Re: [TLS] Should we require compressed points
Michael StJohns <msj@nthpermutation.com> Wed, 22 October 2014 16:03 UTC
Return-Path: <msj@nthpermutation.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE5AC1ACDB2 for <tls@ietfa.amsl.com>; Wed, 22 Oct 2014 09:03:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ei3T7VL7VALr for <tls@ietfa.amsl.com>; Wed, 22 Oct 2014 09:03:19 -0700 (PDT)
Received: from mail-qa0-f51.google.com (mail-qa0-f51.google.com [209.85.216.51]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3724B1ACD82 for <tls@ietf.org>; Wed, 22 Oct 2014 09:03:19 -0700 (PDT)
Received: by mail-qa0-f51.google.com with SMTP id k15so2595304qaq.24 for <tls@ietf.org>; Wed, 22 Oct 2014 09:03:18 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :subject:references:in-reply-to:content-type; bh=zfboSt/zZdkhJIrv6NHOk8O2YN7CYjK7rw/IlxhKim8=; b=XSixlA4qrJNSLGduXVnQ5K9Rc1NUufrDmvpVu0RKSL4mQbcpCnQ3i205gYqq+I3MUb KIqpI+kisKO4xwFzHZr8mHWvU2E9muLbxxeEjwYyUeym+lvuOVReo4komZv6FADrIkDg wOlIqsd38zKdo7odX74noj8NmlNdCu786ZgQBGZNEdvo6qO9zx/orq5SqjWlkY5ZaOOI BD6lQ63ujXTgYRGzP/WbQdQnBMGWRGEn4GkTM5OZT+Dz7igIG1Drz9wndm35jR1oQUGv Xvm71Q7aAFvOCLzjuya8BBQ3CyfUU0LltUmyDaWI91tEZxRvyHxdaP7JERlzpkcdyDSt 42Hg==
X-Gm-Message-State: ALoCoQnuXZcvXHDqFINmDyRWmuwBahJQSdkEQI/FuH5cGRQVdC9ntk1gy3iXa+TptcYZPkKCO3BS
X-Received: by 10.224.11.6 with SMTP id r6mr4986564qar.42.1413993798043; Wed, 22 Oct 2014 09:03:18 -0700 (PDT)
Received: from ?IPv6:2601:a:2a00:e7:4db0:7b95:1f7b:4e12? ([2601:a:2a00:e7:4db0:7b95:1f7b:4e12]) by mx.google.com with ESMTPSA id i2sm13922116qay.32.2014.10.22.09.03.17 for <tls@ietf.org> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 22 Oct 2014 09:03:17 -0700 (PDT)
Message-ID: <5447D561.1010503@nthpermutation.com>
Date: Wed, 22 Oct 2014 12:03:45 -0400
From: Michael StJohns <msj@nthpermutation.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: tls@ietf.org
References: <CABcZeBMqdwWTFxGAqaC9PqhzbgZM5yOf2TTq7pVCjyw_X+3Zkg@mail.gmail.com>
In-Reply-To: <CABcZeBMqdwWTFxGAqaC9PqhzbgZM5yOf2TTq7pVCjyw_X+3Zkg@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------040501070705060400050904"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/XB1b1Uc5ZSuSeytQXWTtXMlDesU
Subject: Re: [TLS] Should we require compressed points
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Oct 2014 16:03:24 -0000
On 10/21/2014 10:52 AM, Eric Rescorla wrote: > https://github.com/tlswg/tls13-spec/issues/80 > > Today we discussed the possibility of requiring support for compressed > points > in TLS 1.3 now that the IPR has expired. > > Specifically, I propose that for TLS 1.3, we: > > - Use only compressed points for the existing curves (and presumably > whatever superior format is defined for the CFRG-recommended > curves, as appropriate). > > - Deprecate the Supported Point Formats extension for TLS 1.3 After thinking about this longer - how actually would this work negotiation wise? Specifically "us[ing] only compressed points"? AFAICT, all you're going to do is make the negotiation even more complex. The TLS1.3 clients and servers will still need to implement uncompressed points to talk to TLS1.2 and before clients and servers. A TLS1.3 server will still need to understand an offered Supported Point Format extension from a TLS1.2 client to figure out if it can send a compressed point public key. (I think) A TLS1.3 client will still need to offer the Supported Point Format extension in case it's talking to a 1.2 server if the client wants to offer a compressed public key. Is there any benefit you get besides the savings of 1/2 of a public key on the wire from the server to the client? Call it 32 octets for a 256 bit X9.63 key. The only way you get away from this is if you have prior knowledge of the server implementation or you put TLS1.3 on a new port (which to be clear I'm not suggesting). And you still need support for the uncompressed form for certificates for quite a very long time (RFC5480). So what's the argument for doing this besides "we can"? Mike > > > For RFC 4492-bis, we might also consider requiring support for compressed > points as well as uncompressed (already required) but this seems like a > separable issue, since it's mostly in service of optimization rather than > simplicity. > > What do people think? > -Ekr > > > > > > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls
- [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Hubert Kario
- Re: [TLS] Should we require compressed points Martin Thomson
- Re: [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Michael StJohns
- Re: [TLS] Should we require compressed points Michael StJohns
- Re: [TLS] Should we require compressed points Yoav Nir
- Re: [TLS] Should we require compressed points Ilari Liusvaara
- Re: [TLS] Should we require compressed points Dan Harkins
- Re: [TLS] Should we require compressed points Michael StJohns
- Re: [TLS] Should we require compressed points Watson Ladd
- Re: [TLS] Should we require compressed points Rene Struik
- Re: [TLS] Should we require compressed points Andrei Popov
- Re: [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Martin Thomson
- Re: [TLS] Should we require compressed points Watson Ladd
- Re: [TLS] Should we require compressed points Andrei Popov
- Re: [TLS] Should we require compressed points Rene Struik
- Re: [TLS] Should we require compressed points Jeffrey Walton
- Re: [TLS] Should we require compressed points Peter Gutmann
- Re: [TLS] Should we require compressed points Peter Gutmann
- Re: [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Martin Thomson
- Re: [TLS] Should we require compressed points Watson Ladd
- Re: [TLS] Should we require compressed points Michael StJohns
- Re: [TLS] Should we require compressed points Manuel Pégourié-Gonnard
- Re: [TLS] Should we require compressed points Bodo Moeller
- Re: [TLS] Should we require compressed points Viktor Dukhovni
- Re: [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Ilari Liusvaara
- Re: [TLS] Should we require compressed points Manuel Pégourié-Gonnard
- Re: [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Ilari Liusvaara
- Re: [TLS] Should we require compressed points Manuel Pégourié-Gonnard
- Re: [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Michael StJohns
- Re: [TLS] Should we require compressed points Manuel Pégourié-Gonnard
- Re: [TLS] Should we require compressed points Michael StJohns