Re: [TLS] Curve25519 in TLS and Additional Curves in TLS
Alyssa Rowan <akr@akr.io> Wed, 02 April 2014 18:22 UTC
Return-Path: <akr@akr.io>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4AFF81A0326 for <tls@ietfa.amsl.com>; Wed, 2 Apr 2014 11:22:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.502
X-Spam-Level:
X-Spam-Status: No, score=-0.502 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BfcTnxhoajxR for <tls@ietfa.amsl.com>; Wed, 2 Apr 2014 11:21:58 -0700 (PDT)
Received: from entima.net (entima.net [78.129.143.175]) by ietfa.amsl.com (Postfix) with ESMTP id 57F101A03B9 for <tls@ietf.org>; Wed, 2 Apr 2014 11:21:58 -0700 (PDT)
Received: from [10.10.42.10] (cpc5-derb12-2-0-cust796.8-3.cable.virginm.net [82.31.91.29]) (using TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by entima.net (Postfix) with ESMTPSA id DACC160171 for <tls@ietf.org>; Wed, 2 Apr 2014 19:21:53 +0100 (BST)
Message-ID: <533C554A.7080607@akr.io>
Date: Wed, 02 Apr 2014 19:22:02 +0100
From: Alyssa Rowan <akr@akr.io>
MIME-Version: 1.0
To: tls@ietf.org
References: <87ob3456s1.fsf@latte.josefsson.org> <20140402164340.GA14790@roeckx.be>
In-Reply-To: <20140402164340.GA14790@roeckx.be>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/ctszNoNjedg3Gp-lxRCL6y_GMHo
Subject: Re: [TLS] Curve25519 in TLS and Additional Curves in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Apr 2014 18:22:03 -0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 02/04/2014 17:43, Kurt Roeckx wrote: > So what's the status of this? [draft-josefsson-tls-curve25519] As I recall, there were only three issues raised in the discussion in January (and one tiny one I'm raising now that is very easily fixed in the normal course of RFC editing). Discussion seemed to just peter out after then. If I may summarise where we left off (and _please_ speak out if you feel I'm grossly mischaracterising anything or got anything wrong!):— 1. Draft-04 uses its own point format, a 'big-endian' representation, (and adds a length byte). That differed from every existing Curve25519 implementation in the wild, which use a 'little-endian' representation. • Both Rich Salz and Robert Ransom spoke strongly for simply using the existing little-endian format used by all Curve25519 implementations already in the wild, and pointed out there was no technical reason to break compatibility and change that to anything else. [No such technical reasons were seemingly presented in the ensuing discussion. /akr] • Manuel Pégourié-Gonnard wasn't married to the point format in -04, had no objection to using the existing little-endian format, and requested comments 'in the next few days' from anyone who did have objections. • Watson Ladd said endianness wasn't a good reason to vote no, and asked please not to reignite the endianness 'holy war'. • Nikos Mavrogiannopoulos pointed out protocols are often expected to outlive existing implementations and aren't typically designed based on them. [Although this one would, presumably, be an exception? /akr] He also pointed out almost all IETF protocols use the big-endian format for transferring integers, so that implementations would be prepared for any endian issues anyway. • James Cloos suggested 'Internet-endian is the better choice'. [I presume, from context, that he meant big-endian. /akr] • Bill Frantz simply pointed out that it wouldn't be unprecedented to have little-endian data in an Internet Protocol. [For what it's worth - i.e. almost nothing! - I myself favour matching the Curve25519 reference: so, little-endian. /akr] 2. We need to specify what, exactly, to do with the unused high bit. As the discussion in January covered, except for one, buggy implementation, all Curve25519 implementations in the wild always produce 0, and always ignore it. We should probably specify that as required behaviour; it allows for using it for something else later, which was discussed. Manuel agreed that implementations SHOULD mask off the high bit. That's not in draft-04, but it should be in -05? There was talk about maybe using it later for sign-of-y or something else, for other protocols. I don't know if that went anywhere. [Again, I favour the draft simply matching the original Curve25519 implementation: high bit SHOULD be 0, high bit SHOULD be ignored. /akr] 3. The length byte was talked about, and the consensus seemed broadly to be: specify 32 now, allow 64 for if we want, say, an Edwards-form y-coordinate for some other protocol later, and have the first 32 bytes of that match the 32-byte format. [I have no position on this. /akr] 4. The NamedCurve value allocation is still [TBD1] in -04 - we'd need an actual value allocated before implementing that in the wild (outside of pure testing, where we can just use a private value)? That's about all I can remember. Were there any other substantive issues? Thanks for reminding us about the stalled discussion. I'm keen to start getting things out there myself: if we can wrap up the remaining issues, I think that'd be good for everyone. - -- /akr -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJTPFVKAAoJEOyEjtkWi2t6o3kP/1ZWnVr5jd7m3/S8H/IBY7kK 7VWgjlrgb3x6QqflU5xDwgrGNelp2m5FY4IKKUr0DPfIvGkXP+vKttXO+EWligq8 biP+DeObsstJ3Sb9tqd1pD4is3/Wb/Y6Zbo2PE+Qu5edF5wFX1lTJPtqMl9Lh6Ux Wev+dgQD7EXf+tgw9MXB92dhs9qS+zMFBUfH79QEC7QJI4kH7KCQlzTVBHB0Px1g wesrN0QEpgx1lY2/dw2lnejZaty6dsjbGKtYB416+qpNSlKvwSHchnFfz8dd/Krp u8+/JW3hLgnQsv8DzFHj31ZQAYoE/3HjrqXqm9bA2U4CtuVl+Crhprc+7f7JpuXi YfRZfY4+VswW2LRLRSHf1Gxa2oURqpEzYyk4R5XH7lIVBnD0nEqMoxLrHr3leA9a aDhse6SCbytpACrpVh/a/U9mf27jT7yno9KVdGeX/0WdJQRDPu3s+gN26/38jwCk tw3rxzCv911r4T7NA0vnwRW6lZLwAf6TWo64xJHcvDpq1QUFE61MJSOx4Z2H0xQ1 bXcZQoejEEkutYH0HXdbpsgr4aHsle8emwW9UdP6yyFzdRgN43QkAFUmKkMdRcrB rVQoPPxuiTPr4VM/Ii4vOViOjvaHoEuN1cKt+F1oPV5/33uhQt1oA10cvomM4QZ9 RwgW7YnKIyZ0HxwGlkyn =bm10 -----END PGP SIGNATURE-----
- [TLS] Curve25519 in TLS and Additional Curves in … Simon Josefsson
- Re: [TLS] Curve25519 in TLS and Additional Curves… Rob Stradling
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Watson Ladd
- Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Rob Stradling
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Andy Lutomirski
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Andy Lutomirski
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… James Cloos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Bill Frantz
- Re: [TLS] Curve25519 in TLS and Additional Curves… Kurt Roeckx
- Re: [TLS] Curve25519 in TLS and Additional Curves… Alyssa Rowan
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Andrey Jivsov
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Watson Ladd
- Re: [TLS] Curve25519 in TLS and Additional Curves… Andrey Jivsov
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Simon Josefsson
- Re: [TLS] Curve25519 in TLS and Additional Curves… Watson Ladd
- Re: [TLS] Curve25519 in TLS and Additional Curves… Daniel Kahn Gillmor
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Alyssa Rowan
- Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Watson Ladd
- Re: [TLS] Curve25519 in TLS and Additional Curves… Andrey Jivsov
- Re: [TLS] Curve25519 in TLS and Additional Curves… Yoav Nir
- Re: [TLS] Curve25519 in TLS and Additional Curves… Fabrice
- Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Watson Ladd
- Re: [TLS] Curve25519 in TLS and Additional Curves… Alyssa Rowan
- Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Alyssa Rowan
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard