Re: xmlsec / ECDSA problem

2017-02-18 Thread Peter Bowen
On Wed, Feb 15, 2017 at 9:22 AM, Gervase Markham  wrote:
> On 15/02/17 17:17, Martin Thomson wrote:
>> Sure.  Both NSS and Firefox support P-521.  We still accept TLS
>> handshakes that use it (for both key exchange and signing).  I believe
>> that it is also supported in webcrypto.
>>
>> I believe that Chrome doesn't support P-521 in TLS.  We tried to
>> follow them, but only briefly.
>
> Did things break when we disabled it?
>
> Do we know why Chrome decided not to support it? Two NIST curves is enough?

I don't have any knowledge of why Chrome decided to only support P-256
and P-384.

I do know that P-256 and P-384 were the only two curves included in
the US NSA's "Suite B" specification and that the NSA did offer an
Elliptic Curve Cryptography (ECC) Patent License Agreement (PLA)
[http://web.archive.org/web/20130308064650/http://www.nsa.gov/business/programs/quick_facts.shtml]
at no charge for certain products.

It is possible that an implementer of Elliptic Curve cryptography
might have decided to only implement curves included in
specifications that are presumably covered by no-charge patent license
agreements.

Thanks,
Peter
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto


Re: xmlsec / ECDSA problem

2017-02-17 Thread Martin Thomson
On Sat, Feb 18, 2017 at 8:59 AM, Jeremy Rowley wrote:
> It's still permitted in the policy.
>
> https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#inclusion

Yes, well...  The policy says P-512, which doesn't actually exist.
The intent is clear though.  I've asked Kathleen to correct that.


RE: xmlsec / ECDSA problem

2017-02-17 Thread Jeremy Rowley
It's still permitted in the policy. 

https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#inclusion

Section 8.

-Original Message-
From: dev-tech-crypto
[mailto:dev-tech-crypto-bounces+jeremy.rowley=digicert@lists.mozilla.org]
On Behalf Of Martin Thomson
Sent: Wednesday, February 15, 2017 5:06 PM
To: mozilla's crypto code discussion list
<dev-tech-crypto@lists.mozilla.org>
Cc: mozilla-dev-tech-crypto <mozilla-dev-tech-cry...@lists.mozilla.org>
Subject: Re: xmlsec / ECDSA problem

On Thu, Feb 16, 2017 at 4:22 AM, Gervase Markham <g...@mozilla.org> wrote:
> Did things break when we disabled it?

A few things.  It lasted less than a day in Nightly before we got multiple
bug reports.

> Do we know why Chrome decided not to support it? Two NIST curves is enough?

That's my understanding.  P-521 isn't busted, it's just a little inefficient
and not enough stronger than P-384 (or X448) that it is worth keeping around
when faced with a working quantum computer.  That and the fact that more
options is more code to carry, more options to signal, and so forth.  I
think that's the reasoning.

Re: xmlsec / ECDSA problem

2017-02-15 Thread Martin Thomson
On Thu, Feb 16, 2017 at 4:22 AM, Gervase Markham  wrote:
> Did things break when we disabled it?

A few things.  It lasted less than a day in Nightly before we got
multiple bug reports.

> Do we know why Chrome decided not to support it? Two NIST curves is enough?

That's my understanding.  P-521 isn't busted, it's just a little
inefficient and not enough stronger than P-384 (or X448) that it is
worth keeping around when faced with a working quantum computer.  That
and the fact that more options is more code to carry, more options to
signal, and so forth.  I think that's the reasoning.


Re: xmlsec / ECDSA problem

2017-02-15 Thread Gervase Markham
On 15/02/17 17:17, Martin Thomson wrote:
> Sure.  Both NSS and Firefox support P-521.  We still accept TLS
> handshakes that use it (for both key exchange and signing).  I believe
> that it is also supported in webcrypto.
> 
> I believe that Chrome doesn't support P-521 in TLS.  We tried to
> follow them, but only briefly.

Did things break when we disabled it?

Do we know why Chrome decided not to support it? Two NIST curves is enough?

Gerv


Re: xmlsec / ECDSA problem

2017-02-15 Thread Martin Thomson
On Thu, Feb 16, 2017 at 3:44 AM, Gervase Markham  wrote:
> There seemed to be some confusion recently in m.d.s.policy about whether
> NSS, and then Firefox, supported P-521 for server auth certs. Can
> someone clear it up for me and tell me what the situation is? :-)

Sure.  Both NSS and Firefox support P-521.  We still accept TLS
handshakes that use it (for both key exchange and signing).  I believe
that it is also supported in webcrypto.

I believe that Chrome doesn't support P-521 in TLS.  We tried to
follow them, but only briefly.


Re: xmlsec / ECDSA problem

2017-02-15 Thread Martin Thomson
On Wed, Feb 15, 2017 at 7:59 PM, Miklos Vajna  wrote:
> To avoid solving multiple problems at once, probably I'll go for
> another ECDSA testcase first where the parameter is supported by NSS. :-)

The best supported curve is P-256 (i.e., secp256r1), but P-384
(secp384r1) and P-521 (secp521r1) are also well supported.
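
Added example, not part of the thread and not NSS or xmlsec code: a dependency-free check of which named curve an EC public key (DER SubjectPublicKeyInfo) uses, for picking a test key on one of the three curves listed above. The function names are illustrative, and the sample keys are constructed, with filler bytes in place of a real curve point.

```python
EC_PUBLIC_KEY = "1.2.840.10045.2.1"        # id-ecPublicKey
THREAD_CURVES = {                          # the three curves named in the thread
    "1.2.840.10045.3.1.7": "P-256 (secp256r1)",
    "1.3.132.0.34": "P-384 (secp384r1)",
    "1.3.132.0.35": "P-521 (secp521r1)",
}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode OBJECT IDENTIFIER content bytes into dotted notation."""
    values, acc = [], 0
    for b in body:
        acc = (acc << 7) | (b & 0x7F)      # base-128, high bit marks continuation
        if not b & 0x80:
            values.append(acc)
            acc = 0
    first = min(values[0] // 40, 2)        # first value packs the first two arcs
    return ".".join(map(str, [first, values[0] - 40 * first] + values[1:]))

def named_curve(spki):
    """Return the namedCurve OID from an EC SubjectPublicKeyInfo."""
    tag, outer, _ = read_tlv(spki, 0)
    tag2, alg, _ = read_tlv(outer, 0)      # AlgorithmIdentifier
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not a SubjectPublicKeyInfo")
    t, alg_oid, pos = read_tlv(alg, 0)
    if t != 0x06 or decode_oid(alg_oid) != EC_PUBLIC_KEY:
        raise ValueError("not an EC public key")
    t, params, _ = read_tlv(alg, pos)
    if t != 0x06:                          # explicit parameters instead of a named curve
        raise ValueError("curve is not given as a named-curve OID")
    return decode_oid(params)

def classify(spki):
    oid = named_curve(spki)
    return THREAD_CURVES.get(oid, "other curve " + oid)

# Constructed samples: valid DER framing, filler (0x11) instead of a real point.
P256_KEY = bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d03010703420004" + "11" * 64)
P521_KEY = bytes.fromhex("30819b301006072a8648ce3d020106052b8104002303818600" + "04" + "11" * 132)
OTHER_KEY = bytes.fromhex("3056301006072a8648ce3d020106052b8104000a03420004" + "11" * 64)
```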