On 2/01/14 20:09 PM, Julien Vehent wrote:
I wish there was references to these "discussions".
The problem with any references to rationale is that it often goes into arguable and unending discussions.
There's a certain value in being quite curt about the recommendation, and readers can take it or leave it. Obviously, the recommendations can be wrong, but they are valuable if they are mostly right and easy to follow. And every name stakes their rep to it.
The document is already huge... which makes it hard to follow...
My understanding of the state of the art of ECC is that P-256 is considered at least as secure as DH and RSA.
The general issue is all of the standardised EC curves are under a cloud, in part because of the DUAL_EC saga, and in part because DJB & Tanje Lange have heavily criticised the standard curves. Have a look at their table at http://safecurves.cr.yp.to/ there's definitely a problem with all prior work.
How much is this overdone? I don't think it is as important as the RC4 issue. We know RC4 can be cracked in some standard daily amounts, 16M and beyond. We don't know that about ECC nor 3DES.
Coming back to public key choice, it is now an open question: Do we recommend just RSA for now and wait until the new curves come on line? Or stick with ECC as it is now available, because fears are overblown? I don't know the answer to that one, but framing the question is often half the battle.
iang -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
