Re: [TLS] Ed25519 for PKIX

Simon Josefsson <simon@josefsson.org> Tue, 24 September 2013 20:07 UTC

Return-Path: <simon@josefsson.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4BAE121F9C37 for <tls@ietfa.amsl.com>; Tue, 24 Sep 2013 13:07:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.562
X-Spam-Level:
X-Spam-Status: No, score=-102.562 tagged_above=-999 required=5 tests=[AWL=0.038, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rvOwoDZ52ujM for <tls@ietfa.amsl.com>; Tue, 24 Sep 2013 13:07:09 -0700 (PDT)
Received: from duva.sjd.se (duva.sjd.se [IPv6:2001:9b0:1:1702::100]) by ietfa.amsl.com (Postfix) with ESMTP id EBCE221F9AF0 for <tls@ietf.org>; Tue, 24 Sep 2013 13:07:05 -0700 (PDT)
Received: from latte.josefsson.org (static-213-115-179-130.sme.bredbandsbolaget.se [213.115.179.130]) (authenticated bits=0) by duva.sjd.se (8.14.4/8.14.4/Debian-4) with ESMTP id r8OK6t7Q010006 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Tue, 24 Sep 2013 22:06:57 +0200
From: Simon Josefsson <simon@josefsson.org>
To: Adam Langley <agl@google.com>
References: <a84d7bc61003011620i66fc7dfdre62b548fdd5ef7dd@mail.gmail.com> <522D25B9.7010506@funwithsoftware.org> <56C25B1D-C80F-495A-806C-5DD268731CD4@qut.edu.au> <87zjrl21wp.fsf_-_@latte.josefsson.org> <522ED9A7.7080802@comodo.com> <877ge6tf1w.fsf_-_@latte.josefsson.org> <CAL9PXLz_Pw=V6C6nzSZCBgh-zBXdMo780enPqcEnkBWAY730aw@mail.gmail.com>
OpenPGP: id=B565716F; url=http://josefsson.org/key.txt
X-Hashcash: 1:22:130924:tls@ietf.org::bicOeTJ6SV97VBBk:AXvc
X-Hashcash: 1:22:130924:code@funwithsoftware.org::CsKNXMQnmcflcYq4:A6Cd
X-Hashcash: 1:22:130924:agl@google.com::Qnxae1OP2Cx2BYWK:CFjc
Date: Tue, 24 Sep 2013 22:06:54 +0200
In-Reply-To: <CAL9PXLz_Pw=V6C6nzSZCBgh-zBXdMo780enPqcEnkBWAY730aw@mail.gmail.com> (Adam Langley's message of "Tue, 24 Sep 2013 11:34:12 -0400")
Message-ID: <87y56mrnkx.fsf@latte.josefsson.org>
User-Agent: Gnus/5.130008 (Ma Gnus v0.8) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Virus-Scanned: clamav-milter 0.97.8 at duva.sjd.se
X-Virus-Status: Clean
Cc: Patrick Pelletier <code@funwithsoftware.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Ed25519 for PKIX
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Sep 2013 20:07:10 -0000

Adam Langley <agl@google.com>; writes:

> On Tue, Sep 24, 2013 at 11:28 AM, Simon Josefsson <simon@josefsson.org>; wrote:
>> Curve25519 is not directly usable with ECDSA, I believe, so OIDs aren't
>> sufficient.  Ed25519 is more relevant, however it uses the EdDSA
>> signature system instead of ECDSA so possibly more of RFC 5480 has to be
>> duplicated/modified in order for Ed25519 to work.
>
> Curve25519 and Ed25519 are the same curve - Ed25519 just uses the
> twisted Edward's isomorphism of curve25519 to make some calculations
> simpler and then builds a Schnorr-like signature scheme with it.
> (Curve25519 implementations typically use a Montgomery ladder which
> isn't suitable for some of the operations that the signature scheme
> needs.)
>
> (Indeed, one can use the Ed25519 code to perform fixed-base,
> curve25519 operations faster than the curve25519 code.)

Sure, I know, but I don't see how to get to signing PKIX certs anyway.
Ed25519 is used with EdDSA, not ECDSA.  RFC 5480 is about ECDSA, ECDH,
and ECMQV.  5480 does not specify how EdDSA is used with PKIX.

Are you saying that you would use the ECDSA vehicle of RFC 5480 for
EdDSA as well?  It seems like mild abuse of the acronyms, but I may be
mistaken.

Or perhaps my question really is: how do you think we'll get to signing
PKIX certs using EdDSA with the Ed25519 curve?

My (not published) Ed25519 PKIX draft define OIDs for Ed25519 but I'm
not convinced that is sufficient.

/Simon