Conceptual feedback on new ECC JEP
Xuelei Fan
xuelei.fan at oracle.com
Tue Sep 25 15:57:23 UTC 2018
On 9/25/2018 8:34 AM, Adam Petcher wrote:
> On 9/25/2018 11:15 AM, Xuelei Fan wrote:
>
>> I did not follow the discussion. But it does not sound right to me to
>> have an application be provider-dependent (#3).
>
> There will be nothing provider-dependent in the TLS implementation. The
> point of #3 is to say that we should test the TLS implementation to
> ensure that it will work with either "EC" provider. The only required
> changes to TLS code will be using PKCS8 private keys instead of
> BigInteger private keys.
>
I read it as there is no need to change the TLS implementation, right? The
change from BigInteger private keys to PKCS8 private keys is for test
only, right? What if we don't change the test code as well? Can an
existing application survive if it uses BigInteger private keys (okay, I
think this is an interop question)?
>>
>> I was not confident that a new provider instead of updating the
>> existing provider is a good idea. It might be a significant effort to
>> update the existing provider. However, if we don't do that, the cost to
>> use the new provider is not minimal.
>>
>> As we discussed previously, lacking interop could face significant
>> issues and result in complicated coding in practice. Think about the
>> SunPKCS11 and SunMSCAPI providers, how much trouble we have had with
>> them, and how many workarounds we have patched for them.
>>
>> Unless it is not possible to have an interoperable implementation, I
>> would suggest taking more time to have an interoperable design and impl.
>>
>> Is it possible to have an interoperable impl? If it is possible, how
>> much effort will it take?
>
> Yes, it is possible, at the expense of some assurance related to
> security against side-channel attacks.
We may not want to have an impl exposed to side-channel attacks.
Okay, let me ask the question in another way. Is it possible to have an
interoperable impl without losing the quality of the new formula
(resistance to side-channel attacks, etc.)? How much effort will it take to make it
possible (please consider it even if we have to update the BigInteger APIs as
well)?
Sorry for so many questions; I did not take enough time on the new
formula, so I depend on the questions to you to get a
better feel for the design.
Thanks,
Xuelei
> This interoperable implementation
> will be available by default in SunEC. A higher-assurance form of the
> same implementation will be available in the new provider. The
> additional effort required to put this implementation in both providers
> is expected to be relatively small.
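The thread's point about "PKCS8 private keys instead of BigInteger private keys" is concrete enough to show in code. The following is an added example written for this page, not code from the thread, the JEP or the JDK sources. It assumes only standard JCA APIs ("EC" KeyFactory/KeyPairGenerator and "SHA256withECDSA" Signature, both present in a stock JDK); the optional provider-name argument and the idea that some provider might reject an ECPrivateKeySpec built from a BigInteger scalar are assumptions made for illustration, not a description of any shipping provider.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.interfaces.ECPrivateKey;
import java.security.spec.ECPrivateKeySpec;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;

public class EcKeyInterop {

    // Constructed test message for the signing round trip; any bytes would do.
    static final byte[] MESSAGE = "interop check".getBytes(StandardCharsets.UTF_8);

    // provider == null means "first installed provider that offers EC" (assumed usage).
    static KeyFactory ecKeyFactory(String provider) throws GeneralSecurityException {
        return provider == null ? KeyFactory.getInstance("EC")
                                : KeyFactory.getInstance("EC", provider);
    }

    // Provider-agnostic path: hand the KeyFactory the key's PKCS#8 encoding.
    // The scalar never appears as a BigInteger in application code.
    static PrivateKey fromPkcs8(PrivateKey key, String provider) throws GeneralSecurityException {
        if (!"PKCS#8".equals(key.getFormat())) {
            throw new InvalidKeySpecException("key does not expose a PKCS#8 encoding");
        }
        return ecKeyFactory(provider).generatePrivate(new PKCS8EncodedKeySpec(key.getEncoded()));
    }

    // Scalar path: pull s out as a BigInteger and rebuild an ECPrivateKeySpec.
    // Assumption for illustration: a provider that deliberately keeps the scalar
    // out of BigInteger could reject this spec with InvalidKeySpecException.
    static PrivateKey fromScalar(ECPrivateKey key, String provider) throws GeneralSecurityException {
        BigInteger s = key.getS();
        return ecKeyFactory(provider).generatePrivate(new ECPrivateKeySpec(s, key.getParams()));
    }

    // A rebuilt private key is only useful if it still signs under the original public key.
    static boolean signsUnder(PrivateKey priv, PublicKey pub) throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA256withECDSA");
        sig.initSign(priv);
        sig.update(MESSAGE);
        byte[] signature = sig.sign();
        sig.initVerify(pub);
        sig.update(MESSAGE);
        return sig.verify(signature);
    }

    public static void main(String[] args) throws Exception {
        // Optional provider name on the command line, e.g. "SunEC".
        String provider = args.length > 0 ? args[0] : null;

        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256);   // a 256-bit curve; SunEC maps this to secp256r1
        KeyPair kp = kpg.generateKeyPair();
        ECPrivateKey original = (ECPrivateKey) kp.getPrivate();

        PrivateKey viaPkcs8 = fromPkcs8(original, provider);
        System.out.println("PKCS#8 path -> " + viaPkcs8.getClass().getName()
                + ", signs OK: " + signsUnder(viaPkcs8, kp.getPublic()));

        try {
            PrivateKey viaScalar = fromScalar(original, provider);
            System.out.println("scalar path -> " + viaScalar.getClass().getName()
                    + ", signs OK: " + signsUnder(viaScalar, kp.getPublic()));
        } catch (InvalidKeySpecException e) {
            // A provider that refuses BigInteger scalars lands here; the PKCS#8 path still worked.
            System.out.println("scalar path rejected by provider: " + e.getMessage());
        }
    }
}
```

Run it once with no argument and once with each provider name you care about (java EcKeyInterop SunEC, and the name of any new provider): if the PKCS#8 path signs under every provider while only the scalar path varies, the TLS code is provider-independent in the sense the thread asks for, and the remaining question is purely whether existing applications that construct ECPrivateKeySpec from a BigInteger keep working.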