[Servercert-wg] [cabfpub] Interest in Ed25519 and/or Ed448?

Kurt Roeckx kurt at roeckx.be
Thu Mar 26 12:40:01 MST 2020


On Thu, Mar 26, 2020 at 02:56:16PM -0400, Ryan Sleevi wrote:
> On Thu, Mar 26, 2020 at 1:40 PM Kurt Roeckx <kurt at roeckx.be> wrote:
> 
> > Ed25519 and Ed448 are not new. They exist now, have many
> > implementations. It does not require a huge amount of research
> > or effort to implement it. And it's a clear improvement over
> > the currently supported algorithms.
> >
> 
> Hi Kurt,
> 
> Of course they're new (to be permitted), or we wouldn't be having this
> discussion. And they're not a clear improvement over the currently
> supported algorithms, or else they'd be PQ. I realize we'll likely disagree
> on both of these points, but frankly, the incremental value these
> algorithms provide (assuming you don't believe I'm an NSA mole hired to
> shill for P-256) is not worth the significant effort involved.

You're saying it's "not a clear improvement", but at the same time
that it has an "incremental value".

I don't think it's up to the CAB Forum to decide if this provides
an improvement or not. I think we delegate that to other
organisations. But then we seem to ignore their recommendations.

> You've
> shifted the argument somewhat, in that it's ignoring the previous remarks
> pointing out the dependencies and challenges, so I doubt there's much more
> useful discussion to be had here. Switching to Ed25519/Ed448 for leaf
> certificates only doesn't achieve any of the necessary security
> improvements.

I guess the key word there is probably "necessary". Where you
think PQ is necessary. And I agree that we need it, but we just
currently don't have it. But that shouldn't stop us from improving.

> and switching for intermediates simply does not provide the
> necessary trust assurances regarding key generation and protection. This
> hasn't changed since that previous discussion in any meaningful sense

I have no idea what you mean here. Like I pointed out, there
are multiple HSMs available. And if the demand is there, there
will be others. The only thing I've read so far about this from
you seems to be FUD to me.

> > You're waiting for something that will probably take 10 years
> > before people think we're ready to switch to it. I consider that
> > 10 years to be a realistic estimate.
> 
> 
> I don't consider it a realistic estimate, because the substantive
> challenges to be addressed are issues to be solved now, in order to prepare
> for a shift.

That sentence just doesn't make any sense to me. Are you saying that
we need PQ now, so we're just going to select something now? How
soon is that now, and who will be selecting it?



Kurt


