[TLS] Update draft on Curve25519/Curve448 in (D)TLS
Simon Josefsson <simon@josefsson.org> Mon, 06 July 2015 12:08 UTC
Return-Path: <simon@josefsson.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 451E61ACE50 for <tls@ietfa.amsl.com>; Mon, 6 Jul 2015 05:08:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.551
X-Spam-Level:
X-Spam-Status: No, score=-1.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gJpxRbnOka8T for <tls@ietfa.amsl.com>; Mon, 6 Jul 2015 05:08:00 -0700 (PDT)
Received: from duva.sjd.se (duva.sjd.se [IPv6:2001:9b0:1:1702::100]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 107AA1ACE3D for <tls@ietf.org>; Mon, 6 Jul 2015 05:07:59 -0700 (PDT)
Received: from latte.josefsson.org ([155.4.17.3]) (authenticated bits=0) by duva.sjd.se (8.14.4/8.14.4/Debian-4) with ESMTP id t66C7m4F004357 (version=TLSv1/SSLv3 cipher=AES128-GCM-SHA256 bits=128 verify=NOT) for <tls@ietf.org>; Mon, 6 Jul 2015 14:07:49 +0200
X-Hashcash: 1:22:150706:tls@ietf.org::tDvYZ5asLWA8hpEb:CBC5
From: Simon Josefsson <simon@josefsson.org>
To: tls@ietf.org
OpenPGP: id=54265E8C; url=http://josefsson.org/54265e8c.txt
Date: Mon, 06 Jul 2015 14:07:47 +0200
Message-ID: <87vbdxcwvg.fsf@latte.josefsson.org>
User-Agent: Gnus/5.130014 (Ma Gnus v0.14) Emacs/24.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
X-Virus-Scanned: clamav-milter 0.98.7 at duva.sjd.se
X-Virus-Status: Clean
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/fLF1XMblJIJ9Jm9viUqk4kiHcZo>
Subject: [TLS] Update draft on Curve25519/Curve448 in (D)TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Jul 2015 12:08:02 -0000
Hi all, Version -01 of draft-ietf-tls-curve25519 has been posted, please see: https://tools.ietf.org/html/draft-ietf-tls-curve25519-01 Changes include: - Added Curve448/Ed448-Goldilocks. - Dropped the new ECPointFormat value and use "uncompressed" instead. - Clarified the logic for ECDSA compatibility. The open issues that I am aware of, and would appreciate feedback/suggestions on, are: - Compatibility with signing algorithm selection. The text now says: Since Curve25519 and Curve448 are Diffie-Hellman functions, and not applicable as signatures algorithms, clients who offer ECDHE_ECDSA ciphersuites and advertise support for Curve25519/Curve448 in the elliptic_curves ClientHello extension SHOULD also advertise support for at least one curve suitable for ECDSA signatures. Servers MUST NOT select an ECDSA certificate if there are no common curves suitable for ECDSA signing. This wording should permit use of Ed25519 for signing (assuming it is treated as a ECDSA signature) once that is available, and NIST P-256 for ECDSA certs now. The wording is a bit complicated, and might say more than what we actually need to enforce at this point. For example, the last sentence ought to be covered by other specification text already, and doesn't appear to me to be a new requirement introduced by this document. Maybe we can find the reference and add it instead. The SHOULD is a bit wishy-washy, why isn't it a MUST? I am also not confident that this text is aligned with TLS 1.3. - Naming of Curve448 / Ed448-Goldilocks. Is Ed448-Goldilocks the name of the curve, and Curve448 the name of the Diffie-Hellman function based on the curve? Naming is not terribly clear from the CFRG draft nor the upstream Ed448-Goldilocks paper. The latter does not mention the word Curve448 at all but does talk about ECHDE. Alas, the situation with naming of Curve25519 is not a lot better. Perhaps the only thing we can aspire to is to avoid confusion as to which curve/function is referred to. I believe everyone understand what is meant by the terms Curve25519, Curve448 and Ed448-Goldilocks anyway. Perhaps getting everyone to agree on terminology naming is simply infeasible. - Is anything more required for TLS 1.3 compatibility/alignment? - Amount of crypto details (Appendix A). Ideally I would prefer if the CFRG draft contained all the crypto details, but not all of it has been carried over to that document. I don't know what the status is on the CFRG document, so I left the majority of the Curve25519 details in this document pending clarity. - Section 2.3 on public key validation. I would prefer if this went into the CFRG document too. The source code for this draft is maintained in this repository, and pull requests are welcome: https://gitlab.com/jas/ietf-tls-newcurves /Simon
- [TLS] Update draft on Curve25519/Curve448 in (D)T… Simon Josefsson
- Re: [TLS] Update draft on Curve25519/Curve448 in … Ilari Liusvaara