Re: [TLS] I-D Action: draft-ietf-tls-curve25519-01.txt

Hubert Kario <hkario@redhat.com> Mon, 20 July 2015 11:42 UTC

Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0507C1A0377 for <tls@ietfa.amsl.com>; Mon, 20 Jul 2015 04:42:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.911
X-Spam-Level:
X-Spam-Status: No, score=-6.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e-5E2etSN3E9 for <tls@ietfa.amsl.com>; Mon, 20 Jul 2015 04:42:55 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D76371A6EEC for <tls@ietf.org>; Mon, 20 Jul 2015 04:42:09 -0700 (PDT)
Received: from int-mx10.intmail.prod.int.phx2.redhat.com (int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.23]) by mx1.redhat.com (Postfix) with ESMTPS id 5E7FBA2C19; Mon, 20 Jul 2015 11:42:09 +0000 (UTC)
Received: from pintsize.usersys.redhat.com (dhcp-0-167.brq.redhat.com [10.34.0.167]) by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id t6KBg7vO031691 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO); Mon, 20 Jul 2015 07:42:09 -0400
From: Hubert Kario <hkario@redhat.com>
To: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Date: Mon, 20 Jul 2015 13:42:01 +0200
Message-ID: <13826499.nuPJpBKYuN@pintsize.usersys.redhat.com>
User-Agent: KMail/4.14.9 (Linux/4.0.6-200.fc21.x86_64; KDE/4.14.9; x86_64; ; )
In-Reply-To: <20150720113903.GA29356@LK-Perkele-VII>
References: <20150706114814.10143.87075.idtracker@ietfa.amsl.com> <4270669.Na8fLuOzTD@pintsize.usersys.redhat.com> <20150720113903.GA29356@LK-Perkele-VII>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart2682126.1F0lNH3VEJ"; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.23
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/qe_F0Tjuf2gWE-DXBl7iTATkL-k>
Cc: Simon Josefsson <simon@josefsson.org>, tls@ietf.org
Subject: Re: [TLS] I-D Action: draft-ietf-tls-curve25519-01.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jul 2015 11:42:57 -0000

On Monday 20 July 2015 14:39:03 Ilari Liusvaara wrote:
> On Mon, Jul 20, 2015 at 12:55:37PM +0200, Hubert Kario wrote:
> > On Tuesday 14 July 2015 17:23:44 Simon Josefsson wrote:
> > > Compare how we "reuse" the ECDHE ciphersuite values to refer to
> > > Curve25519 (instead of defining new ciphersuites for Curve25519), and
> > > how we are "reusing" the "uncompressed" code point to refer to
> > > Curve25519-compressed code points (instead of defining new
> > > ECPointFormat).
> > 
> > the point is, that if Ed25519 for signatures is defined, an implementation
> > that doesn't understand it[1] can't advertise that fact
> 
> Are you thinking about 1.0/1.1? In 1.2 it can: signature_algorithms
> (I'm not confident new signature algorithm would work without either
> that nor new ciphersuites).
> 
> 
> There are other shortcomings tho:
> - If Ed25519 is supported, one also needs to support Curve25519.
> - If Ed25519 and Curve448 are supported, one needs to support
>   Curve25519 and Ed448.
> - And the cross case from previous.
> 
> So with the same, in TLS 1.2, the following combinations would
> be possible:
> - None at all.
> - Curve25519
> - Curve448
> - Curve25519 & Curve448
> - Curve25519 & Ed25519
> - Curve448 & Ed448
> - Curve25519 & Curve448 & Ed25519 & Ed448.

if we define separate codepoints for Curve25519 and Ed25519, yes
-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic