[TLS] Update draft on Curve25519/Curve448 in (D)TLS

Simon Josefsson <simon@josefsson.org> Mon, 06 July 2015 12:08 UTC

Return-Path: <simon@josefsson.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 451E61ACE50 for <tls@ietfa.amsl.com>; Mon, 6 Jul 2015 05:08:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.551
X-Spam-Level:
X-Spam-Status: No, score=-1.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gJpxRbnOka8T for <tls@ietfa.amsl.com>; Mon, 6 Jul 2015 05:08:00 -0700 (PDT)
Received: from duva.sjd.se (duva.sjd.se [IPv6:2001:9b0:1:1702::100]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 107AA1ACE3D for <tls@ietf.org>; Mon, 6 Jul 2015 05:07:59 -0700 (PDT)
Received: from latte.josefsson.org ([155.4.17.3]) (authenticated bits=0) by duva.sjd.se (8.14.4/8.14.4/Debian-4) with ESMTP id t66C7m4F004357 (version=TLSv1/SSLv3 cipher=AES128-GCM-SHA256 bits=128 verify=NOT) for <tls@ietf.org>; Mon, 6 Jul 2015 14:07:49 +0200
X-Hashcash: 1:22:150706:tls@ietf.org::tDvYZ5asLWA8hpEb:CBC5
From: Simon Josefsson <simon@josefsson.org>
To: tls@ietf.org
OpenPGP: id=54265E8C; url=http://josefsson.org/54265e8c.txt
Date: Mon, 06 Jul 2015 14:07:47 +0200
Message-ID: <87vbdxcwvg.fsf@latte.josefsson.org>
User-Agent: Gnus/5.130014 (Ma Gnus v0.14) Emacs/24.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
X-Virus-Scanned: clamav-milter 0.98.7 at duva.sjd.se
X-Virus-Status: Clean
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/fLF1XMblJIJ9Jm9viUqk4kiHcZo>
Subject: [TLS] Update draft on Curve25519/Curve448 in (D)TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Jul 2015 12:08:02 -0000

Hi all,

Version -01 of draft-ietf-tls-curve25519 has been posted, please see:

https://tools.ietf.org/html/draft-ietf-tls-curve25519-01

Changes include:

- Added Curve448/Ed448-Goldilocks.

- Dropped the new ECPointFormat value and use "uncompressed" instead.

- Clarified the logic for ECDSA compatibility.

The open issues that I am aware of, and would appreciate
feedback/suggestions on, are:

- Compatibility with signing algorithm selection.  The text now says:

    Since Curve25519 and Curve448 are Diffie-Hellman functions, and not
    applicable as signatures algorithms, clients who offer ECDHE_ECDSA
    ciphersuites and advertise support for Curve25519/Curve448 in the
    elliptic_curves ClientHello extension SHOULD also advertise support
    for at least one curve suitable for ECDSA signatures.  Servers MUST
    NOT select an ECDSA certificate if there are no common curves
    suitable for ECDSA signing.

  This wording should permit use of Ed25519 for signing (assuming it is
  treated as a ECDSA signature) once that is available, and NIST P-256
  for ECDSA certs now.

  The wording is a bit complicated, and might say more than what we
  actually need to enforce at this point.  For example, the last
  sentence ought to be covered by other specification text already, and
  doesn't appear to me to be a new requirement introduced by this
  document.  Maybe we can find the reference and add it instead.  The
  SHOULD is a bit wishy-washy, why isn't it a MUST?

  I am also not confident that this text is aligned with TLS 1.3.

- Naming of Curve448 / Ed448-Goldilocks.

  Is Ed448-Goldilocks the name of the curve, and Curve448 the name of
  the Diffie-Hellman function based on the curve?

  Naming is not terribly clear from the CFRG draft nor the upstream
  Ed448-Goldilocks paper.  The latter does not mention the word Curve448
  at all but does talk about ECHDE.

  Alas, the situation with naming of Curve25519 is not a lot better.

  Perhaps the only thing we can aspire to is to avoid confusion as to
  which curve/function is referred to.  I believe everyone understand
  what is meant by the terms Curve25519, Curve448 and Ed448-Goldilocks
  anyway.  Perhaps getting everyone to agree on terminology naming is
  simply infeasible.

- Is anything more required for TLS 1.3 compatibility/alignment?

- Amount of crypto details (Appendix A).  Ideally I would prefer if the
  CFRG draft contained all the crypto details, but not all of it has
  been carried over to that document.  I don't know what the status is
  on the CFRG document, so I left the majority of the Curve25519 details
  in this document pending clarity.

- Section 2.3 on public key validation.  I would prefer if this went
  into the CFRG document too.

The source code for this draft is maintained in this repository, and
pull requests are welcome: https://gitlab.com/jas/ietf-tls-newcurves

/Simon