[TLS] Re: [TLS]Re: [EXTERNAL] Consensus Call: -rfc8446bis PRs #1360
"D. J. Bernstein" <djb@cr.yp.to> Sun, 08 September 2024 11:22 UTC
Return-Path: <djb-dsn2-1406711340.7506@cr.yp.to>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38450C14CEFF for <tls@ietfa.amsl.com>; Sun, 8 Sep 2024 04:22:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.906
X-Spam-Level:
X-Spam-Status: No, score=-6.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MSMrQAOsEY5A for <tls@ietfa.amsl.com>; Sun, 8 Sep 2024 04:22:34 -0700 (PDT)
Received: from salsa.cs.uic.edu (salsa.cs.uic.edu [131.193.32.108]) by ietfa.amsl.com (Postfix) with SMTP id C949AC14F602 for <tls@ietf.org>; Sun, 8 Sep 2024 04:22:34 -0700 (PDT)
Received: (qmail 15582 invoked by uid 1010); 8 Sep 2024 11:22:33 -0000
Received: from unknown (unknown) by unknown with QMTP; 8 Sep 2024 11:22:33 -0000
Received: (qmail 306199 invoked by uid 1000); 8 Sep 2024 11:17:16 -0000
Date: Sun, 08 Sep 2024 11:17:16 -0000
Message-ID: <20240908111716.306197.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: tls@ietf.org
Mail-Followup-To: tls@ietf.org
In-Reply-To: <CABcZeBObcf-Rh1g+O+iCv34WG_rnDyc60URpP8_mAkHR_4N++g@mail.gmail.com>
Message-ID-Hash: AS63EHK2CJVW66YKTSIJEDVFS2ATHJI5
X-Message-ID-Hash: AS63EHK2CJVW66YKTSIJEDVFS2ATHJI5
X-MailFrom: djb-dsn2-1406711340.7506@cr.yp.to
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [TLS] Re: [TLS]Re: [EXTERNAL] Consensus Call: -rfc8446bis PRs #1360
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/TrNwM0n4bfeBMFqAkK5afeF2rns>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>
Eric Rescorla writes: > I do not think we need to make Curve25519 MTI. The purpose of MTIs is to > provide a minimum baseline for interoperability, and we have that already > with the existing MTI. That's entirely compatible with most people > preferring X25519 because they believe it's better than the MTI. As the list in Appendix A of https://cr.yp.to/papers.html#safecurves shows, the NSA/NIST standards for the core tasks of ECDH and signatures keep triggering security failures, for reasons that two of us correctly predicted many years ago. One can't expect new implementors to figure out these security issues if they aren't warned. As for "believe", in some cases we have direct security comparisons: the "Minerva" attacks and the recent breaks of "5G Subscription Concealed Identifiers" worked against implementations of the NSA/NIST standards while failing against implementations of X25519/Ed25519 in the same software. More broadly, these NSA/NIST security failures keep happening, even in major ECC implementations: see, e.g., Firefox's announcement "CVE-2023-6135: NSS susceptible to 'Minerva' attack". In general, we should be evaluating MTI choices for their real-world security impact, not just whether they're sufficient to guarantee interoperability. What would be best for security is to transition away from the NSA/NIST approach---as most TLS connections have already done for encryption. The first step in ensuring interoperability for such a transition is to add another MTI. ---D. J. Bernstein P.S. People who need FIPS certification should be asking NIST to follow through on allowing X25519. NIST said in https://web.archive.org/web/20200810165057/https://csrc.nist.gov/projects/cryptographic-module-validation-program/notices that it would add Curve25519 and Curve448, that X25519 and X448 "will be considered for inclusion in a subsequent revision to SP 800-56A", and that "CMVP does not intend to enforce compliance with SP 800-56A until these revisions are complete". NIST did finally manage to add Ed25519 last year, so progress is possible. In any event, IETF shouldn't be allowing NIST to control IETF's cryptographic choices.
- [TLS]Consensus Call: -rfc8446bis PRs #1360 Sean Turner
- [TLS] Re: [EXTERNAL] Consensus Call: -rfc8446bis … D. J. Bernstein
- [TLS] Re: [EXTERNAL] Consensus Call: -rfc8446bis … D. J. Bernstein
- [TLS]Re: [EXTERNAL] Consensus Call: -rfc8446bis P… Andrei Popov
- [TLS]Re: [EXTERNAL] Consensus Call: -rfc8446bis P… Peter Gutmann
- [TLS]Re: Consensus Call: -rfc8446bis PRs #1360 Russ Housley
- [TLS]Re: [EXTERNAL] Consensus Call: -rfc8446bis P… Salz, Rich
- [TLS]Re: [EXTERNAL] Consensus Call: -rfc8446bis P… Richard Barnes
- [TLS]Re: [EXTERNAL] Consensus Call: -rfc8446bis P… David Adrian
- [TLS] Re: Consensus Call: -rfc8446bis PRs #1360 Sean Turner
- [TLS] Re: [TLS]Re: [EXTERNAL] Consensus Call: -rf… Eric Rescorla
- [TLS] Re: [TLS]Re: [EXTERNAL] Consensus Call: -rf… D. J. Bernstein
- [TLS] Re: [TLS]Re: [EXTERNAL] Consensus Call: -rf… John Mattsson
- [TLS] Re: [TLS]Re: [EXTERNAL] Consensus Call: -rf… Watson Ladd
- [TLS] Re: [TLS]Re: [EXTERNAL] Consensus Call: -rf… D. J. Bernstein
- [TLS] Re: [EXTERNAL] Consensus Call: -rfc8446bis … Alicja Kario
- [TLS] Re: [EXTERNAL] Consensus Call: -rfc8446bis … Alicja Kario
- [TLS] Re: Consensus Call: -rfc8446bis PRs #1360 Sean Turner
- [TLS] Re: Consensus Call: -rfc8446bis PRs #1360 Stephen Farrell
- [TLS] Re: Consensus Call: -rfc8446bis PRs #1360 Eric Rescorla