Re: xmlsec / ECDSA problem
On Wed, Feb 15, 2017 at 9:22 AM, Gervase Markham wrote:
> On 15/02/17 17:17, Martin Thomson wrote:
>> Sure. Both NSS and Firefox support P-521. We still accept TLS
>> handshakes that use it (for both key exchange and signing). I believe
>> that it is also supported in webcrypto.
>>
>> I believe that Chrome doesn't support P-521 in TLS. We tried to
>> follow them, but only briefly.
>
> Did things break when we disabled it?
>
> Do we know why Chrome decided not to support it? Two NIST curves is enough?

I don't have any knowledge of why Chrome decided to only support P-256 and P-384. I do know that P-256 and P-384 were the only two curves included in the US NSA's "Suite B" specification and that the NSA did offer an Elliptic Curve Cryptography (ECC) Patent License Agreement (PLA) [http://web.archive.org/web/20130308064650/http://www.nsa.gov/business/programs/quick_facts.shtml] at no charge for certain products. It is possible that an implementer of Elliptic Curve cryptography might have decided to only implement curves included in specifications that are presumably covered by no charge patent license agreements.

Thanks,
Peter

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: xmlsec / ECDSA problem
On Sat, Feb 18, 2017 at 8:59 AM, Jeremy Rowley wrote:
> It's still permitted in the policy.
>
> https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#inclusion

Yes, well... The policy says P-512, which doesn't actually exist. The intent is clear though. I've asked Kathleen to correct that.
RE: xmlsec / ECDSA problem
It's still permitted in the policy.

https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#inclusion

Section 8.

-----Original Message-----
From: dev-tech-crypto [mailto:dev-tech-crypto-bounces+jeremy.rowley=digicert@lists.mozilla.org] On Behalf Of Martin Thomson
Sent: Wednesday, February 15, 2017 5:06 PM
To: mozilla's crypto code discussion list <dev-tech-crypto@lists.mozilla.org>
Cc: mozilla-dev-tech-crypto <mozilla-dev-tech-cry...@lists.mozilla.org>
Subject: Re: xmlsec / ECDSA problem

On Thu, Feb 16, 2017 at 4:22 AM, Gervase Markham <g...@mozilla.org> wrote:
> Did things break when we disabled it?

A few things. It lasted less than a day in Nightly before we got multiple bug reports.

> Do we know why Chrome decided not to support it? Two NIST curves is enough?

That's my understanding. P-521 isn't busted, it's just a little inefficient and not enough stronger than P-384 (or X448) that it is worth keeping around when faced with a working quantum computer. That and the fact that more options is more code to carry, more options to signal, and so forth. I think that's the reasoning.
Re: xmlsec / ECDSA problem
On Thu, Feb 16, 2017 at 4:22 AM, Gervase Markham wrote:
> Did things break when we disabled it?

A few things. It lasted less than a day in Nightly before we got multiple bug reports.

> Do we know why Chrome decided not to support it? Two NIST curves is enough?

That's my understanding. P-521 isn't busted, it's just a little inefficient and not enough stronger than P-384 (or X448) that it is worth keeping around when faced with a working quantum computer. That and the fact that more options is more code to carry, more options to signal, and so forth. I think that's the reasoning.
Re: xmlsec / ECDSA problem
On 15/02/17 17:17, Martin Thomson wrote:
> Sure. Both NSS and Firefox support P-521. We still accept TLS
> handshakes that use it (for both key exchange and signing). I believe
> that it is also supported in webcrypto.
>
> I believe that Chrome doesn't support P-521 in TLS. We tried to
> follow them, but only briefly.

Did things break when we disabled it?

Do we know why Chrome decided not to support it? Two NIST curves is enough?

Gerv
Re: xmlsec / ECDSA problem
On Thu, Feb 16, 2017 at 3:44 AM, Gervase Markham wrote:
> There seemed to be some confusion recently in m.d.s.policy about whether
> NSS, and then Firefox, supported P-521 for server auth certs. Can
> someone clear it up for me and tell me what the situation is? :-)

Sure. Both NSS and Firefox support P-521. We still accept TLS handshakes that use it (for both key exchange and signing). I believe that it is also supported in webcrypto.

I believe that Chrome doesn't support P-521 in TLS. We tried to follow them, but only briefly.
Re: xmlsec / ECDSA problem
On Wed, Feb 15, 2017 at 7:59 PM, Miklos Vajna wrote:
> To avoid solving multiple problems at once, probably I'll go for
> another ECDSA testcase first where the parameter is supported by NSS. :-)

The best supported curve is P-256 (i.e., secp256r1), but P-384 (secp384r1) and P-521 (secp521r1) are also well supported.