Re: [TLS] Curve25519 in TLS

Rob Stradling <rob.stradling@comodo.com> Fri, 13 September 2013 22:37 UTC

Return-Path: <rob.stradling@comodo.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6BABC11E81B4 for <tls@ietfa.amsl.com>; Fri, 13 Sep 2013 15:37:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iW0Oc9tXg5rc for <tls@ietfa.amsl.com>; Fri, 13 Sep 2013 15:37:40 -0700 (PDT)
Received: from mmmail1.mcr.colo.comodoca.net (mdfw.comodoca.net [91.209.196.68]) by ietfa.amsl.com (Postfix) with ESMTP id 7C1D211E81A0 for <tls@ietf.org>; Fri, 13 Sep 2013 15:37:39 -0700 (PDT)
Received: (qmail 11431 invoked from network); 13 Sep 2013 22:37:36 -0000
Received: from ian.brad.office.comodo.net (192.168.0.202) by mail.colo.comodoca.net with ESMTPS (DHE-RSA-AES256-SHA encrypted); 13 Sep 2013 22:37:36 -0000
Received: (qmail 1292 invoked by uid 1000); 13 Sep 2013 22:37:36 -0000
Received: from nigel.brad.office.comodo.net (HELO [192.168.0.58]) (192.168.0.58) (smtp-auth username rob, mechanism plain) by ian.brad.office.comodo.net (qpsmtpd/0.40) with (CAMELLIA256-SHA encrypted) ESMTPSA; Fri, 13 Sep 2013 23:37:36 +0100
Message-ID: <523393B0.40508@comodo.com>
Date: Fri, 13 Sep 2013 23:37:36 +0100
From: Rob Stradling <rob.stradling@comodo.com>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
MIME-Version: 1.0
To: Yoav Nir <ynir@checkpoint.com>
References: <a84d7bc61003011620i66fc7dfdre62b548fdd5ef7dd@mail.gmail.com> <522D25B9.7010506@funwithsoftware.org> <56C25B1D-C80F-495A-806C-5DD268731CD4@qut.edu.au> <87zjrl21wp.fsf_-_@latte.josefsson.org> <522ED9A7.7080802@comodo.com> <87fvtbi8ow.fsf@latte.josefsson.org> <5231B8ED.7040301@comodo.com> <9330004B-0BC3-4EDB-91EE-5BA14A4A6CEF@checkpoint.com> <52321039.9060503@comodo.com> <5050f932-9321-449a-be2d-0ad8b667f2f2@email.android.com> <52322AA3.4080503@comodo.com> <CAK3OfOjUor1-_wv3g9_f0YO4Qtufsz1C7z18KRhpFckcdbjXgw@mail.gmail.com> <5232DA89.8090000@comodo.com> <9DCF45B3-84DA-4228-8752-3EA8761B4BDE@checkpoint.com>
In-Reply-To: <9DCF45B3-84DA-4228-8752-3EA8761B4BDE@checkpoint.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: Patrick Pelletier <code@funwithsoftware.org>, "tls@ietf.org" <tls@ietf.org>, Simon Josefsson <simon@josefsson.org>
Subject: Re: [TLS] Curve25519 in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Sep 2013 22:37:51 -0000

On 13/09/13 15:10, Yoav Nir wrote:
>
> On Sep 13, 2013, at 12:27 PM, Rob Stradling <rob.stradling@comodo.com>; wrote:
>
>> On 12/09/13 22:12, Nico Williams wrote:
>> <snip>
>>> Of course, in practice it's much easier to deploy new ECDH curves for
>>> key agreement than new signature algorithms because the former are
>>> easily negotiated in actual protocols, while the latter are less so.
>>
>> Disagree, I think.  Doesn't the "Supported Elliptic Curves Extension" make it easy enough for TLS?
>
> No, because the key that I use is the private key that matches the public key in the certificate I got from some vendor. If I got a certificate with the NIST P-256 curve, I can't use the Curve25519 signatures. I can only use the NIST P-256 curve, because that is what is in my certificate. For ECDHE I can support multiple curves.

Sure.

> This also affects the CAs. They can't deploy certificates with Curve25519 unless all browsers support those curves,

Disagree.  If only one browser signals support for the Curve25519 
NamedCurve in the "Supported Elliptic Curves Extension", then (suitably 
enhanced) servers could send Curve25519/Ed25519 certs to this browser 
and RSA/DSA/P-256/whatever certs to other browsers.

> so in reality, only the NIST curves are currently viable for signatures.

Agreed, but I'm thinking about the future.

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online