Re: [TLS] Why are the brainpool curves not allowed in TLS 1.3?

Eric Rescorla <ekr@rtfm.com> Tue, 17 July 2018 15:02 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/XsfvO9E5UcQyy6GKicRjc_25Dyg>

Well, I note that the text also says "or have had very little usage,"

-Ekr


On Tue, Jul 17, 2018 at 7:57 AM, Dan Brown <danibrown@blackberry.com> wrote:

> It's mainly due to CFRG's advice, isn't it?
> Calling other curves potentially unsafe or inappropriate for general use
> is a bit harsh and outside the scope of TLS, isn't it?
> As to using a narrow or wide set of curves, there are reputable proposals
> for the latter:
>
> ia.cr/2015/647 and ia.cr/2015/366
>
> which may be too slow for TLS, or lacking in some other practicalities,
> but it is hard to conclude it is riskier or less secure.
>
> If it's not too late then an editorial softening for the reason for the
> set of allowed TLS curves makes sense.
>
> Best regards,
>
> Dan
>
>
>   Original Message
> From: Hanno Böck
> Sent: Tuesday, July 17, 2018 9:56 AM
> To: tls@ietf.org
> Subject: Re: [TLS] Why are the brainpool curves not allowed in TLS 1.3?
>
>
> Hi,
>
> I think there's been a mentality change in the TLS community that
> explains this.
> Back when Brainpool curves were standardized there was a "more is
> better" mentality when it came to algorithms. I.e. if an algorithm is
> not broken it's good to have it in TLS. Particularly all kinds of
> nationalized algs made it into TLS.
>
> There's a very strong reason against this: It creates complexity. More
> opportunities for attacks, more fragmentation of the ecosystem. I
> believe I speak for a lot of people here when I say that fewer
> algorithms is better and having more algs "just because" is not a good
> reason. With that in mind an algorithm doesn't have to be weak to be
> removed from TLS. It's reason enough if it's rarely used and doesn't
> have a significant advantage over alternatives.
>
> Brainpool curves were never widely used in mainstream deployments of TLS
> (aka browsers). They have no significant advantage over the other
> choices. They pretty much exist because Germany wanted to have their
> homegrown crypto algorithm, too, meaning they exist for nationalistic
> reasons, not technical ones. So deprecating them has the same reason we
> don't have SEED or Camellia in TLS any more.
>
> --
> Hanno Böck
> https://hboeck.de/
>
> mail/jabber: hanno@hboeck.de
> GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>