IETF Logo Mail Archive

Re: [TLS] Should we require compressed points

Michael StJohns <msj@nthpermutation.com> Wed, 22 October 2014 16:03 UTC

Return-Path: <msj@nthpermutation.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE5AC1ACDB2 for <tls@ietfa.amsl.com>; Wed, 22 Oct 2014 09:03:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ei3T7VL7VALr for <tls@ietfa.amsl.com>; Wed, 22 Oct 2014 09:03:19 -0700 (PDT)
Received: from mail-qa0-f51.google.com (mail-qa0-f51.google.com [209.85.216.51]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3724B1ACD82 for <tls@ietf.org>; Wed, 22 Oct 2014 09:03:19 -0700 (PDT)
Received: by mail-qa0-f51.google.com with SMTP id k15so2595304qaq.24 for <tls@ietf.org>; Wed, 22 Oct 2014 09:03:18 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :subject:references:in-reply-to:content-type; bh=zfboSt/zZdkhJIrv6NHOk8O2YN7CYjK7rw/IlxhKim8=; b=XSixlA4qrJNSLGduXVnQ5K9Rc1NUufrDmvpVu0RKSL4mQbcpCnQ3i205gYqq+I3MUb KIqpI+kisKO4xwFzHZr8mHWvU2E9muLbxxeEjwYyUeym+lvuOVReo4komZv6FADrIkDg wOlIqsd38zKdo7odX74noj8NmlNdCu786ZgQBGZNEdvo6qO9zx/orq5SqjWlkY5ZaOOI BD6lQ63ujXTgYRGzP/WbQdQnBMGWRGEn4GkTM5OZT+Dz7igIG1Drz9wndm35jR1oQUGv Xvm71Q7aAFvOCLzjuya8BBQ3CyfUU0LltUmyDaWI91tEZxRvyHxdaP7JERlzpkcdyDSt 42Hg==
X-Gm-Message-State: ALoCoQnuXZcvXHDqFINmDyRWmuwBahJQSdkEQI/FuH5cGRQVdC9ntk1gy3iXa+TptcYZPkKCO3BS
X-Received: by 10.224.11.6 with SMTP id r6mr4986564qar.42.1413993798043; Wed, 22 Oct 2014 09:03:18 -0700 (PDT)
Received: from ?IPv6:2601:a:2a00:e7:4db0:7b95:1f7b:4e12? ([2601:a:2a00:e7:4db0:7b95:1f7b:4e12]) by mx.google.com with ESMTPSA id i2sm13922116qay.32.2014.10.22.09.03.17 for <tls@ietf.org> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 22 Oct 2014 09:03:17 -0700 (PDT)
Message-ID: <5447D561.1010503@nthpermutation.com>
Date: Wed, 22 Oct 2014 12:03:45 -0400
From: Michael StJohns <msj@nthpermutation.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: tls@ietf.org
References: <CABcZeBMqdwWTFxGAqaC9PqhzbgZM5yOf2TTq7pVCjyw_X+3Zkg@mail.gmail.com>
In-Reply-To: <CABcZeBMqdwWTFxGAqaC9PqhzbgZM5yOf2TTq7pVCjyw_X+3Zkg@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------040501070705060400050904"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/XB1b1Uc5ZSuSeytQXWTtXMlDesU
Subject: Re: [TLS] Should we require compressed points
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Oct 2014 16:03:24 -0000

On 10/21/2014 10:52 AM, Eric Rescorla wrote:
> https://github.com/tlswg/tls13-spec/issues/80
>
> Today we discussed the possibility of requiring support for compressed 
> points
> in TLS 1.3 now that the IPR has expired.
>
> Specifically, I propose that for TLS 1.3, we:
>
> - Use only compressed points for the existing curves (and presumably
>   whatever superior format is defined for the CFRG-recommended
>   curves, as appropriate).
>
> - Deprecate the Supported Point Formats extension for TLS 1.3

After thinking about this longer - how actually would this work 
negotiation wise?  Specifically "us[ing] only compressed points"?

AFAICT, all you're going to do is make the negotiation even more 
complex.  The TLS1.3 clients and servers will still need to implement 
uncompressed points to talk to TLS1.2 and before clients and servers.  A 
TLS1.3 server will still need to understand an offered Supported Point 
Format extension from a TLS1.2 client to figure out if it can send a 
compressed point public key.  (I think) A TLS1.3 client will still need 
to offer the Supported Point Format extension in case it's talking to a 
1.2 server if the client wants to offer a compressed public key.

Is there any benefit you get besides  the savings of 1/2 of a public key 
on the wire from the server to the client?  Call it 32 octets for a 256 
bit X9.63 key.

The only way you get away from this is if you have prior knowledge of 
the server implementation or you put TLS1.3 on a new port (which to be 
clear I'm not suggesting).

And you still need support for the uncompressed form for certificates 
for quite a very long time (RFC5480).

So what's the argument for doing this besides "we can"?

Mike


>
>
> For RFC 4492-bis, we might also consider requiring support for compressed
> points as well as uncompressed (already required) but this seems like a
> separable issue, since it's mostly in service of optimization rather than
> simplicity.
>
> What do people think?
> -Ekr
>
>
>
>
>
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email