Re: [TLS] Require deterministic ECDSA

Michael StJohns <msj@nthpermutation.com> Sun, 24 January 2016 00:47 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/7rgp4YcADI6D3BcbUhgID6f9yfQ>

On 1/23/2016 2:13 PM, Joseph Birr-Pixton wrote:
> Hi,
>
> I'd like to propose that TLS1.3 mandates RFC6979 deterministic ECDSA.
>
> For discussion, here's a pull request with possible language:
>
> https://github.com/tlswg/tls13-spec/pull/406
>
> Cheers,
> Joe

Correct me if I'm wrong but:

1) A receiver of a deterministic ECDSA signature verifies it EXACTLY
like they would a non-deterministic signature.
2) A receiver of an ECDSA signature cannot determine whether or not the
signer did a deterministic signature.
3) A TLS implementation has no way (absent repeating signatures over
identical data) of telling whether or not a given signature using the
client or server private key is deterministic.

All that suggests that this is a completely unenforceable requirement
with respect to TLS.

The above is a long way of saying that this is a WG overreach on 
internal security module behavior that is not central, cognizable or 
identifiable to a TLS implementation.

I'd instead recommend you approach the CFRG and offer an internet draft
with a target of BCP on the general topic of ECDSA rather than specific
guidance for TLS.

Mike