Re: [TLS] Should we require compressed points

[Ilari Liusvaara <ilari.liusvaara@elisanet.fi>]

On Tue, Oct 28, 2014 at 02:52:24PM +0000, Viktor Dukhovni wrote:
> On Tue, Oct 28, 2014 at 10:35:25AM +0100, Manuel P?gouri?-Gonnard wrote:
> 
> > On 27/10/2014 23:10, Eric Rescorla wrote:
> > > As I said above, I'm principally trying to get rid of negotiation so we have
> > > one point format for each curve. I could certainly live with requiring 
> > > uncompressed only for the X9.62 curves and then defining a new, cleaner
> > > format for the new CFRG curves.
> >
> > If the goal is to get rid of negotiation, would it be reasonable to say that
> > implementations MUST support both formats?
> 
> I think that Bodo's suggestion of separate IANA assignments for
> compressed and uncompressed variants of curves makes the most sense.
> 
> With that, clients that need to interoperate with TLS <= 1.2 can
> send the point format extension indicating uncompressed format for
> legacy curves, and include the code points for the legacy
> format-ambiguous curves, and send new code points for (some of the
> same underlying) curves that have an implied format.
> 
> Brand new curves would then ideally be registered with a single
> preferred point format that is most suitable for the curve.

And the new code points also presumably used the fixed wire format
(whatever that happens to be) for the premaster secret (because that
is another thing that currently assumes X9.63 curves)?

With that in, one could handle anything CFRG might throw at us, and
more.


-Ilari