Hi Yaron,
[snipped]
> Do you want to say anything about EdDSA and the kerfuffle going on in
> cfrg@ mailing list right now? No is a good, and probably sane, answer.
>
> No. We discussed it briefly and although we added 25519 for the ECDH key
> exchange, we are not recommending (or even discussing) the use of EdDSA
> for signatures or certs. So there's nowhere to even include such a comment.
The discussion in CFRG was not about EdDSA specifically, but about fault
attacks on other deterministic signature schemes, including deterministic
ECDSA. The draft currently recommends using deterministic ECDSA (as
specified in RFC 6979) over the classic one, so we seem to explicitly
recommend what cryptographers express concerns about.

On the other hand, it seems to me that "fault attacks" are outside the
Dolev-Yao model, so I'm not sure how relevant their concerns are in the
context of the draft.
Regards,
Valery.
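As an added illustration of the concern raised in the message above (example code written for this page, not from the thread, from any IETF draft, or from a real implementation): a toy ECDSA signer over secp256k1 that derives k per RFC 6979. Because k is a function of the private key and the message only, a signer that is glitched once while signing a message it has already signed correctly produces a second signature under the same k. Two signatures sharing k with different r values let the attacker solve for the private key. With a random k the same fault leaks nothing. The curve arithmetic, the simulated single-bit fault in r, and the constructed message are assumptions of the example; nothing here is constant-time or fit for production use.

```python
"""Toy ECDSA over secp256k1 with RFC 6979 nonces, plus a simulated fault.
Pure Python, variable-time, demo only. The "fault" flips one bit of r after
k and R = kG were computed correctly, standing in for a hardware glitch."""
import hashlib
import hmac
import secrets

# secp256k1 domain parameters.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, point):
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, point)
        point = ec_add(point, point)
        k >>= 1
    return acc

def msg_hash(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def rfc6979_nonce(d, h):
    """RFC 6979 section 3.2 for 256-bit n and SHA-256: k is a function of (d, h) only."""
    def mac(key, data):
        return hmac.new(key, data, hashlib.sha256).digest()
    x = d.to_bytes(32, "big")
    h1 = (h % N).to_bytes(32, "big")  # bits2octets(H(m))
    v, k = b"\x01" * 32, b"\x00" * 32
    k = mac(k, v + b"\x00" + x + h1)
    v = mac(k, v)
    k = mac(k, v + b"\x01" + x + h1)
    v = mac(k, v)
    while True:
        v = mac(k, v)
        cand = int.from_bytes(v, "big")
        if 1 <= cand < N:
            return cand
        k = mac(k, v + b"\x00")
        v = mac(k, v)

def sign(d, msg, deterministic=True, fault=False):
    h = msg_hash(msg)
    k = rfc6979_nonce(d, h) if deterministic else secrets.randbelow(N - 1) + 1
    r = ec_mul(k, G)[0] % N
    if fault:
        r = (r ^ (1 << 17)) % N  # simulated glitch: one corrupted bit in r
    s = pow(k, -1, N) * (h + d * r) % N
    return r, s

def verify(pub, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    h = msg_hash(msg)
    pt = ec_add(ec_mul(h * w % N, G), ec_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

def recover_key(h, good, bad):
    """Attacker step. If both signatures share k, s = k^-1 (h + d r) and
    s' = k^-1 (h + d r') solve to d = h (s - s') / (s' r - s r') mod n."""
    r, s = good
    rf, sf = bad
    return h * (s - sf) * pow(sf * r - s * rf, -1, N) % N

def demo(deterministic):
    """Return (key recovered?, faulty signature verifies?) for one signer kind."""
    d = secrets.randbelow(N - 1) + 1
    pub = ec_mul(d, G)
    msg = b"constructed sample message"  # constructed input
    good = sign(d, msg, deterministic)
    bad = sign(d, msg, deterministic, fault=True)
    assert verify(pub, msg, good)
    return recover_key(msg_hash(msg), good, bad) == d, verify(pub, msg, bad)

if __name__ == "__main__":
    print("RFC 6979 nonce: (key recovered, faulty sig valid) =", demo(True))
    print("random nonce:   (key recovered, faulty sig valid) =", demo(False))
```

Note that the faulty signature does not verify in either case, so a signer that verifies its own output before releasing it would never hand the attacker the second signature; that check, and mixing fresh randomness into the nonce derivation so that two signatures over the same message no longer share k, are the usual countermeasures. Whether either belongs in a TLS recommendations document depends, as the reply below argues, on whether the attacker in scope can physically glitch the signer.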
Hi Valery,
You are right about det-ECDSA and this is a very good question. IMO some
side-channel attacks are relevant to the generic Internet model and some are
not (even if all of them are outside the Dolev-Yao model). Timing oracle
attacks can be initiated remotely and therefore are addressed by mechanisms
that we recommend in RFC 7525. OTOH fault attacks have much more limited
applicability and so we don't discuss them.
Thanks,
Yaron
_______________________________________________
Uta mailing list
https://www.ietf.org/mailman/listinfo/uta