Re: [TLS] Strawman on EdDSA/Ed25519 in TLS

Simon Josefsson <simon@josefsson.org> Fri, 29 May 2015 21:19 UTC

From: Simon Josefsson <simon@josefsson.org>
To: Peter Bowen <pzbowen@gmail.com>
References: <1432142087.2946.11.camel@josefsson.org> <20150520190727.GD19183@localhost> <CAK6vND8uKT9AamW6d43CM3FipGqkCnp6x0=HESUUTpdHdzaSLg@mail.gmail.com>
OpenPGP: id=54265E8C; url=http://josefsson.org/54265e8c.txt
Date: Fri, 29 May 2015 23:18:50 +0200
In-Reply-To: <CAK6vND8uKT9AamW6d43CM3FipGqkCnp6x0=HESUUTpdHdzaSLg@mail.gmail.com> (Peter Bowen's message of "Thu, 21 May 2015 19:42:53 -0700")
Message-ID: <87lhg7w091.fsf@latte.josefsson.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/OZmtKl_NzuHv9EbXj4KZ43rEFtU>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Strawman on EdDSA/Ed25519 in TLS

Peter Bowen <pzbowen@gmail.com> writes:

> On Wed, May 20, 2015 at 12:07 PM, Nico Williams <nico@cryptonector.com> wrote:
>> On Wed, May 20, 2015 at 07:14:47PM +0200, Simon Josefsson wrote:
>>> Support for EdDSA/Ed25519 in TLS has been suggested a couple of times.
>>
>> I'm in favor.
>>
>>> One aspect I'm aware of is that there is no OID allocated nor
>>> specification of PKIX certificates with EdDSA/Ed25519 public keys.  I'm
>>> not sure the above document is the right place for doing that though,
>>> and more thinking around this topic is especially appreciated.
>>
>> It's an OID.  You can get your own OID arc and then allocate an OID.
>>
>> Is it important to separate the addition of a PKIX algorithm OID from
>> the TLS bits?  Well, it is neater that way.
>
> I'll donate a short OID to the cause if that will help move things
> forward.  We have the 1.3.187 arc which is only three bytes DER.  If
> someone has a smaller arc (third node would be 127 or lower) and would
> offer an OID from their arc we can shave off another couple of bytes.

Anyone?  I have 1.3.6.1.4.1.11591 but it is much longer.

If you can allocate one OID for PKIX-EdDSA and one for PKIX-Ed25519 we
have two values to work with for doing a PKIX EdDSA or Ed25519 draft.
It is not clear to me which approach is best, and if you have room for
two OIDs let's have two different from the start in case people want to
experiment with both.

Thank you for thinking of saving bytes here! :-)

/Simon
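As an added example (not code from the thread or from any of its participants), a small DER OBJECT IDENTIFIER encoder/decoder that shows why the 1.3.187 arc mentioned above costs three content octets, why a third arc of 127 or lower would cost two, and how much longer 1.3.6.1.4.1.11591 is. The 1.3.100 arc used for comparison is a constructed placeholder, not an allocated arc.

```python
"""DER OBJECT IDENTIFIER encoding (X.690 8.19), worked on the OIDs in the thread."""


def encode_oid_content(oid: str) -> bytes:
    """Return the DER content octets for a dotted OID.

    The first two arcs are merged into one subidentifier (40*a + b); every
    subidentifier is then written base-128, big-endian, with bit 8 set on
    all octets except the last. Arcs up to 127 therefore fit in one octet.
    """
    arcs = [int(a) for a in oid.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID {oid!r}")
    if any(a < 0 for a in arcs):
        raise ValueError("OID arcs must be non-negative")
    subids = [40 * arcs[0] + arcs[1]] + arcs[2:]
    out = bytearray()
    for sid in subids:
        chunk = bytearray([sid & 0x7F])  # last octet: continuation bit clear
        sid >>= 7
        while sid:
            chunk.insert(0, 0x80 | (sid & 0x7F))  # leading octets: bit 8 set
            sid >>= 7
        out += chunk
    return bytes(out)


def encode_oid(oid: str) -> bytes:
    """Full DER TLV: tag 0x06, short-form length, content octets."""
    content = encode_oid_content(oid)
    if len(content) > 127:
        raise ValueError("long-form length not handled (not needed for these OIDs)")
    return bytes([0x06, len(content)]) + content


def decode_oid_content(data: bytes) -> str:
    """Inverse of encode_oid_content; rejects a truncated final subidentifier."""
    if not data or data[-1] & 0x80:
        raise ValueError("empty or truncated OID content")
    subids, value = [], 0
    for octet in data:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:
            subids.append(value)
            value = 0
    first = subids[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in arcs + subids[1:])


if __name__ == "__main__":
    for oid in ("1.3.100", "1.3.187", "1.3.6.1.4.1.11591"):  # 1.3.100 is a constructed placeholder
        content = encode_oid_content(oid)
        print(f"{oid:20} {len(content)} content octet(s): {content.hex()}")
```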