Re: [DNSOP] [Curdle] WGLC on draft-ietf-curdle-dnskey-eddsa-01
Thanks for the update. I think that woudl be helpful to have some text that provides some rational for using Ed25519 versus Ed25519ph and Ed25519ctx as well as Ed448 versus Ed448ph. I belive that is collision resilience as well as offline signing in which case double path does not really matter. Yours, Daniel On Fri, Nov 4, 2016 at 7:59 AM, Ondřej Surýwrote: > And now the examples section contains Ed448 examples as well > generated using eddsa2.py from [CFRG-EDDSA] draft. > > I think now the draft is as good as it gets. Thanks all for > providing guidance. > > O. > -- > Ondřej Surý -- Technical Fellow > > CZ.NIC, z.s.p.o.-- Laboratoře CZ.NIC > Milesovska 5, 130 00 Praha 3, Czech Republic > mailto:ondrej.s...@nic.czhttps://nic.cz/ > > > - Original Message - > > From: "Ondřej Surý" > > To: "Simon Josefsson" > > Cc: "Daniel Migault" , "curdle" < > cur...@ietf.org>, "dnsop" > > Sent: Friday, 4 November, 2016 11:45:14 > > Subject: Re: [Curdle] WGLC on draft-ietf-curdle-dnskey-eddsa-01 > > > Simon, > > > > thanks for all the comments, I have now culled all the context usage > from the > > draft and the git version should be up to date and ready for -2 upload. > > > > Cheers, > > Ondrej > > > > -- > > Ondřej Surý -- Technical Fellow > > > > CZ.NIC, z.s.p.o.-- Laboratoře CZ.NIC > > Milesovska 5, 130 00 Praha 3, Czech Republic > > mailto:ondrej.s...@nic.czhttps://nic.cz/ > > > > > > - Original Message - > >> From: "Simon Josefsson" > >> To: "Daniel Migault" > >> Cc: "curdle" , "dnsop" > >> Sent: Thursday, 3 November, 2016 22:01:38 > >> Subject: Re: [Curdle] WGLC on draft-ietf-curdle-dnskey-eddsa-01 > > > >> Daniel Migault writes: > >> > >>> Hi, > >>> > >>> This message starts a Working Group Last Call (WGLC) for > >>> draft-ietf-curdle-dnskey-eddsa-01. > >>> > >>> The version to be reviewed is > >>> https://tools.ietf.org/html/draft-ietf-curdle-dnskey-eddsa-01 > >> > >> Hello again. Since my last review of -01, I have re-read the document > >> again, and noticed the text regarding signature contexts. I believe the > >> use of contexts is in general ill-advised, and its presence in the > >> document highlights a need for a security consideration to address the > >> problem that context attempts to mitigate but does not succeed with: > >> don't re-use private keys for other purposes. If this best practice > >> advice is followed, contexts is unwanted complexity instead of something > >> good. If a private key is used for other purposes, contexts won't save > >> you -- DJB explained this on the CFRG list some time ago in a way that > >> convinced me. > >> > >> Thus, allow me to suggest that > >> > >> 1) The draft is modified to not use signature contexts. > >> > >> 2) The security consideration has a new paragraph that reads: > >> > >> A private key used for a DNSSEC zone MUST NOT be used for any other > >> purpose than for that zone. Otherwise cross-protocol or > >> cross-application attacks are possible. > >> > >> Perhaps this text is better suited in the Introduction section, but it > >> bears repeating in the security consideration anyway. > >> > >> /Simon > >> > >> ___ > >> Curdle mailing list > >> cur...@ietf.org > > > https://www.ietf.org/mailman/listinfo/curdle > > ___ > Curdle mailing list > cur...@ietf.org > https://www.ietf.org/mailman/listinfo/curdle > ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] [Curdle] WGLC on draft-ietf-curdle-dnskey-eddsa-01
And now the examples section contains Ed448 examples as well generated using eddsa2.py from [CFRG-EDDSA] draft. I think now the draft is as good as it gets. Thanks all for providing guidance. O. -- Ondřej Surý -- Technical Fellow CZ.NIC, z.s.p.o.-- Laboratoře CZ.NIC Milesovska 5, 130 00 Praha 3, Czech Republic mailto:ondrej.s...@nic.czhttps://nic.cz/ - Original Message - > From: "Ondřej Surý"> To: "Simon Josefsson" > Cc: "Daniel Migault" , "curdle" > , "dnsop" > Sent: Friday, 4 November, 2016 11:45:14 > Subject: Re: [Curdle] WGLC on draft-ietf-curdle-dnskey-eddsa-01 > Simon, > > thanks for all the comments, I have now culled all the context usage from the > draft and the git version should be up to date and ready for -2 upload. > > Cheers, > Ondrej > > -- > Ondřej Surý -- Technical Fellow > > CZ.NIC, z.s.p.o.-- Laboratoře CZ.NIC > Milesovska 5, 130 00 Praha 3, Czech Republic > mailto:ondrej.s...@nic.czhttps://nic.cz/ > > > - Original Message - >> From: "Simon Josefsson" >> To: "Daniel Migault" >> Cc: "curdle" , "dnsop" >> Sent: Thursday, 3 November, 2016 22:01:38 >> Subject: Re: [Curdle] WGLC on draft-ietf-curdle-dnskey-eddsa-01 > >> Daniel Migault writes: >> >>> Hi, >>> >>> This message starts a Working Group Last Call (WGLC) for >>> draft-ietf-curdle-dnskey-eddsa-01. >>> >>> The version to be reviewed is >>> https://tools.ietf.org/html/draft-ietf-curdle-dnskey-eddsa-01 >> >> Hello again. Since my last review of -01, I have re-read the document >> again, and noticed the text regarding signature contexts. I believe the >> use of contexts is in general ill-advised, and its presence in the >> document highlights a need for a security consideration to address the >> problem that context attempts to mitigate but does not succeed with: >> don't re-use private keys for other purposes. If this best practice >> advice is followed, contexts is unwanted complexity instead of something >> good. If a private key is used for other purposes, contexts won't save >> you -- DJB explained this on the CFRG list some time ago in a way that >> convinced me. >> >> Thus, allow me to suggest that >> >> 1) The draft is modified to not use signature contexts. >> >> 2) The security consideration has a new paragraph that reads: >> >> A private key used for a DNSSEC zone MUST NOT be used for any other >> purpose than for that zone. Otherwise cross-protocol or >> cross-application attacks are possible. >> >> Perhaps this text is better suited in the Introduction section, but it >> bears repeating in the security consideration anyway. >> >> /Simon >> >> ___ >> Curdle mailing list >> cur...@ietf.org > > https://www.ietf.org/mailman/listinfo/curdle ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] [Curdle] WGLC on draft-ietf-curdle-dnskey-eddsa-01
Simon, thanks for all the comments, I have now culled all the context usage from the draft and the git version should be up to date and ready for -2 upload. Cheers, Ondrej -- Ondřej Surý -- Technical Fellow CZ.NIC, z.s.p.o.-- Laboratoře CZ.NIC Milesovska 5, 130 00 Praha 3, Czech Republic mailto:ondrej.s...@nic.czhttps://nic.cz/ - Original Message - > From: "Simon Josefsson"> To: "Daniel Migault" > Cc: "curdle" , "dnsop" > Sent: Thursday, 3 November, 2016 22:01:38 > Subject: Re: [Curdle] WGLC on draft-ietf-curdle-dnskey-eddsa-01 > Daniel Migault writes: > >> Hi, >> >> This message starts a Working Group Last Call (WGLC) for >> draft-ietf-curdle-dnskey-eddsa-01. >> >> The version to be reviewed is >> https://tools.ietf.org/html/draft-ietf-curdle-dnskey-eddsa-01 > > Hello again. Since my last review of -01, I have re-read the document > again, and noticed the text regarding signature contexts. I believe the > use of contexts is in general ill-advised, and its presence in the > document highlights a need for a security consideration to address the > problem that context attempts to mitigate but does not succeed with: > don't re-use private keys for other purposes. If this best practice > advice is followed, contexts is unwanted complexity instead of something > good. If a private key is used for other purposes, contexts won't save > you -- DJB explained this on the CFRG list some time ago in a way that > convinced me. > > Thus, allow me to suggest that > > 1) The draft is modified to not use signature contexts. > > 2) The security consideration has a new paragraph that reads: > > A private key used for a DNSSEC zone MUST NOT be used for any other > purpose than for that zone. Otherwise cross-protocol or > cross-application attacks are possible. > > Perhaps this text is better suited in the Introduction section, but it > bears repeating in the security consideration anyway. > > /Simon > > ___ > Curdle mailing list > cur...@ietf.org > https://www.ietf.org/mailman/listinfo/curdle ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] [Curdle] WGLC on draft-ietf-curdle-dnskey-eddsa-01
On 4 November 2016 at 09:11, Salz, Richwrote: > I think the issue about signature contexts first, and mainly, came up with > TLS which generates a variety of private key material based on shared secret > info, and the concern that those different keys could be used for > cross-protocol attacks. There are a lot of ways that keys (particularly those in certificates) might be used. Context strings reduce the chances that those keys are misused such that data from one context can be transplanted into another. Simon's proposal works better in this context. If only all keys were so single-minded. ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] [Curdle] WGLC on draft-ietf-curdle-dnskey-eddsa-01
This is also my understanding. but I might be wrong as well. Yours, Daniel On Thu, Nov 3, 2016 at 6:11 PM, Salz, Richwrote: > I think the issue about signature contexts first, and mainly, came up > with TLS which generates a variety of private key material based on shared > secret info, and the concern that those different keys could be used for > cross-protocol attacks. > > But I could be wrong. :) > > -- > Senior Architect, Akamai Technologies > Member, OpenSSL Dev Team > IM: richs...@jabber.at Twitter: RichSalz > > ___ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop > ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] [Curdle] WGLC on draft-ietf-curdle-dnskey-eddsa-01
I think the issue about signature contexts first, and mainly, came up with TLS which generates a variety of private key material based on shared secret info, and the concern that those different keys could be used for cross-protocol attacks. But I could be wrong. :) -- Senior Architect, Akamai Technologies Member, OpenSSL Dev Team IM: richs...@jabber.at Twitter: RichSalz ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] [Curdle] WGLC on draft-ietf-curdle-dnskey-eddsa-01
Dear all, I have incorporated the comments from Simon changing Security Considerations and removing the Section about Implementations. I have also clarified usage of context. The context label is used only for Ed448. I have also updated the example for Ed25519, but I would really appreciate if somebody could review the script used to generate the examples: https://gitlab.labs.nic.cz/labs/ietf/blob/master/dnskey.py The updated drafts can't be uploaded, but I uploaded the last version to our gitlab: XML: https://gitlab.labs.nic.cz/labs/ietf/raw/master/draft-ietf-curdle-dnskey-eddsa.xml TXT: https://gitlab.labs.nic.cz/labs/ietf/raw/master/draft-ietf-curdle-dnskey-eddsa.txt HTML: https://gitlab.labs.nic.cz/labs/ietf/raw/master/draft-ietf-curdle-dnskey-eddsa.html O. -- Ondřej Surý -- Technical Fellow CZ.NIC, z.s.p.o.-- Laboratoře CZ.NIC Milesovska 5, 130 00 Praha 3, Czech Republic mailto:ondrej.s...@nic.czhttps://nic.cz/ - Original Message - > From: "Daniel Migault"> To: "curdle" , "dnsop" > Sent: Thursday, 3 November, 2016 04:55:10 > Subject: [Curdle] WGLC on draft-ietf-curdle-dnskey-eddsa-01 > Hi, > > This message starts a Working Group Last Call ( WGLC ) for > draft-ietf-curdle-dnskey-eddsa-01. > > The version to be reviewed is [ > https://tools.ietf.org/html/draft-ietf-curdle-dnskey-eddsa-01 | > https://tools.ietf.org/html/draft-ietf-curdle-dnskey-eddsa-01 ] > > Please send your comments, questions, and edit proposals to the WG mail list > until November 16th, 2016. If you believe that the document is ready to be > submitted to the IESG for consideration as a Standards Track RFC please send a > short message stating this. > > Yours, > > Rich and Daniel > > > ___ > Curdle mailing list > cur...@ietf.org > https://www.ietf.org/mailman/listinfo/curdle ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] [Curdle] WGLC on draft-ietf-curdle-dnskey-eddsa-01
On 3 November 2016 at 14:55, Daniel Migaultwrote: > The version to be reviewed is > https://tools.ietf.org/html/draft-ietf-curdle-dnskey-eddsa-01 Does this use Ed25519 or Ed25519ctx? It describes a context string, which Ed25519 throws away. ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop