Re: [TLS] Should we require compressed points

Michael StJohns <msj@nthpermutation.com> Tue, 21 October 2014 15:13 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/tls/Ze4HYryr9JThxqmcunMZcN29jDU

On 10/21/2014 10:52 AM, Eric Rescorla wrote:
> https://github.com/tlswg/tls13-spec/issues/80
>
> Today we discussed the possibility of requiring support for compressed
> points in TLS 1.3 now that the IPR has expired.
>
> Specifically, I propose that for TLS 1.3, we:
>
> - Use only compressed points for the existing curves (and presumably
>   whatever superior format is defined for the CFRG-recommended
>   curves, as appropriate).
>
> - Deprecate the Supported Point Formats extension for TLS 1.3

I'm pretty much opposed to the former and I guess by extension the latter.

There's a very large body of code that doesn't support anything except 
type 0x04 (uncompressed) X9.63 point encodings. If you want to add 
support for compressed points (or hybrid compressed), I don't think 
that's necessarily a bad idea, but not at the expense of removing 
support for uncompressed points. If you wanted to remove the supported 
point format extension, I guess you could mandate support for both 
compressed and uncompressed (and hybrid?).

As a second item, I would estimate the chance we're going to see 
compressed points in X509 certificates as a regular thing prior to about 
10 years from now as very small, meaning that any general transition to 
EC based suites is going to require uncompressed point support.

Lastly, while the base IPR for point compression seems to be no longer 
of concern, I've still been told to avoid it for a few more years due to 
implementation patents related to compression.  I'm not sure how 
worrisome that is, but it's one of the reasons that binary curves aren't 
in broader use still.

Just my $.02

Mike

>
>
> For RFC 4492-bis, we might also consider requiring support for compressed
> points as well as uncompressed (already required) but this seems like a
> separable issue, since it's mostly in service of optimization rather than
> simplicity.
>
> What do people think?
> -Ekr
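
Added example, not part of the original messages or of any TLS implementation: a decoder for the three X9.62/X9.63 point encodings this thread discusses (0x04 uncompressed, 0x02/0x03 compressed, 0x06/0x07 hybrid), showing the extra square-root step compressed points need and the on-curve check every format needs. The choice of NIST P-256 and all function names are assumptions made for illustration.

```python
# Added example: SEC 1 / X9.62 point encodings on NIST P-256 (secp256r1).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
FLEN = 32  # field element length in bytes

def on_curve(x, y):
    return (y * y - (x * x * x + A * x + B)) % P == 0

def recover_y(x, odd):
    """Solve y^2 = x^3 + ax + b and pick the root with the requested parity."""
    rhs = (pow(x, 3, P) + A * x + B) % P
    y = pow(rhs, (P + 1) // 4, P)  # square root; valid because P % 4 == 3
    if y * y % P != rhs:
        raise ValueError("no curve point has this x coordinate")
    return y if (y & 1) == odd else P - y

def encode(x, y, fmt):
    xb, yb = x.to_bytes(FLEN, "big"), y.to_bytes(FLEN, "big")
    if fmt == "uncompressed":
        return b"\x04" + xb + yb
    if fmt == "compressed":
        return bytes([0x02 | (y & 1)]) + xb
    if fmt == "hybrid":
        return bytes([0x06 | (y & 1)]) + xb + yb
    raise ValueError("unknown format")

def decode(buf):
    """Return (x, y); reject malformed, out-of-range or off-curve input."""
    tag = buf[0] if buf else None
    if tag in (0x02, 0x03) and len(buf) == 1 + FLEN:
        x = int.from_bytes(buf[1:], "big")
        if x >= P:
            raise ValueError("coordinate out of range")
        return x, recover_y(x, tag & 1)
    if tag in (0x04, 0x06, 0x07) and len(buf) == 1 + 2 * FLEN:
        x = int.from_bytes(buf[1:1 + FLEN], "big")
        y = int.from_bytes(buf[1 + FLEN:], "big")
        if x >= P or y >= P or not on_curve(x, y):
            raise ValueError("point is not on the curve")
        if tag != 0x04 and (y & 1) != (tag & 1):
            raise ValueError("hybrid tag disagrees with y parity")
        return x, y
    raise ValueError("unsupported or malformed point encoding")

if __name__ == "__main__":
    for fmt in ("uncompressed", "compressed", "hybrid"):
        enc = encode(GX, GY, fmt)
        print(fmt, len(enc), "bytes, tag", hex(enc[0]), decode(enc) == (GX, GY))
```

A peer that only implements the 0x04 branch, as the reply describes, would reject the 33-byte compressed form outright, which is the interoperability cost under discussion.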