Re: [TLS] I-D Action: draft-ietf-tls-curve25519-01.txt

Simon Josefsson <simon@josefsson.org> Tue, 14 July 2015 15:23 UTC

Return-Path: <simon@josefsson.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CA211ACEE0 for <tls@ietfa.amsl.com>; Tue, 14 Jul 2015 08:23:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.551
X-Spam-Level:
X-Spam-Status: No, score=-1.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zs6bCSwHD0C0 for <tls@ietfa.amsl.com>; Tue, 14 Jul 2015 08:23:55 -0700 (PDT)
Received: from duva.sjd.se (duva.sjd.se [IPv6:2001:9b0:1:1702::100]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 22B091ACEED for <tls@ietf.org>; Tue, 14 Jul 2015 08:23:49 -0700 (PDT)
Received: from latte.josefsson.org ([155.4.17.3]) (authenticated bits=0) by duva.sjd.se (8.14.4/8.14.4/Debian-4) with ESMTP id t6EFNjKw007267 (version=TLSv1/SSLv3 cipher=AES128-GCM-SHA256 bits=128 verify=NOT); Tue, 14 Jul 2015 17:23:46 +0200
From: Simon Josefsson <simon@josefsson.org>
To: Hubert Kario <hkario@redhat.com>
References: <20150706114814.10143.87075.idtracker@ietfa.amsl.com> <2960351.rch1apE1uy@pintsize.usersys.redhat.com> <87k2u5samu.fsf@latte.josefsson.org> <17744104.AefDTyBEY2@pintsize.usersys.redhat.com>
OpenPGP: id=54265E8C; url=http://josefsson.org/54265e8c.txt
X-Hashcash: 1:22:150714:tls@ietf.org::ZJyuhKyrEo4wGEoQ:1xlq
X-Hashcash: 1:22:150714:hkario@redhat.com::oHTXsTSxjeLh9YkG:Bkom
Date: Tue, 14 Jul 2015 17:23:44 +0200
In-Reply-To: <17744104.AefDTyBEY2@pintsize.usersys.redhat.com> (Hubert Kario's message of "Tue, 14 Jul 2015 10:34:26 +0200")
Message-ID: <878uairce7.fsf@latte.josefsson.org>
User-Agent: Gnus/5.130014 (Ma Gnus v0.14) Emacs/24.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
X-Virus-Scanned: clamav-milter 0.98.7 at duva.sjd.se
X-Virus-Status: Clean
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/wWNL1aa5y4rEYS11wackzoGpnhI>
Cc: tls@ietf.org
Subject: Re: [TLS] I-D Action: draft-ietf-tls-curve25519-01.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jul 2015 15:23:57 -0000

Hubert Kario <hkario@redhat.com> writes:

> On Sunday 12 July 2015 16:39:37 Simon Josefsson wrote:
>> Hubert Kario <hkario@redhat.com> writes:
>> > As is described in secion 5.1. of RFC 4492, and then reiterated in
>> > section 2.2. of this draft - the elliptic_curves (a.k.a. supported_groups)
>> > guides both the ECDH curves and curves understandable by peer for ECDSA
>> > signatures.
>> > 
>> > As Curve25519 and Curve448 can only be used for ECDHE, maybe they should
>> > be
>> > 
>> > defined/named in the registry as such, to remove any ambiguity[1]:
>> >          enum {
>> >          
>> >               Curve25519_ecdh(TBD1),
>> >               Curve448_ecdh(TBD2),
>> >          
>> >          } NamedCurve;
>> 
>> I don't care strongly.  One disadvantage with this is that if we decide
>> to reuse these NamedCurve allocations to have something to do with
>> Ed25519, the naming above will be confusing.  However, I believe it is
>> already likely that Ed25519 will have its own NamedCurve.
>
> Given that there certainly will be implementations that support ecdh
> and not the signatures, we certainly *don't* want to reuse this
> codepoint for anything else.
>
> So unless the PKIX and TLS parts are defined at the same time, in the same 
> document, we definitely need to keep them apart.

It is conceivable to reuse the NamedCurve values for TLS authentication
without affecting the ECHDE use, nor delaying the Curve25519 ECDHE work.

Compare how we "reuse" the ECDHE ciphersuite values to refer to
Curve25519 (instead of defining new ciphersuites for Curve25519), and
how we are "reusing" the "uncompressed" code point to refer to
Curve25519-compressed code points (instead of defining new
ECPointFormat).

Allocating new values when that creates additional costs and no improved
clarity seems wasteful to me.  This approach is what people have
suggested for most other allocations here, so I prefer to stick to that
philosophy unless it is clear that there is consensus for something
else.  What do others think?

/Simon