Hi Eric,

We are aware that some working group members have a critical view of the Brainpool curves. Thus, we are not expecting working group consensus and standardization. We rather aim to register code points based on this I-D as a publicly available specification as required by IANA. Nevertheless, we appreciate constructive criticism.

Leonie

-----Original Message-----
From: Eric Rescorla [mailto:e...@rtfm.com]
Sent: Sunday, September 2, 2018 21:11
To: Bruckert, Leonie
Cc: tls@ietf.org
Subject: Re: [TLS] WG: New Version Notification for draft-bruckert-brainpool-for-tls13-00.txt

Rich version of this review at:
https://mozphab-ietf.devsvcdev.mozaws.net/D12108

Leonie,

Can you say more about your intended outcome here? You don't need to have an RFC in order to register these code points. Are you hoping for WG acceptance, or are you just planning to register on the basis of the I-D?

-Ekr

COMMENTS

S 1.
> Brainpool Curves in earlier TLS versions.
>
> The negotiation of ECC Brainpool Curves for key exchange according to
> [RFC8446] requires the definition and assignment of additional
> NamedGroup IDs. This document specifies such values for three curves
> from [RFC5639].

I think you want to state that this works for TLS 1.2 as well.

S 2.
> brainpoolP384r1(TBD2),
> brainpoolP512r1(TBD3)
> } NamedGroup;
>
> The encoding of ECDHE parameters as defined in section 4.2.8.2 of
> [RFC8446] also applies to this document.

Which encoding? The structured encoding used for NIST curves or the blob one used for the CFRG curves?

S 3.
>
> enum {
> ecdsa_brainpoolP256r1_sha256(TBD4),
> ecdsa_brainpoolP384r1_sha384(TBD5),
> ecdsa_brainpoolP512r1_sha512(TBD6)
> } SignatureScheme;

Just for completeness, you should state what these mean.

S 5.
> y*Z^3) with the coefficient Z specified for that curve in [RFC5639],
> in order to take advantage of an an efficient arithmetic based on the
> twisted curve's special parameters (A = -3): although the twisted
> curve itself offers the same level of security as the corresponding
> random curve (through mathematical equivalence), an arithmetic based
> on small curve parameters may be harder to protect against side-

"an arithmetic" isn't really idiomatic English.

S 6.2.
> y_Z: the y-coordinate of the shared secret that results from
> completion of the Diffie-Hellman computation
>
> The field elements x_qA, y_qA, x_qB, y_qB, x_Z, y_Z are represented
> as hexadecimal values using the FieldElement-to-OctetString
> conversion method specified in [SEC1].

Do you want to give test vectors for the key share?

On Sun, Sep 2, 2018 at 6:30 AM, Bruckert, Leonie <leonie.bruck...@secunet.com> wrote:

We submitted an Internet Draft defining the usage of the Brainpool Curves for TLS 1.3. We appreciate your comments.

Leonie

-----Original Message-----
From: internet-dra...@ietf.org [mailto:internet-dra...@ietf.org]
Sent: Friday, August 31, 2018 08:41
To: Merkle, Johannes; Manfred Lochter; Bruckert, Leonie
Subject: New Version Notification for draft-bruckert-brainpool-for-tls13-00.txt

A new version of I-D, draft-bruckert-brainpool-for-tls13-00.txt has been successfully submitted by Leonie Bruckert and posted to the IETF repository.

Name: draft-bruckert-brainpool-for-tls13
Revision: 00
Title: ECC Brainpool Curves for Transport Layer Security (TLS) Version 1.3
Document date: 2018-08-30
Group: Individual Submission
Pages: 10
URL: https://www.ietf.org/internet-drafts/draft-bruckert-brainpool-for-tls13-00.txt
Status: https://datatracker.ietf.org/doc/draft-bruckert-brainpool-for-tls13/
Htmlized: https://tools.ietf.org/html/draft-bruckert-brainpool-for-tls13-00
Htmlized: https://datatracker.ietf.org/doc/html/draft-bruckert-brainpool-for-tls13

Abstract: This document specifies the use of several ECC Brainpool curves for authentication and key exchange in the Transport Layer Security (TLS) protocol version 1.3.

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls