Re: [TLS] Call for WG adoption draft-josefsson-tls-curve25519

Yoav Nir <ynir.ietf@gmail.com> Sat, 30 May 2015 08:23 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D1951A010C for <tls@ietfa.amsl.com>; Sat, 30 May 2015 01:23:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Level:
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, J_CHICKENPOX_35=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id koLPZaq3iV6f for <tls@ietfa.amsl.com>; Sat, 30 May 2015 01:23:47 -0700 (PDT)
Received: from mail-wi0-x233.google.com (mail-wi0-x233.google.com [IPv6:2a00:1450:400c:c05::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2A0641A0111 for <tls@ietf.org>; Sat, 30 May 2015 01:23:47 -0700 (PDT)
Received: by wizo1 with SMTP id o1so48927740wiz.1 for <tls@ietf.org>; Sat, 30 May 2015 01:23:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=X7kUn5E8BirRNnBZtP10qjj8bid82brdAtoc1s/mlpo=; b=kfkizy80J0Dr8jVOv5JP6NHJ7g/BQQ4rFY7YL00FfNC1BdqwyYvQnVQMy3FRfHdoCV Eob9qddBrI74bpnM58RuNPMHwHSL4eYL1lVhcHPdDXpBTRO4bRTX1uEWxezPKm55kslR IMUAkK8dkBMiBOFs1rs05W/NxjrSBflrBR1MDV1jf5+aDRoQKrrrslBpzIDBFWp4r7Os 4f6KvOFTLwG0XUAYtKKd8Vq5wgm5YYirj2MnYtCcqQYi4Hgmd3DHQ2EJk/dje50H35++ dePhHl6HTXPETCAtUv8TcN1RcG92uIQe5cxc8qcH3gg/F4eJlwW4MO6W8M+DHBJK1z2f zlog==
X-Received: by 10.194.58.11 with SMTP id m11mr23074964wjq.92.1432974225924; Sat, 30 May 2015 01:23:45 -0700 (PDT)
Received: from [192.168.1.17] ([46.120.13.132]) by mx.google.com with ESMTPSA id f6sm11773126wjq.31.2015.05.30.01.23.44 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sat, 30 May 2015 01:23:44 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <87y4k7w11x.fsf@latte.josefsson.org>
Date: Sat, 30 May 2015 11:23:43 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <4BDD2EAD-C883-4F37-95AF-6857181898A2@gmail.com>
References: <CAOgPGoBB7tX58DdXCJDB9Qa_9jSbZ4Ks_zO20ni4m3EOOTR6jg@mail.gmail.com> <CABcZeBNUh4RfiXGYppiX=FkpQVtvZBBp41e6Kc7_Mp905whS5g@mail.gmail.com> <BF6FA7C6-D357-45B0-B16B-40D01448F09A@gmail.com> <87y4k7w11x.fsf@latte.josefsson.org>
To: Simon Josefsson <simon@josefsson.org>
X-Mailer: Apple Mail (2.2098)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/8Hwz892klvoUenTWewcVtVGz_OI>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Call for WG adoption draft-josefsson-tls-curve25519
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 30 May 2015 08:23:48 -0000

> On May 30, 2015, at 12:01 AM, Simon Josefsson <simon@josefsson.org> wrote:
> 
> Yoav Nir <ynir.ietf@gmail.com> writes:
> 
>> Me too.
>> 
>> I notice that while the draft doesn’t say that explicitly, it uses
>> existing *_ECDHE_* ciphersuites, so that no new ciphersuites are
>> required, despite the fact that this ECDHE has different point formats
>> and different back-end math than the existing ECDHE.  I wonder if we
>> can also get away with using *ECDSA* ciphersuites for EdDSA
>> signatures.
> 
> This is an interesting idea, thanks for mentioning that.  It would ugly
> for "ECDSA" in a cipher suite name to not actually mean that ECDSA is
> used, but it is a valid engineering tradeoff to sometimes prefer ugly
> things that simplify over beautiful things that complicate.

It’s based on Elliptic Curves; it’s a Digital Signature; it’s an Algorithm. The “ECDSA” label seems to still fit.

If we wanted to be really radical while losing backward compatibility, we could call the ciphersuite SIG_with_DHE, and use point formats for supporting RSA, DSA, ECDSA and EdDSA for signatures and DHE,ECDHE and Curve25519 for key agreement.

But since we do want backward compatibility, I think lumping all kinds of elliptic curve ephemeral D-H on “_ECDHE_” and all kinds of elliptic curve signatures on “_ECDSA_” is fine, even though ANSI X9.62 has labeled only the particular signature scheme used with P-256 as “ECDSA”.

Yoav