able to move forward with standardization of the idea,
> an Internet Draft may help.  I have create one:
>
> http://www.ietf.org/id/draft-josefsson-tls-curve25519-00.txt
>
> Feedback most welcome!

Simon, thanks for creating this draft.

draft-merkle-tls-brainpool-04 (on which you've based this new draft) says:
    "While the ASN.1 object identifiers
    defined in [RFC5639] already allow usage of the ECC Brainpool curves
    for TLS (client or server) authentication through reference in X.509
    certificates according to [RFC3279] and [RFC5480] , their negotiation
    for key exchange according to [RFC4492] requires the definition and
    assignment of additional NamedCurve IDs."

Your draft defines a NamedCurve ID for Curve25519, thereby enabling it 
to be used for key exchange.  But what about "(client or server) 
authentication through reference in X.509 certificates..."?

I'm not aware of an equivalent of RFC5639 for Curve25519.  Should we 
create one?  Or could we simply define some new ASN.1 Object Identifiers 
in your draft?

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online