[Servercert-wg] [cabfpub] Interest in Ed25519 and/or Ed448?

Kurt Roeckx kurt at roeckx.be
Thu Mar 26 13:50:41 MST 2020


On Thu, Mar 26, 2020 at 03:49:55PM -0400, Ryan Sleevi wrote:
> 
> If the belief is that Ed25519/Ed448 is strictly better than RSA or
> P-256/P-384, from a security perspective, then that security value is only
> achieved if and only if the entire chain is at that level. If you're having
> to mix algorithms, your effective security strength of the chain is only as
> strong as your weakest link, and partial transitions don't achieve the
> necessary strength. That's no different from mixing SHA-1 and SHA-256.

This is not completely correct. The attacks you can do against a CA
key are not the same as the ones you can do to a key that's on a
server.

And you can have CA keys that provide the same security strength
as an Ed25519 or Ed448 key.

> So unless you can have the whole chain, it's a bold claim to assert it's a
> security benefit. And it's been pointed out, in the previous discussions,
> why getting the full chain is challenging.

I've read you say "in the previous discussions" many times, but
either I can't find the discussion, or that discussion lacks
details or has become irrelevant. Please provide some actual
details.

> > > and switching for intermediates simply does not provide the
> > > necessary trust assurances regarding key generation and protection. This
> > > hasn't changed since that previous discussion in any meaningful sense
> >
> > I have no idea what you mean here. Like I pointed out, there
> > are multiple HSMs available.
> 
> 
> And as has been pointed out in the past discussions, it's not simply a
> matter of "multiple HSMs available". This is reflected in the minutes I
> shared with you previously. Consider, for example,
> https://smartfacts.cr.yp.to/analysis.html

Clearly HSMs can't be trusted, we should stop using all HSMs.

> Or consider discussions about
> key zeroization, which is often skipped in non-FIPS modes because of
> performance. You're assuming the necessary definition was "in an HSM", but
> that's not and never been the goal here.

There are HSMs available that support Ed25519 and Ed448 that
meet FIPS 140-2 level 4.

FIPS 186-5 and SP 800-186 haven't been published yet, but public
comment on it has been closed. So you currently can't use it in
"FIPS mode" yet, but can soon. But the BRs don't require you to run
in FIPS mode, just that the HSM meets the requirements of FIPS 140 level
3. It's only about the security guarantees the HSM provides, not
what the US government says are the allowed algorithms.


Kurt
