Re: [TLS] Curve25519 in TLS

Yoav Nir <ynir@checkpoint.com> Fri, 13 September 2013 14:10 UTC

To: Rob Stradling <rob.stradling@comodo.com>
Cc: Patrick Pelletier <code@funwithsoftware.org>, "tls@ietf.org" <tls@ietf.org>, Simon Josefsson <simon@josefsson.org>

On Sep 13, 2013, at 12:27 PM, Rob Stradling <rob.stradling@comodo.com> wrote:

> On 12/09/13 22:12, Nico Williams wrote:
> <snip>
>> Of course, in practice it's much easier to deploy new ECDH curves for
>> key agreement than new signature algorithms because the former are
>> easily negotiated in actual protocols, while the latter are less so.
> 
> Disagree, I think.  Doesn't the "Supported Elliptic Curves Extension" make it easy enough for TLS?

No, because the key that I use is the private key that matches the public key in the certificate I got from some vendor. If I got a certificate with the NIST P-256 curve, I can't use the Curve25519 signatures. I can only use the NIST P-256 curve, because that is what is in my certificate. For ECDHE I can support multiple curves.

This also affects the CAs. They can't deploy certificates with Curve25519 unless all browsers support those curves, so in reality, only the NIST curves are currently viable for signatures.

Yoav
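
Added example, not part of the message above or of any TLS implementation: a small Python model of the asymmetry the message describes, where the server picks the ECDHE curve per handshake from the client's Supported Elliptic Curves extension while the certificate's curve is fixed and can only be checked against that list. Assumptions: the RFC 4492 rule that the certificate key's curve must be one the client offers, code point 29 (assigned to x25519 only later) standing in for Curve25519 as a hypothetical certificate curve, and constructed extension bytes rather than captured traffic.

```python
import struct

EXT_ELLIPTIC_CURVES = 10  # extension type of "Supported Elliptic Curves"
P256, P384, X25519 = 23, 24, 29  # NamedCurve ids; 29 was assigned to x25519 later


def parse_supported_curves(ext):
    """Parse one extension: type(2) length(2) list_length(2), then 2-byte curve ids."""
    if len(ext) < 6:
        raise ValueError("truncated extension")
    ext_type, ext_len, list_len = struct.unpack("!HHH", ext[:6])
    if ext_type != EXT_ELLIPTIC_CURVES:
        raise ValueError("not an elliptic_curves extension")
    if ext_len != len(ext) - 4 or list_len != ext_len - 2 or list_len % 2:
        raise ValueError("inconsistent lengths")
    return list(struct.unpack("!%dH" % (list_len // 2), ext[6:]))


def server_choices(client_curves, ecdhe_prefs, cert_curve):
    """Return (ecdhe_curve, cert_usable) for a server holding one ECDSA certificate.

    The ECDHE curve is the server's first preference that the client also offers.
    The signing key's curve was fixed when the CA issued the certificate, so the
    server cannot negotiate it; it can only check whether the client accepts it.
    """
    ecdhe = next((c for c in ecdhe_prefs if c in client_curves), None)
    return ecdhe, cert_curve in client_curves


# Constructed sample extensions (hypothetical clients, not captured traffic).
NEW_CLIENT = bytes.fromhex("000a00060004001d0017")  # offers 29 and P-256
OLD_CLIENT = bytes.fromhex("000a0006000400170018")  # offers P-256 and P-384


def demo():
    """Run both clients against a P-256 certificate and a hypothetical curve-29 one."""
    prefs = [X25519, P256]  # server's ECDHE preference order (assumed)
    results = {}
    for name, ext in (("new", NEW_CLIENT), ("old", OLD_CLIENT)):
        curves = parse_supported_curves(ext)
        for cert_curve in (P256, X25519):
            results[(name, cert_curve)] = server_choices(curves, prefs, cert_curve)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With the P-256 certificate both clients complete, each on the best ECDHE curve it offers; with the hypothetical curve-29 certificate the older client has no usable certificate even though ECDHE over P-256 would still have been available.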