IETF Logo Mail Archive

Re: [TLS] Should we require compressed points

Michael StJohns <msj@nthpermutation.com> Tue, 21 October 2014 15:16 UTC

Return-Path: <msj@nthpermutation.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4360C1A8731 for <tls@ietfa.amsl.com>; Tue, 21 Oct 2014 08:16:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OSIPamDdujgT for <tls@ietfa.amsl.com>; Tue, 21 Oct 2014 08:16:36 -0700 (PDT)
Received: from mail-qc0-f170.google.com (mail-qc0-f170.google.com [209.85.216.170]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E29581A872A for <tls@ietf.org>; Tue, 21 Oct 2014 08:16:35 -0700 (PDT)
Received: by mail-qc0-f170.google.com with SMTP id m20so1109274qcx.29 for <tls@ietf.org>; Tue, 21 Oct 2014 08:16:33 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :subject:references:in-reply-to:content-type; bh=thF97ogD3E5PFpQhvoqp20iJ55H+NMznkHlfT3o2sOo=; b=ZPBO5ChbLeEBPibJKRO0TacVi1v+Uum7EqFnJqJZfdlYHBVsFJvde+mH9HVbha6eqe OIv0+kvMKMAt/JPnUL+YkMd7L4IzMIYpSMSO0tDJvM6My5Z4P/QmAiIuwSU8xpm27RIz FQvt+FPghETEfKbi6++WD2ylT2tTg+mUYHVJ1rPUWZT/xEZc1IcOw2KsqIODCM5Ti2U7 GHfLHaSILOk6vg0wfoO6T+kOHtl0/8YlRX6yO4yiqgAr1vyMCqyzmUo9VTvHwzzkEIe2 3BwbZrkgg/+65TFYNpzXV+DgzXx7cj6AIvytjDGS+gsxE8CehjeKI2O8K+ZodIaCaSeA hbvA==
X-Gm-Message-State: ALoCoQn3+G+1BY1ej8gW4rG1ukt4Er7C3KrPQHELekMYLhlrjx/Yflu3ltVslfISqjDThZ08bv+S
X-Received: by 10.224.79.211 with SMTP id q19mr14625596qak.101.1413904591783; Tue, 21 Oct 2014 08:16:31 -0700 (PDT)
Received: from ?IPv6:2601:a:2a00:e7:95c6:bde0:689a:9257? ([2601:a:2a00:e7:95c6:bde0:689a:9257]) by mx.google.com with ESMTPSA id a10sm10937811qam.7.2014.10.21.08.16.31 for <tls@ietf.org> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 21 Oct 2014 08:16:31 -0700 (PDT)
Message-ID: <544678E8.4080708@nthpermutation.com>
Date: Tue, 21 Oct 2014 11:16:56 -0400
From: Michael StJohns <msj@nthpermutation.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: tls@ietf.org
References: <CABcZeBMqdwWTFxGAqaC9PqhzbgZM5yOf2TTq7pVCjyw_X+3Zkg@mail.gmail.com> <2108842737.16216761.1413903671102.JavaMail.zimbra@redhat.com>
In-Reply-To: <2108842737.16216761.1413903671102.JavaMail.zimbra@redhat.com>
Content-Type: multipart/alternative; boundary="------------050804010503050206090102"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/iaO6Bp7JZKVpbA2-52fsHsifqpU
Subject: Re: [TLS] Should we require compressed points
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Oct 2014 15:16:38 -0000

On 10/21/2014 11:01 AM, Hubert Kario wrote:
> ------------------------------------------------------------------------
>
>     *From: *"Eric Rescorla" <ekr@rtfm.com>
>     *To: *tls@ietf.org
>     *Sent: *Tuesday, 21 October, 2014 4:52:29 PM
>     *Subject: *[TLS] Should we require compressed points
>
>     https://github.com/tlswg/tls13-spec/issues/80
>
>     Today we discussed the possibility of requiring support for
>     compressed points
>     in TLS 1.3 now that the IPR has expired.
>
>     Specifically, I propose that for TLS 1.3, we:
>
>     - Use only compressed points for the existing curves (and presumably
>       whatever superior format is defined for the CFRG-recommended
>       curves, as appropriate).
>
>     - Deprecate the Supported Point Formats extension for TLS 1.3
>
>
>     For RFC 4492-bis, we might also consider requiring support for
>     compressed
>     points as well as uncompressed (already required) but this seems
>     like a
>     separable issue, since it's mostly in service of optimization
>     rather than
>     simplicity.
>
>
> How does that impact possibility of adding more "exotic" curves like 
> curve25519/Ed25519
> in some later point in time?

My personal opinion is that there needs to be a complete separation in 
encodings and code points between X9.63 compliant EC data and anything 
else.

In the specific case of the curves you mention, unlike X9.63 curves, 
signing curves/keys and key agreement curves/keys are not 
interchangeable or compatible.  They are actually two different crypto 
systems and will probably require different code points  and maybe 
encodings.

The other classes of curves that don't have an X9.63 (Montgomery?) 
representation will need similar treatment.

Mike

> -- 
> Regards,
> Hubert Kario
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email