Re: [TLS] PSS for TLS 1.3
Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Tue, 24 March 2015 17:11 UTC
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/PfEoY7nPWndM6E-RHzQ-8H1IAo4>

On Mon, Mar 23, 2015 at 07:42:26PM +0000, Paterson, Kenny wrote:
> >
> >We want to accommodate the uptake of ECC, so ...
> >
> >If RSA keys, then sign handshake with RSA-PSS.
> >If ECC keys, then sign handshake with ECDSA.
>
> Just a quick heads-up with my CFRG hat on. We should soon be making a
> start over there on defining signature schemes for use with the curves
> that we have now selected; our DH deliberations are nearing completion.
>
> One quick question for this group: how important is it to you to have
> ECDSA - or something very close to it (e.g. a derandomised version) - for
> TLS use, and how much appetite is there for adopting schemes that deviate
> more significantly from ECDSA (e.g. EdDSA)?

My personal view (I have also looked at what this would take):

Not important, I would very much like a modern signature system
(esp. inversion-free[1]).

But I would want:
- Both curves usable in the same signature framework.
- Only use common hash function properties for both curves[2],
  especially for verification interop[3].

Assignments required:
- TLS signaturealgorithm codepoint
- TLS namedcurve codepoints
- OIDs for the signature curves
- OIDs for PKIX (Signature,Hash) algorithm pair.

All can be done with RFC & expert review.

[1] Inversions are not only highly annoying to implement in a safe way,
but are also pretty slow.

[2] Good test: Does this work with standard-issue SHA-512?

[3] This is for the case if anything happens to the primary
algorithm.

-Ilari