Re: [TLS] Additional Elliptic Curves (Curve25519 etc) for TLS ECDH key agreement

Eric Rescorla <ekr@rtfm.com> Sat, 11 January 2014 20:41 UTC

On Sat, Jan 11, 2014 at 12:00 PM, Matt Caswell <frodo@baggins.org> wrote:
> On 11 January 2014 19:51, Eric Rescorla <ekr@rtfm.com> wrote:
>> On Sat, Jan 11, 2014 at 8:32 AM, Simon Josefsson <simon@josefsson.org> wrote:
>>> 1) Do we need all these curves defined for TLS?  What is the selection
>>>    criteria for including/excluding some of the curves?  Is that a TLS
>>>    process, or a CFRG process?
>>
>> Speaking as chair:
>>
>> The TLS WG is not chartered (or qualified) to assess curves. What I
>> believe is needed is for the IETF (whether directly or through the
>> CFRG) to come to consensus on what curves we believe our
>> protocols should support and then we can adopt them across
>> the relevant security WGs, doing whatever protocol-specific
>> work is required then.
>>
>> I've spoken with our AD about this a little bit, but as far as I know
>> such an effort hasn't actually been started. Perhaps this is a topic
>> for SAAG?
>
> Isn't that exactly what Watson Ladd's draft is?

Perhaps. That's not quite clear to me from the draft, and for
instance the title is "Additional Elliptic Curves for IETF protocols"
and the contents seem to be, as promised, additional curves.
The mailing list discussion seems consistent with that.

What I believe is actually needed is not just definitions of new
curves but a harmonized set of recommendations about which
curves IETF should or should not use, which we can then use
as a guide to protocol adoption and recommendation (see
for instance http://tools.ietf.org/html/draft-sheffer-tls-bcp-01#section-4.1).

Perhaps that's the endpoint of the CFRG discussion of draft-ladd,
but just based on what I've seen so far it seems like a bigger
discussion. I suspect the CFRG has a role to play here, but
probably this is an IETF security area question as well. That's
why I suggested this would be a good question for SAAG.

-Ekr