Re: [TLS] Curve25519 in TLS

Rob Stradling <rob.stradling@comodo.com> Thu, 12 September 2013 12:52 UTC

Return-Path: <rob.stradling@comodo.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B0FBD11E8113 for <tls@ietfa.amsl.com>; Thu, 12 Sep 2013 05:52:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y6JVJWzvbWBL for <tls@ietfa.amsl.com>; Thu, 12 Sep 2013 05:52:01 -0700 (PDT)
Received: from mmmail1.mcr.colo.comodoca.net (mdfw.comodoca.net [91.209.196.68]) by ietfa.amsl.com (Postfix) with ESMTP id 3ED8C11E8231 for <tls@ietf.org>; Thu, 12 Sep 2013 05:52:00 -0700 (PDT)
Received: (qmail 26713 invoked from network); 12 Sep 2013 12:51:58 -0000
Received: from ian.brad.office.comodo.net (192.168.0.202) by mail.colo.comodoca.net with ESMTPS (DHE-RSA-AES256-SHA encrypted); 12 Sep 2013 12:51:58 -0000
Received: (qmail 9713 invoked by uid 1000); 12 Sep 2013 12:51:58 -0000
Received: from nigel.brad.office.comodo.net (HELO [192.168.0.58]) (192.168.0.58) (smtp-auth username rob, mechanism plain) by ian.brad.office.comodo.net (qpsmtpd/0.40) with (CAMELLIA256-SHA encrypted) ESMTPSA; Thu, 12 Sep 2013 13:51:58 +0100
Message-ID: <5231B8ED.7040301@comodo.com>
Date: Thu, 12 Sep 2013 13:51:57 +0100
From: Rob Stradling <rob.stradling@comodo.com>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
MIME-Version: 1.0
To: Simon Josefsson <simon@josefsson.org>
References: <a84d7bc61003011620i66fc7dfdre62b548fdd5ef7dd@mail.gmail.com> <522D25B9.7010506@funwithsoftware.org> <56C25B1D-C80F-495A-806C-5DD268731CD4@qut.edu.au> <87zjrl21wp.fsf_-_@latte.josefsson.org> <522ED9A7.7080802@comodo.com> <87fvtbi8ow.fsf@latte.josefsson.org>
In-Reply-To: <87fvtbi8ow.fsf@latte.josefsson.org>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Cc: Patrick Pelletier <code@funwithsoftware.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Curve25519 in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Sep 2013 12:52:07 -0000

On 11/09/13 18:12, Simon Josefsson wrote:
> Rob Stradling <rob.stradling@comodo.com>; writes:
>
>> Simon, thanks for creating this draft.
>>
>> draft-merkle-tls-brainpool-04 (on which you've based this new draft) says:
>>     "While the ASN.1 object identifiers
>>     defined in [RFC5639] already allow usage of the ECC Brainpool curves
>>     for TLS (client or server) authentication through reference in X.509
>>     certificates according to [RFC3279] and [RFC5480] , their negotiation
>>     for key exchange according to [RFC4492] requires the definition and
>>     assignment of additional NamedCurve IDs."
>>
>> Your draft defines a NamedCurve ID for Curve25519, thereby enabling it
>> to be used for key exchange.  But what about "(client or server)
>> authentication through reference in X.509 certificates..."?
>>
>> I'm not aware of an equivalent of RFC5639 for Curve25519.  Should we
>> create one?  Or could we simply define some new ASN.1 Object
>> Identifiers in your draft?
>
> Yes perhaps.  What would the purpose of using Curve25519 in X.509
> certificates be?

I just thought it seemed like a logical thing to do.  We can already do 
ECDHE-ECDSA using the NIST curves for both keys in certs and for key 
exchange, so why wouldn't we allow Curve25519 to be used for both purposes?

Unless NIST can prove that their curves aren't backdoored, I think it's 
likely that some folks (rightly or wrongly) will want to do ECDHE-ECDSA 
without touching the NIST curves at all.  What options do they have?

> Performance is less critical there than for ECDH, but
> if you or someone else has numbers indicating X.509 signature
> verification being a performance bottle neck I would be convinced
> otherwise.  There could be other reasons than performance though, but
> they should be articulated and examined.

I don't have any performance figures, I'm afraid.

> RFC 5639 contains a lot of things, is there anything other than the OID
> and PKIX usage you think is relevant for Curve25519?

Pass.

> /Simon

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online