Yoav Nir writes:
> > So my take would be:
> >
> > DH group 2 1024-bit MODP MUST- -> MAY
> > DH group 14 2048-bit MODP SHOULD+ -> MUST
> >
> > Not sure which elliptic curves to propose. The NIST groups 19-21 have
> > the problem that there have been two compliant ways to implement them
> > and those two ways are not interoperable, thus they would be a bad idea
> > for a mandatory to implement algorithm (i.e. they do not guarantee
> > interoperability).
>
> Is that still an issue? I thought this was a bug some years ago that
> everyone had fixed, no?

It was not really a bug. We defined ECP differently than everybody
else in the RFC, and then there was an errata made that completely
changed the format (the errata did not change the test vectors or
examples). Some implementations implemented what was written in the
RFC, some implemented what was written in the errata. Then when this
was noticed, we fixed the RFC by writing a new one, but the authors
wanted to keep the old group numbers, which caused the problem that
now we do not know whether an implementation supports this new RFC, or
the old RFC without the errata. And those two versions do not
interoperate.

If we were in a perfect world where we would know that everybody
uses the latest versions of software, which implement the latest
versions of the RFCs, then we could ignore this. As there are still a
lot of people using IKEv1, which was obsoleted long ago, I assume there
are still people out there using the old version of ECP too.

And of course there are people who are against NIST curves just in
general...

> > Brainpool curves are not that widely implemented,
> > and the cfrg is now working on adding other groups. Perhaps we can
> > add those new groups as SHOULD+ in the next iteration and leave this
> > draft as MODP only for now.
>
> I don’t have a survey of implementations, but I think 19, 20, and 21
> are more widely implemented than groups 15-18. So if somebody gets
> uncomfortable with 2048 bits (see [1]) it’s better to recommend that
> people move to an EC curve. I’d rather this be done with something
> that’s well established rather than something that is in a -00 draft
> submitted this month, but we should find out if interop works right
> now.

If people are already implementing 19-21 then there is no problem. We
do not need to specify them as MUST or SHOULD or SHOULD+, and people
can still use them if they feel like it.

I think that when CFRG and IPsecME WG get Curve25519 etc work done, we
are going to make that one as second mandatory to implement curve, i.e.
then making group 19 as SHOULD- or something like that now, would not
be that useful.
--
[email protected]
