Re: [TLS] On Curve25519 and other possibilities (e.g. ietf256p, ietf384p, ietf521p,

Stephen Farrell <stephen.farrell@cs.tcd.ie> Fri, 27 June 2014 11:34 UTC

Message-ID: <53AD56D2.7060200@cs.tcd.ie>
Date: Fri, 27 Jun 2014 12:34:42 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: Eric Rescorla <ekr@rtfm.com>, Michael StJohns <msj@nthpermutation.com>
References: <53AC97B8.2080909@nthpermutation.com> <CABcZeBN5uY4bteXW=OFC1z3ANoSC8AqxG6E6artdOKPF=VxdJg@mail.gmail.com>
In-Reply-To: <CABcZeBN5uY4bteXW=OFC1z3ANoSC8AqxG6E6artdOKPF=VxdJg@mail.gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/jIi1KXUDzbiSy4Hq9YtFGZIjMOQ
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] On Curve25519 and other possibilities (e.g. ietf256p, ietf384p, ietf521p,

Hiya,

On 26/06/14 23:10, Eric Rescorla wrote:
> Also, this seems like a bigger topic than TLS. Perhaps the
> AD should sponsor a discussion in SAAG?

Yes, this is not TLS specific, though it's probably not really
possible to have no discussion of it here since TLS is likely
the first large "customer" for 25519 in the IETF, if the WG
choose to go that route.

CFRG is definitely a better location for any detailed crypto
discussion, i.e. for all algorithm internals. As noted before
there was no indication from CFRG at the interim that 25519
is problematic. That's not quite as ringing an endorsement
as has been represented here, but I figure cryptographers are
going to be like lawyers for this - they'll never all agree
an algorithm/curve is perfect;-) So it's also possible CFRG
might come up with more curves that they also like and that's
fine. If someone wants more curves generated, CFRG is the
place to chat about that and not here.

But at that interim 25519 was definitely considered ok for
use in IETF protocols - there was no dissent when I (more
than once) directly asked that question and said that I
wanted to hear dissent should there be any. The proximate
cause for my question was allocating a codepoint for ed25519
for ssh, which has happened and the associated draft has
completed IETF LC, also without any criticism of the use
of 25519. I'm waiting for an updated I-D on that before
putting it on an IESG telechat for approval, but my reading
of the IETF LC was that there were no cryptographic issues
raised at all. That IETF LC is also evidence that the IETF
consider 25519 is ok. That said, when/if TLS decide to use
it, I expect there'll be more interest in the IETF LC for
that, so we'll see what happens then.

For now anyway, my interpretation is that we don't have any
cryptographic (nor declared IPR) reason to not use 25519 if a
WG choose to want it. However, there is some more work to be
done to document that so it can be used by WGs. I think that's
being done by CFRG though, but if not, or if there are more
generic bits that need discussion then saag seems like a fine
list for that. If you think such a discussion on saag is needed
then please ping me offlist to explain exactly what we need
to discuss there (since I'm not clear about that). In the
meanwhile most of this thread does seem to me to better belong
on the CFRG list and is basically a distraction for TLS.

Also, I have to say the language in Mike's original mail was,
at best, unfortunate, e.g. "small but vocal minority agitating"
is not likely to kick off a calm reasoned debate, and is
definitely not going to help the TLS WG keep focused on its
work so I really hope folks don't respond in kind, and if the
chairs want to loudly stomp on threads with such language
(regardless of source and mostly regardless of topic) they
have my full backing.

Cheers,
S.