Re: [TLS] Strawman on EdDSA/Ed25519 in TLS

Simon Josefsson <simon@josefsson.org> Sat, 27 June 2015 18:05 UTC

Return-Path: <simon@josefsson.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5161F1A1BAC for <tls@ietfa.amsl.com>; Sat, 27 Jun 2015 11:05:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.151
X-Spam-Level:
X-Spam-Status: No, score=-0.151 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, HELO_EQ_SE=0.35, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3CQXWfat7wZY for <tls@ietfa.amsl.com>; Sat, 27 Jun 2015 11:05:13 -0700 (PDT)
Received: from duva.sjd.se (duva.sjd.se [IPv6:2001:9b0:1:1702::100]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2130E1A1BA5 for <tls@ietf.org>; Sat, 27 Jun 2015 11:05:12 -0700 (PDT)
Received: from latte.josefsson.org ([155.4.17.3]) (authenticated bits=0) by duva.sjd.se (8.14.4/8.14.4/Debian-4) with ESMTP id t5RI4p82006480 (version=TLSv1/SSLv3 cipher=AES128-GCM-SHA256 bits=128 verify=NOT); Sat, 27 Jun 2015 20:04:53 +0200
From: Simon Josefsson <simon@josefsson.org>
To: Rick Andrews <Rick_Andrews@symantec.com>
References: <544B0DD62A64C1448B2DA253C011414615B1DD55AC@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM>
OpenPGP: id=54265E8C; url=http://josefsson.org/54265e8c.txt
X-Hashcash: 1:22:150627:rick_andrews@symantec.com::p4YwQ49194bQvjzL:EmpB
X-Hashcash: 1:22:150627:tls@ietf.org::2mzCHX7hRXn2vTlY:0Y7IN
Date: Sat, 27 Jun 2015 20:04:50 +0200
In-Reply-To: <544B0DD62A64C1448B2DA253C011414615B1DD55AC@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> (Rick Andrews's message of "Tue, 23 Jun 2015 04:41:48 -0700")
Message-ID: <87zj3lauyl.fsf@latte.josefsson.org>
User-Agent: Gnus/5.130014 (Ma Gnus v0.14) Emacs/24.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
X-Virus-Scanned: clamav-milter 0.98.7 at duva.sjd.se
X-Virus-Status: Clean
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/EIyqlGkUelUSpQJa3xo9LQ6eJxk>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Strawman on EdDSA/Ed25519 in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 27 Jun 2015 18:05:15 -0000

Hi Rick -- thank you for the offer!  Would you please allocate a range
of OIDs for EdDSA-based signatures?  I suggest:

1.3.101.1     EdDSA Ed25519 PKIX public keys
1.3.101.2     EdDSA Ed25519 PKIX signatures
1.3.101.3     EdDSA Ed448 PKIX public keys
1.3.101.4     EdDSA Ed448 PKIX signatures
1.3.101.5     EdDSA Curve41417 PKIX public keys
1.3.101.6     EdDSA Curve41417 PKIX signatures
1.3.101.7-16  <<Reserved for EdDSA with other TBD curves>>

I can update draft-josefsson-pkix-eddsa-01 once you confirm.

If you don't want to start at .1 for historic or other reasons, we can
start at a higher number.  But please keep the number low so it won't
increase the DER encoded size of the OID.

Btw, there is still some possibility of reaching even shorter OID size
by allocating from the 0.0-0.39 range, as suggested by Rob Stradling.  I
think we are approaching the point of diminishing returns now though.

/Simon

Rick Andrews <Rick_Andrews@symantec.com> writes:

> Symantec owns Thawte which owns 1.3.101. We're happy to donate a reasonable
> number of OIDs under this arc for your purposes. Please let me know if you'd
> like to take us up on the offer. Thanks to Rob Stradling for bringing this
> to my attention.
>
> -Rick
>
> -----Original Message-----
> Date: Thu, 21 May 2015 19:42:53 -0700
> From: Peter Bowen <pzbowen@gmail.com>
> To: Nico Williams <nico@cryptonector.com>
> Cc: Simon Josefsson <simon@josefsson.org>, "tls@ietf.org"
> 	<tls@ietf.org>
> Subject: Re: [TLS] Strawman on EdDSA/Ed25519 in TLS
> Message-ID:
> 	<CAK6vND8uKT9AamW6d43CM3FipGqkCnp6x0=HESUUTpdHdzaSLg@mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> On Wed, May 20, 2015 at 12:07 PM, Nico Williams <nico@cryptonector.com>
> wrote:
>> On Wed, May 20, 2015 at 07:14:47PM +0200, Simon Josefsson wrote:
>>> Support for EdDSA/Ed25519 in TLS has been suggested a couple of times.
>>
>> I'm in favor.
>>
>>> One aspect I'm aware of is that there is no OID allocated nor 
>>> specification of PKIX certificates with EdDSA/Ed25519 public keys.  
>>> I'm not sure the above document is the right place for doing that 
>>> though, and more thinking around this topic is especially appreciated.
>>
>> It's an OID.  You can get your own OID arc and then allocate an OID.
>>
>> Is it important to separate the addition of a PKIX algorithm OID from 
>> the TLS bits?  Well, it is neater that way.
>
> I'll donate a short OID to the cause if that will help move things forward.
> We have the 1.3.187 arc which is only three bytes DER.  If someone has a
> smaller arc (third node would be 127 or lower) and would offer an OID from
> their arc we can shave off another couple of bytes.
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>