Re: [TLS] Straw poll on draft-ietf-tls-ecc-*
Vipul Gupta <Vipul.Gupta@Sun.COM> Thu, 30 September 2004 14:50 UTC
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA27606; Thu, 30 Sep 2004 10:50:11 -0400 (EDT)
Received: from megatron.ietf.org ([132.151.6.71]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1CD2OL-0001WI-Dl; Thu, 30 Sep 2004 10:58:46 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1CD29N-0002El-UX; Thu, 30 Sep 2004 10:43:17 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1CCtAK-0007Sa-RX for tls@megatron.ietf.org; Thu, 30 Sep 2004 01:07:40 -0400
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id BAA25512 for <tls@ietf.org>; Thu, 30 Sep 2004 01:07:39 -0400 (EDT)
Received: from brmea-mail-3.sun.com ([192.18.98.34]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1CCtIU-0004jh-Bz for tls@ietf.org; Thu, 30 Sep 2004 01:16:08 -0400
Received: from esunmail ([129.147.156.34]) by brmea-mail-3.sun.com (8.12.10/8.12.9) with ESMTP id i8U57bil022358 for <tls@ietf.org>; Wed, 29 Sep 2004 23:07:37 -0600 (MDT)
Received: from fe7 (esunmail [129.147.156.34]) by edgemail1.Central.Sun.COM (iPlanet Messaging Server 5.2 HotFix 1.21 (built Sep 8 2003)) with ESMTP id <0I4U00EMC8WO41@edgemail1.Central.Sun.COM> for tls@ietf.org; Wed, 29 Sep 2004 23:07:37 -0600 (MDT)
Received: from [192.168.1.100] ([67.121.169.113]) by mail.sun.net (iPlanet Messaging Server 5.2 HotFix 1.21 (built Sep 8 2003)) with ESMTPSA id <0I4U00KI78UV3Q@mail.sun.net> for tls@ietf.org; Wed, 29 Sep 2004 23:07:36 -0600 (MDT)
Date: Wed, 29 Sep 2004 22:06:25 -0700
From: Vipul Gupta <Vipul.Gupta@Sun.COM>
Subject: Re: [TLS] Straw poll on draft-ietf-tls-ecc-*
In-reply-to: <415B67B0.80500@eecs.berkeley.edu>
To: tls@ietf.org
Message-id: <7A8A2145-129E-11D9-AE6D-000393BA4712@sun.com>
MIME-version: 1.0
X-Mailer: Apple Mail (2.619)
Content-type: text/plain; charset="US-ASCII"; format="flowed"
Content-transfer-encoding: 7bit
References: <20040928231022.9FCD1717F@sierra.rtfm.com> <415B67B0.80500@eecs.berkeley.edu>
X-Spam-Score: 0.1 (/)
X-Scan-Signature: 67c1ea29f88502ef6a32ccec927970f0
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Thu, 30 Sep 2004 10:43:13 -0400
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Sender: tls-bounces@ietf.org
Errors-To: tls-bounces@ietf.org
X-Spam-Score: 0.1 (/)
X-Scan-Signature: 2086112c730e13d5955355df27e3074b
Content-Transfer-Encoding: 7bit
I, too, vote for option A (advance to proposed standard). vipul On Sep 29, 2004, at 6:56 PM, Bodo Moeller wrote: > Eric Rescorla wrote: > >> This is a Straw Poll in the fate of draft-ietf-tls-ecc-*. > [...] >> This Straw Poll will run for the next week (through Tuesday >> October 5th.) Please register your opinion by then, either >> to me or to the list. > > I vote for option A ("Advance draft-ietf-tls-ecc-* to Proposed > Standard"). > > My reasons include: > > * IPR: > > I don't buy the claim "Clearly, ECC is a patent minefield" > made in <20040928230824.D41B1717F@sierra.rtfm.com> > (http://www.imc.org/ietf-tls/mail-archive/msg04342.html). > > I am, of course, well aware of the wide-spread *perception* > that ECC was a patent minefield. But clearly, there is a lot of > prior art preceding any known ECC patents; I cited some of it in > <4133DE21.7060306@eecs.berkeley.edu> > (http://www.imc.org/ietf-tls/mail-archive/msg04309.html). > There are actually no more patent issues to worry about for elliptic > curves with ECDH or ECDSA than for conventional DH and DSA, > unless you are specifically using certain new patented techniques > (which often involve special classes of curves that you wouldn't > normally run into unless you are determined to). > > > Some think that the S/MIME ECC RFC 3278, "Use of Elliptic Curve > Cryptography (ECC) Algorithms in Cryptographic Message Syntax (CMS)" > (April 2002), which is Informational, sets an example that the TLS > ECC > RFC should follow. But actually RFC 3278 uses the MQV protocol which > is clearly patented, whether with or without elliptic curves; > so I acknowledge that there was a good reason to make RFC 3278 > Informational for IPR reasons. This reason does not affect the > current TLS ECC draft: draft-ietf-tls-ecc-06.txt does not use > MQV (early revisions did, but the specification has since been > changed so that it avoids this patent-encumbered technique). > > > There's one thing specified in draft-ietf-tls-ecc-06.txt that > requires a patented technique: The draft specifies the use > of point compression, as a "MAY". Uncompressed points are the > default and a "MUST" (TLS extensions are used to negotiate > whether point compression is permissible, so support of point > compression cannot affect interoperability, just efficiency). > Point compression is affected by patents just in the case of curves > over characteristic-2 fields; there's no problem for prime fields. > > > * Technical: > > One of the advantages of elliptic curve cryptography is that > its expected security is better than that of RSA or conventional DH. > This is a somewhat fuzzy statement; more precisely, we know that > attacks against RSA and DH have subexponential complexity, while > attacking ECC requires exponential time (around 2^k steps for > ECC over (2k)-bit fields). If 1024-bit RSA remains secure in > practice, this is not much to worry about; but we cannot be sure > of this (for example, Dan Bernstein is working on efficient > factorization circuits, see http://cr.yp.to/talks/2004myths2.pdf > and elsewhere; he is going to announce results in February 2005 > at the SHARCS conference). Increasing keylengths to improve > security has a more noticeable effect on performance for RSA and > DH than for ECC (with its exponential complexity of known > attacks). > > Currently (i.e. in the light of just those attacks that are already > known to be practical), there's a performance argument in favor of > ECC > in particular if you want forward secrecy: To create symmetric keys > that cannot be recovered by someone who obtains a warrant or just > breaks in without asking anyone first to obtain your long-time server > key, TLS can used either Diffie-Hellman (with the ciphersuites > specified in RFC 2246 and the rfc2246-bis draft) or elliptic curve > Diffie-Hellman (ECDH, with the ciphersuites specified in the the TLS > ECC draft). Depending on the nature of the content that you are > protecting with TLS, forward secrecy may not matter; in particular, > it > is a waste of time if you are using TLS mainly for authentication and > don't worry about the possibility that someone might be able to > decrypt the TLS sessions after the fact. But when forward secrecy is > desired, having ECDH available certainly is a plus. > > And of course, there's the potential possibility that RSA might turn > out to be insecure when new attacks are discovered. In this case > it is good to have an alternative ready to switch to. I am too > optimistic to really worry about this, so I am mostly listing this > additional argument for completeness. > > > It should be noted that ECC support for TLS has been available in open > source software implementations for a while (since 2002): both > mozilla.org and OpenSSL have it in appropriate revisions. So when > we are discussing the TLS ECC draft, we are not talking about vaporware > or about a specification that would only be used by rare commercial > products. This is something that would be available for everyone to > use without much of a hassle. (You just wouldn't get point compression > for characteristic-2 fields unless you license the appropriate patent, > but that's a small loss.) > > > > > _______________________________________________ > TLS mailing list > TLS@lists.ietf.org > https://www1.ietf.org/mailman/listinfo/tls _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- [TLS] Straw poll on draft-ietf-tls-ecc-* Eric Rescorla
- Re: [TLS] Straw poll on draft-ietf-tls-ecc-* Bodo Moeller
- Re: [TLS] Straw poll on draft-ietf-tls-ecc-* Vipul Gupta
- RE: [TLS] Straw poll on draft-ietf-tls-ecc-* Pasi.Eronen
- Re: [TLS] Straw poll on draft-ietf-tls-ecc-* Hovav Shacham
- Re: [TLS] Straw poll on draft-ietf-tls-ecc-* Bodo Moeller
- Re: [TLS] Straw poll on draft-ietf-tls-ecc-* Tim Dierks
- Re: [TLS] Straw poll on draft-ietf-tls-ecc-* Bodo Moeller
- Re: [TLS] Straw poll on draft-ietf-tls-ecc-* Tim Dierks
- [TLS] NIST recommendations for TLS Anton Stiglic
- Re: [TLS] Straw poll on draft-ietf-tls-ecc-* Bodo Moeller