IETF Logo Mail Archive

Re: [TLS] Should we require compressed points

Eric Rescorla <ekr@rtfm.com> Wed, 22 October 2014 18:26 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C84EA1ACC86 for <tls@ietfa.amsl.com>; Wed, 22 Oct 2014 11:26:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Yfqa3ATMK0Bg for <tls@ietfa.amsl.com>; Wed, 22 Oct 2014 11:26:57 -0700 (PDT)
Received: from mail-wi0-f179.google.com (mail-wi0-f179.google.com [209.85.212.179]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DEFEF1ACCEE for <tls@ietf.org>; Wed, 22 Oct 2014 11:26:56 -0700 (PDT)
Received: by mail-wi0-f179.google.com with SMTP id d1so2160151wiv.12 for <tls@ietf.org>; Wed, 22 Oct 2014 11:26:55 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=LlHAUdIhvW2GXkjbTSNTTa1PdYoluiUQtLk7fOKJvX4=; b=YW24R76weUQf1DsO6juGzF5AsH0ZKEILLQ1IYivsRUZGlgcYaGrXDlqipRsDK5Q1dT R9Fyn/whI4uw1D8stPAxy6ID9QZXSvPt29YjCUq949pXRnkoxjIJUVf1bAgdzDBM6I6g G5tfoz+PUvEBdkAgiPA8blJkgo+TAynZ4D5zQ7FvrLGe88dHhwWL6iyORZmI7Qu21lOi 3t6TN5BqpAWZ7YmXUbiRE9dgbgvbuysT1wESFgFP0AYWeSLrK7FbxYmNnjeJicDH+PHn L+YpKp02Hw4plgKY6+5OER214Eo76R1mmKt26KACjeVsYxjFZDnv7uLKUo8mrQmdXcXm 4t3Q==
X-Gm-Message-State: ALoCoQkvee6/dTQ+2eM5tuRiw7sH2vosMLHWId4j5Eruoa505T8mKQyfzjupwWFiVpgXStVqOFqX
X-Received: by 10.194.242.4 with SMTP id wm4mr52105076wjc.61.1414002415537; Wed, 22 Oct 2014 11:26:55 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.216.49.198 with HTTP; Wed, 22 Oct 2014 11:26:15 -0700 (PDT)
In-Reply-To: <1799fe49d54b4d43acc26778b9265c8a@BL2PR03MB419.namprd03.prod.outlook.com>
References: <CABcZeBMqdwWTFxGAqaC9PqhzbgZM5yOf2TTq7pVCjyw_X+3Zkg@mail.gmail.com> <1799fe49d54b4d43acc26778b9265c8a@BL2PR03MB419.namprd03.prod.outlook.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 22 Oct 2014 20:26:15 +0200
Message-ID: <CABcZeBPuvAde9iJMHQV59J6-KJU=A2m9LzosmQWoCspmWeFiJg@mail.gmail.com>
To: Andrei Popov <Andrei.Popov@microsoft.com>
Content-Type: multipart/alternative; boundary="089e01419af6b0c5fe0506071717"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/IPiGNI2MVJFFT2Yp_BeumP-pZdc
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Should we require compressed points
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Oct 2014 18:26:59 -0000

On Wed, Oct 22, 2014 at 8:15 PM, Andrei Popov <Andrei.Popov@microsoft.com>
wrote:

>  A few considerations:
>
> -          The “IPR has expired” statement will require legal validation
> before an implementer can bake point compression into products;
>
> -          Fewer bytes on the wire/more CPU is a good tradeoff in some
> scenarios, but probably not in every scenario;
>
> -          Requiring support for point compression imposes additional
> (even if relatively minor, in the scale of things) cost for TLS1.3
> implementers.
>
>
>
> What are the reasons for getting rid of uncompressed points?
>
>
Really what I want is to get rid of point negotiation, because it's yet
another
point of complexity and it's not universally implemented anyway. Given that
people seem to think that compressed points are better, I figured that was
the way to go. If people prefer to just require uncompressed points (at
least for the existing X9.63 curves) I could certainly live with that.

-Ekr


>
>

>

>
 Cheers,
>
>
>
> Andrei
>
>
>
> *From:* TLS [mailto:tls-bounces@ietf.org] *On Behalf Of *Eric Rescorla
> *Sent:* Tuesday, October 21, 2014 7:52 AM
> *To:* tls@ietf.org
> *Subject:* [TLS] Should we require compressed points
>
>
>
> https://github.com/tlswg/tls13-spec/issues/80
>
>
>
> Today we discussed the possibility of requiring support for compressed
> points
>
> in TLS 1.3 now that the IPR has expired.
>
>
>
> Specifically, I propose that for TLS 1.3, we:
>
>
>
> - Use only compressed points for the existing curves (and presumably
>
>   whatever superior format is defined for the CFRG-recommended
>
>   curves, as appropriate).
>
>
>
> - Deprecate the Supported Point Formats extension for TLS 1.3
>
>
>
>
>
> For RFC 4492-bis, we might also consider requiring support for compressed
>
> points as well as uncompressed (already required) but this seems like a
>
> separable issue, since it's mostly in service of optimization rather than
>
> simplicity.
>
>
>
> What do people think?
>
> -Ekr
>
>
>
>
>
>
>
>
>
>
>

v2.23.0 | Report a Bug | By Email