Re: [TLS] (selection criteria for crypto primitives) Re: sect571r1
Johannes Merkle <johannes.merkle@secunet.com> Tue, 21 July 2015 14:39 UTC
Return-Path: <Johannes.Merkle@secunet.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4DFF11B2E9D for <tls@ietfa.amsl.com>; Tue, 21 Jul 2015 07:39:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.711
X-Spam-Level:
X-Spam-Status: No, score=-0.711 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, RCVD_IN_DNSWL_LOW=-0.7, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e7TloApWP9Rf for <tls@ietfa.amsl.com>; Tue, 21 Jul 2015 07:39:28 -0700 (PDT)
Received: from a.mx.secunet.com (a.mx.secunet.com [195.81.216.161]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 746451B2E99 for <tls@ietf.org>; Tue, 21 Jul 2015 07:39:22 -0700 (PDT)
Received: from localhost (alg1 [127.0.0.1]) by a.mx.secunet.com (Postfix) with ESMTP id 003401A0085 for <tls@ietf.org>; Tue, 21 Jul 2015 16:39:05 +0200 (CEST)
X-Virus-Scanned: by secunet
Received: from a.mx.secunet.com ([127.0.0.1]) by localhost (a.mx.secunet.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id Jd2UiXE4Eo1h for <tls@ietf.org>; Tue, 21 Jul 2015 16:39:03 +0200 (CEST)
Received: from mail-essen-01.secunet.de (unknown [10.53.40.204]) by a.mx.secunet.com (Postfix) with ESMTP id C898A1A007F for <tls@ietf.org>; Tue, 21 Jul 2015 16:39:03 +0200 (CEST)
Received: from [10.208.1.212] (10.208.1.212) by mail-essen-01.secunet.de (10.53.40.204) with Microsoft SMTP Server (TLS) id 14.3.248.2; Tue, 21 Jul 2015 16:39:18 +0200
Message-ID: <55AE5995.7060600@secunet.com>
Date: Tue, 21 Jul 2015 16:39:17 +0200
From: Johannes Merkle <johannes.merkle@secunet.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: tls@ietf.org
References: <20150716002056.8BD691A1E9@ld9781.wdf.sap.corp> <55A70C01.8010907@gmail.com>
In-Reply-To: <55A70C01.8010907@gmail.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
X-Originating-IP: [10.208.1.212]
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/N3NlM7owrQBx9Fpy_Ze42nj5em0>
Subject: Re: [TLS] (selection criteria for crypto primitives) Re: sect571r1
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Jul 2015 14:39:33 -0000
Rene Struik schrieb am 16.07.2015 um 03:42: > Dear colleagues: > > It seems prudent to keep some diversity of the gene pool and not only have curves defined over prime curves. Similarly, > one should perhaps have some diversity of gene pool criteria within the set of recommend curves and not only include > special primes. Should some problem with a particular subclass show up over time, one then at least has other classes > available. > > On a general note, I do not understand what is wrong with having a dictionary of curves that is well-specified, but > whose members are not all widely used. To my knowledge, having a dictionary does not force everyone to use every term in > this (mandatory vs. optional to implement vs. mandatory to use, etc.). > > If one follows the line of reasoning of some people on the mailing list earlier today, doesn't this also call into > question Brainpool curves, or, e.g., the Misty cipher, etc.? Moreover, this certainly calls into question why one would > have a whole set of new DLP groups (which certainly cannot be widely used yet, since the ink to write the parameters > down is still wet). What about RSA-1024, etc.? > I absolutely back up this position. Currently, the TLS 1.3 draft only permits curves over special primes. It has become quite clear in the discussions in CFRG and at the NIST ECC workshop that some parties (major hardware manufacturers, certification bodies) prefer curves over random primes. And as Rene has pointed out, allowing both would also give more agility w.r.t potential future attacks on certain sub-classes. Why can't the draft just specify the curves that are MTI but allow (at least some) alternative options, instead of putting all our eggs in one basket? Johannes
- Re: [TLS] sect571r1 Tony Arcieri
- [TLS] sect571r1 Dave Garrett
- Re: [TLS] sect571r1 Benjamin Beurdouche
- Re: [TLS] sect571r1 Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] sect571r1 Yoav Nir
- Re: [TLS] sect571r1 Eric Rescorla
- Re: [TLS] sect571r1 Viktor Dukhovni
- Re: [TLS] sect571r1 Deirdre Connolly
- Re: [TLS] sect571r1 Adam Langley
- Re: [TLS] sect571r1 Tanja Lange
- Re: [TLS] sect571r1 Dave Garrett
- Re: [TLS] sect571r1 Dave Garrett
- Re: [TLS] sect571r1 Dan Brown
- Re: [TLS] sect571r1 Tony Arcieri
- Re: [TLS] sect571r1 Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] sect571r1 Dave Garrett
- Re: [TLS] sect571r1 Rob Stradling
- Re: [TLS] sect571r1 Rob Stradling
- Re: [TLS] sect571r1 Martin Thomson
- Re: [TLS] sect571r1 Brian Smith
- Re: [TLS] sect571r1 Tony Arcieri
- Re: [TLS] sect571r1 Eric Rescorla
- Re: [TLS] sect571r1 Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] sect571r1 Martin Rex
- Re: [TLS] sect571r1 Tony Arcieri
- [TLS] (selection criteria for crypto primitives) … Rene Struik
- Re: [TLS] (selection criteria for crypto primitiv… Tony Arcieri
- Re: [TLS] sect571r1 Dan Brown
- Re: [TLS] (selection criteria for crypto primitiv… Jeffrey Walton
- Re: [TLS] (selection criteria for crypto primitiv… Tony Arcieri
- Re: [TLS] sect571r1 Dave Garrett
- Re: [TLS] sect571r1 Dave Garrett
- Re: [TLS] sect571r1 Jeffrey Walton
- Re: [TLS] sect571r1 Tony Arcieri
- Re: [TLS] sect571r1 Viktor Dukhovni
- Re: [TLS] sect571r1 Jeffrey Walton
- Re: [TLS] sect571r1 Jeffrey Walton
- Re: [TLS] sect571r1 Viktor Dukhovni
- Re: [TLS] (selection criteria for crypto primitiv… Dave Garrett
- Re: [TLS] sect571r1 Yoav Nir
- Re: [TLS] sect571r1 Salz, Rich
- Re: [TLS] (selection criteria for crypto primitiv… Viktor Dukhovni
- Re: [TLS] sect571r1 Tony Arcieri
- Re: [TLS] sect571r1 Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] sect571r1 Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] sect571r1 Hubert Kario
- Re: [TLS] (selection criteria for crypto primitiv… Johannes Merkle
- Re: [TLS] (selection criteria for crypto primitiv… Ilari Liusvaara
- Re: [TLS] (selection criteria for crypto primitiv… Dave Garrett
- Re: [TLS] (selection criteria for crypto primitiv… Ilari Liusvaara
- Re: [TLS] (selection criteria for crypto primitiv… Eric Rescorla
- Re: [TLS] sect571r1 Sean Turner