Re: [TLS] Should we require compressed points
Watson Ladd <watsonbladd@gmail.com> Wed, 22 October 2014 16:11 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF4861AC417 for <tls@ietfa.amsl.com>; Wed, 22 Oct 2014 09:11:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id leSNu1T2dFgw for <tls@ietfa.amsl.com>; Wed, 22 Oct 2014 09:11:15 -0700 (PDT)
Received: from mail-yh0-x22a.google.com (mail-yh0-x22a.google.com [IPv6:2607:f8b0:4002:c01::22a]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 365261ACD6B for <tls@ietf.org>; Wed, 22 Oct 2014 09:11:14 -0700 (PDT)
Received: by mail-yh0-f42.google.com with SMTP id t59so3736241yho.15 for <tls@ietf.org>; Wed, 22 Oct 2014 09:11:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=vtGfj0L+S7RSLZOFokJmfq/3SSJ0ESSk+8Z4QAzc+4U=; b=yokxlm4FSxYgmDKDAkviwIwMGqXy5uLTSFsXtdiBPjDDlWRl8CJofKK6GQRElBZoyD cltmmRnMqgHi83XujACW1A+clXvOh550Q78ji5x1/IDfl4uDQXsywOPeHYpUQ7fem4rR 9/9HZYU3mcwzzXJKEeJwz+090IhC11KKrYdnjxmtGDyFsWNt2DUJeMSPnS5osKAT00X1 05Df72SFWKO4y9L3iBX1FDDtls1MXbrJZjTevnzI0dlT7EKYTPIJY7usitQjzhGjDTO4 hIdyV7uxBIjkr5YAjvtNfiFzMK/40ox+hB2POi6nukJnzn/lf7Qu+Zha2RiNtX4hNpXq MFgQ==
MIME-Version: 1.0
X-Received: by 10.236.22.37 with SMTP id s25mr5181700yhs.138.1413994270742; Wed, 22 Oct 2014 09:11:10 -0700 (PDT)
Received: by 10.170.195.149 with HTTP; Wed, 22 Oct 2014 09:11:10 -0700 (PDT)
Received: by 10.170.195.149 with HTTP; Wed, 22 Oct 2014 09:11:10 -0700 (PDT)
In-Reply-To: <544677AE.4000005@nthpermutation.com>
References: <CABcZeBMqdwWTFxGAqaC9PqhzbgZM5yOf2TTq7pVCjyw_X+3Zkg@mail.gmail.com> <544677AE.4000005@nthpermutation.com>
Date: Wed, 22 Oct 2014 09:11:10 -0700
Message-ID: <CACsn0cnbgHbkdpcoUYfrkzCWkB-XS6ZFD7F96bWHsU+tiLRCGg@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Michael StJohns <msj@nthpermutation.com>
Content-Type: multipart/alternative; boundary="e89a8f642b4638e1a905060532e2"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/92PZcsSywvrnJzkZ5Xe31Mkrcdg
Cc: tls@ietf.org
Subject: Re: [TLS] Should we require compressed points
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Oct 2014 16:11:21 -0000
On Tue, Oct 21, 2014 at 8:11 AM, Michael StJohns <msj@nthpermutation.com> wrote: > On 10/21/2014 10:52 AM, Eric Rescorla wrote: > > https://github.com/tlswg/tls13-spec/issues/80 > > Today we discussed the possibility of requiring support for compressed > points > in TLS 1.3 now that the IPR has expired. > > Specifically, I propose that for TLS 1.3, we: > > - Use only compressed points for the existing curves (and presumably > whatever superior format is defined for the CFRG-recommended > curves, as appropriate). > > - Deprecate the Supported Point Formats extension for TLS 1.3 > > > I'm pretty much opposed to the former and I guess by extension the latter. > > There's a very large body of code that doesn't support anything except type > 0x04(uncompressed) X9.63 point encodings. If you want to add support for > compressed points (or hybrid compressed), I don't think that's necessarily a > bad idea, but not at the expense of removing support for uncompressed > points. If you wanted to remove the supported point format extension, I > guess you could mandate support for both compressed and uncompressed (and > hybrid?). There is a large body of code that doesn't support TLS 1.3 as well. > > As a second item, I would estimate the chance we're going to see compressed > points in X509 certificates as a regular thing prior to about 10 years from > now as very small, meaning that any general transition to EC based suites is > going to require uncompressed point support. Yes, but uncompressed points are not a security concern in X509, but they are in ECDH. Furthermore, the cost of adding compression support is very small: it's a square root, a check, and potentially flipping the sign. The benefit is that invalid point attacks are much harder to carry out. > > Lastly, while the base IPR for point compression seems to be no longer of > concern, I've still been told to avoid it for a few more years due to > implementation patents related to compression. I'm not sure how worrisome > that is, but its one of the reasons that binary curves aren't in broader use > still. > > Just my $.02 > > Mike > > > > For RFC 4492-bis, we might also consider requiring support for compressed > points as well as uncompressed (already required) but this seems like a > separable issue, since it's mostly in service of optimization rather than > simplicity. > > What do people think? > -Ekr > > > > > > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > -- "Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither Liberty nor Safety." -- Benjamin Franklin
- [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Hubert Kario
- Re: [TLS] Should we require compressed points Martin Thomson
- Re: [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Michael StJohns
- Re: [TLS] Should we require compressed points Michael StJohns
- Re: [TLS] Should we require compressed points Yoav Nir
- Re: [TLS] Should we require compressed points Ilari Liusvaara
- Re: [TLS] Should we require compressed points Dan Harkins
- Re: [TLS] Should we require compressed points Michael StJohns
- Re: [TLS] Should we require compressed points Watson Ladd
- Re: [TLS] Should we require compressed points Rene Struik
- Re: [TLS] Should we require compressed points Andrei Popov
- Re: [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Martin Thomson
- Re: [TLS] Should we require compressed points Watson Ladd
- Re: [TLS] Should we require compressed points Andrei Popov
- Re: [TLS] Should we require compressed points Rene Struik
- Re: [TLS] Should we require compressed points Jeffrey Walton
- Re: [TLS] Should we require compressed points Peter Gutmann
- Re: [TLS] Should we require compressed points Peter Gutmann
- Re: [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Martin Thomson
- Re: [TLS] Should we require compressed points Watson Ladd
- Re: [TLS] Should we require compressed points Michael StJohns
- Re: [TLS] Should we require compressed points Manuel Pégourié-Gonnard
- Re: [TLS] Should we require compressed points Bodo Moeller
- Re: [TLS] Should we require compressed points Viktor Dukhovni
- Re: [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Ilari Liusvaara
- Re: [TLS] Should we require compressed points Manuel Pégourié-Gonnard
- Re: [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Ilari Liusvaara
- Re: [TLS] Should we require compressed points Manuel Pégourié-Gonnard
- Re: [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Michael StJohns
- Re: [TLS] Should we require compressed points Manuel Pégourié-Gonnard
- Re: [TLS] Should we require compressed points Michael StJohns