[TLS] Is Ed25519/Ed448 ok for use in DTLS1.2?

Matt Caswell <matt@openssl.org> Mon, 18 November 2019 16:50 UTC

Return-Path: <matt@openssl.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 6E31912097F for <tls@ietfa.amsl.com>; Mon, 18 Nov 2019 08:50:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id TyqYxz8-l0pg for <tls@ietfa.amsl.com>; Mon, 18 Nov 2019 08:50:08 -0800 (PST)
Received: from mta.openssl.org (opentls.org []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 58E8E12013A for <tls@ietf.org>; Mon, 18 Nov 2019 08:50:07 -0800 (PST)
Received: from [IPv6:2a00:23c6:2d80:b900:45b7:ac50:a4f0:46bd] (unknown [IPv6:2a00:23c6:2d80:b900:45b7:ac50:a4f0:46bd]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mta.openssl.org (Postfix) with ESMTPSA id BFF91E4F09 for <tls@ietf.org>; Mon, 18 Nov 2019 16:50:04 +0000 (UTC)
To: tls@ietf.org
From: Matt Caswell <matt@openssl.org>
Message-ID: <fbd7b2cc-5cfc-3b30-270f-2ae312daa0d6@openssl.org>
Date: Mon, 18 Nov 2019 16:50:03 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.1.2
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/CaXLm2nQn0XXQZZc61q-scVkduY>
Subject: [TLS] Is Ed25519/Ed448 ok for use in DTLS1.2?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Nov 2019 16:50:10 -0000

RFC8422 specifies the usage of Ed25519 and Ed448 in TLSv1.2. However
there is barely any mention of DTLS. There is one reference which says this:

"IANA has assigned one value from the "TLS HashAlgorithm" registry for
Intrinsic (8) with DTLS-OK set to true (Y) and this document as
reference.  This keeps compatibility with TLS 1.3."

That's in reference to the IANA TLS HashAlgorithm registry. But for the
TLS SignatureAlgorithm registry it says this:

"IANA has assigned two values in the "TLS SignatureAlgorithm" registry
for ed25519 (7) and ed448 (8) with this document as reference.  This
keeps compatibility with TLS 1.3."

This is in the paragraph before the other one, and there is no reference
to ed25519/ed448 being "ok" for DTLS, and in fact there is no mention of
DTLS anywhere else in this RFC.

However the IANA TLS SignatureAlgorithm registry lists ed25519/ed448 as
"ok" for DTLS and cites RFC8422 as a reference:


Is this an error in the IANA registry? Or is this an error in the RFC?
Or is there some other RFC somewhere that specifies ed25519/ed448 usage
in DTLS?

I looked to see if there were any errata for RFC8422, but nothing looked