Re: xmlsec / ECDSA problem

2017-02-15 Thread Martin Thomson
On Thu, Feb 16, 2017 at 4:22 AM, Gervase Markham wrote:
> Did things break when we disabled it?

A few things.  It lasted less than a day in Nightly before we got
multiple bug reports.

> Do we know why Chrome decided not to support it? Two NIST curves is enough?

That's my understanding.  P-521 isn't busted, it's just a little
inefficient and not enough stronger than P-384 (or X448) that it is
worth keeping around when faced with a working quantum computer.  That
and the fact that more options is more code to carry, more options to
signal, and so forth.  I think that's the reasoning.
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto


Re: xmlsec / ECDSA problem

2017-02-15 Thread Gervase Markham
On 15/02/17 17:17, Martin Thomson wrote:
> Sure.  Both NSS and Firefox support P-521.  We still accept TLS
> handshakes that use it (for both key exchange and signing).  I believe
> that it is also supported in webcrypto.
> 
> I believe that Chrome doesn't support P-521 in TLS.  We tried to
> follow them, but only briefly.

Did things break when we disabled it?

Do we know why Chrome decided not to support it? Two NIST curves is enough?

Gerv


Re: xmlsec / ECDSA problem

2017-02-15 Thread Martin Thomson
On Thu, Feb 16, 2017 at 3:44 AM, Gervase Markham wrote:
> There seemed to be some confusion recently in m.d.s.policy about whether
> NSS, and then Firefox, supported P-521 for server auth certs. Can
> someone clear it up for me and tell me what the situation is? :-)

Sure.  Both NSS and Firefox support P-521.  We still accept TLS
handshakes that use it (for both key exchange and signing).  I believe
that it is also supported in webcrypto.

I believe that Chrome doesn't support P-521 in TLS.  We tried to
follow them, but only briefly.


Re: xmlsec / ECDSA problem

2017-02-15 Thread Martin Thomson
On Wed, Feb 15, 2017 at 7:59 PM, Miklos Vajna wrote:
> To avoid solving multiple problems at once, probably I'll go for
> another ECDSA testcase first where the parameter is supported by NSS. :-)

The best supported curve is P-256 (i.e., secp256r1), but P-384
(secp384r1) and P-521 (secp521r1) are also well supported.