Re: [TLS] Require deterministic ECDSA

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 25 January 2016 19:36 UTC

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Yoav Nir <ynir.ietf@gmail.com>, Rich Salz <rsalz@akamai.com>
In-Reply-To: <1D8D93F4-7A7C-4875-927E-21E19AB5F942@gmail.com>
References: <CACaGAp=-xJZN=L3av+DX_WQcki_k=L-_tc5dZnJNtM=M0W8MnQ@mail.gmail.com> <CAGwT64i5v+0xXLzQYFO5JVKs302x6BgZYN+ffYzMVesgbB9biA@mail.gmail.com> <962c1d946dba48bf95d22f0aa5f77c8f@ustx2ex-dag1mb1.msg.corp.akamai.com> <1D8D93F4-7A7C-4875-927E-21E19AB5F942@gmail.com>
Date: Mon, 25 Jan 2016 14:36:08 -0500
Message-ID: <87wpqxa1uf.fsf@alice.fifthhorseman.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/MJ8dvcO-PyLF2W8g2L7ig5uxPfY>
Cc: Jacob Maskiewicz <jmaskiew@eng.ucsd.edu>, Joseph Birr-Pixton <jpixton@gmail.com>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Require deterministic ECDSA

On Mon 2016-01-25 14:10:13 -0500, Yoav Nir wrote:
>> On 25 Jan 2016, at 5:08 PM, Salz, Rich <rsalz@akamai.com> wrote:
>> 
>>> But any system running a TLS stack is already going to have a high quality entropy source for client/server randoms and IVs and such
>> 
>> That's assuming a constraint that isn't accurate.
>
> Eh. Just s/is/should/

Remember that keys (whether in HSMs or not) can be moved between
implementations.  While it seems (hopefully) likely that most keys will
usually be used with a TLS stack with a high-quality entropy source,
it's also possible that the key gets used occasionally with some other,
less sophisticated code or platform.

We should be pushing heavily for deterministic ECDSA, even though it's
not something we can require via wire protocol at runtime.

   --dkg
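The deterministic ECDSA the thread is arguing for derives the per-signature nonce k from the private key and the message hash (RFC 6979's HMAC-DRBG construction) instead of from the platform's RNG, which is exactly what makes a key safe to move to a "less sophisticated" platform. The following pure-Python block is an added example, not code from this thread or from any TLS implementation discussed in it; it assumes NIST P-256 with SHA-256, a constructed demo private key, and helper names (`deterministic_k`, `sign`, `verify`, `nonce_for`) chosen here for illustration.

```python
"""Deterministic ECDSA over NIST P-256 in pure Python (added example).

The nonce k is derived RFC 6979-style from (private key, message hash) via
HMAC-DRBG, so signing never consults the platform RNG; signing the same
message twice yields the same (r, s).  Educational code: no constant-time
arithmetic, so it is not suitable for production use.
"""
import hashlib
import hmac

# NIST P-256 domain parameters (public constants).
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)


def _inv(x, m):
    # Modular inverse via Fermat; P and N are both prime.
    return pow(x % m, m - 2, m)


def _add(p1, p2):
    # Affine point addition/doubling; None is the point at infinity.
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * _inv(2 * y1, P) % P
    else:
        lam = (y2 - y1) * _inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def _mul(k, point):
    # Double-and-add scalar multiplication.
    result, addend = None, point
    while k:
        if k & 1:
            result = _add(result, addend)
        addend = _add(addend, addend)
        k >>= 1
    return result


def _bits2int(b, qlen):
    # RFC 6979 section 2.3.2: keep the leftmost qlen bits.
    x = int.from_bytes(b, "big")
    blen = len(b) * 8
    return x >> (blen - qlen) if blen > qlen else x


def deterministic_k(priv, h1, q=N, hashfn=hashlib.sha256):
    """RFC 6979 section 3.2: derive k from the private key and hash h1."""
    qlen = q.bit_length()
    rlen = (qlen + 7) // 8
    hlen = hashfn().digest_size
    x = priv.to_bytes(rlen, "big")                       # int2octets(x)
    m = (_bits2int(h1, qlen) % q).to_bytes(rlen, "big")  # bits2octets(h1)
    V = b"\x01" * hlen
    K = b"\x00" * hlen
    K = hmac.new(K, V + b"\x00" + x + m, hashfn).digest()
    V = hmac.new(K, V, hashfn).digest()
    K = hmac.new(K, V + b"\x01" + x + m, hashfn).digest()
    V = hmac.new(K, V, hashfn).digest()
    while True:
        T = b""
        while len(T) * 8 < qlen:
            V = hmac.new(K, V, hashfn).digest()
            T += V
        k = _bits2int(T, qlen)
        if 1 <= k < q:
            return k
        # Candidate out of range: update state and try again.
        K = hmac.new(K, V + b"\x00", hashfn).digest()
        V = hmac.new(K, V, hashfn).digest()


def nonce_for(priv, message):
    """Convenience wrapper: the nonce sign() will use for this message."""
    return deterministic_k(priv, hashlib.sha256(message).digest())


def sign(priv, message):
    """ECDSA signature with an RFC 6979-derived nonce; no RNG involved."""
    h1 = hashlib.sha256(message).digest()
    e = _bits2int(h1, N.bit_length()) % N
    k = deterministic_k(priv, h1)
    r = _mul(k, G)[0] % N
    if r == 0:  # astronomically unlikely; RFC 6979 says draw the next k
        raise ValueError("r == 0, retry required")
    s = _inv(k, N) * (e + r * priv) % N
    return (r, s)


def verify(pub, message, sig):
    """Standard ECDSA verification (unchanged by deterministic signing)."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    e = _bits2int(hashlib.sha256(message).digest(), N.bit_length()) % N
    w = _inv(s, N)
    pt = _add(_mul(e * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


# Constructed demo key (NOT a real key): hash of a fixed label, reduced mod N.
PRIV = int.from_bytes(hashlib.sha256(b"constructed demo key").digest(), "big") % N
PUB = _mul(PRIV, G)

if __name__ == "__main__":
    sig1 = sign(PRIV, b"sample")
    sig2 = sign(PRIV, b"sample")
    print("verifies:", verify(PUB, b"sample", sig1))
    print("same signature on repeat:", sig1 == sig2)
```

The property worth checking on any deployment is the one the `__main__` block prints: signing the same message twice with the same key gives byte-identical output, which means the signature's safety no longer rests on whatever entropy source the host happens to have. Verification is unchanged, so a deterministic signer interoperates with every existing verifier, which is why this can be recommended without being enforceable on the wire.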