bug#57576: bug#57599: [PATCH] openpgp: Add support for ECDSA with NIST curves.

2022-09-24 Thread Ludovic Courtès
Hi! All things considered, I prefer to drop this patch. In the unlikely event that we’ll get more requests to support these curves, we can always revisit the issue. What we should do, though, is improve error reporting in case an unsupported curve or algorithm is encountered. Thanks, Ludo’.

bug#57576: bug#57599: [PATCH] openpgp: Add support for ECDSA with NIST curves.

2022-09-07 Thread zimoun
Hi,

On Wed, 07 Sep 2022 at 14:51, Ludovic Courtès wrote:
> I’d like to see what other free software OpenPGP implementors decided
> (primarily Sequoia; GnuPG/Libgcrypt implement them).

Maybe related .

Cheers, simon

bug#57576: bug#57599: [PATCH] openpgp: Add support for ECDSA with NIST curves.

2022-09-07 Thread Ludovic Courtès
Hi, Thanks a lot for the explanations, Andreas! As you write, the decision will be “political” as there’s no scientific evidence to guide us. I’d like to see what other free software OpenPGP implementors decided (primarily Sequoia; GnuPG/Libgcrypt implement them). Ludo’.

bug#57576: bug#57599: [PATCH] openpgp: Add support for ECDSA with NIST curves.

2022-09-07 Thread Andreas Enge
On Wed, Sep 07, 2022 at 01:13:25PM +0200, Maxime Devos wrote:
> Also, we _do_ have concrete evidence that the curves are flawed -- the website
> on the link mentions many issues in the process

The website (you mean the blog by D. Bernstein?) also mentions the use of a hash function to arrive at

bug#57576: bug#57599: [PATCH] openpgp: Add support for ECDSA with NIST curves.

2022-09-07 Thread Maxime Devos
On 06-09-2022 22:02, Ludovic Courtès wrote: In case of those curves, I'm not aware of any 'cryptographic proof' (*) that the curves are vulnerable (unlike for SHA-1), but as noted in ¹ and elsewhere, there are other kinds of evidence that something is wrong. It’s different from SHA-1 though:

bug#57576: bug#57599: [PATCH] openpgp: Add support for ECDSA with NIST curves.

2022-09-07 Thread Andreas Enge
Hello,

On Tue, Sep 06, 2022 at 10:02:55PM +0200, Ludovic Courtès wrote:
> (Cc’ing Andreas for extra advice.)

well, I agree with your analysis. There is no concrete evidence that the NIST curves may be flawed, and a general belief that not all crypto standards of NIST are flawed or backdoored...

bug#57576: bug#57599: [PATCH] openpgp: Add support for ECDSA with NIST curves.

2022-09-06 Thread Ludovic Courtès
Hi,

(Cc’ing Andreas for extra advice.)

Maxime Devos writes:
> We disallow signing with SHA-1, because it is known to be vulnerable
> and as there are alternatives that are considered good, even if this
> limits what users can do with their OpenPGP keys.

Right, we know it’s affordable to

bug#57576: bug#57599: [PATCH] openpgp: Add support for ECDSA with NIST curves.

2022-09-06 Thread Maxime Devos
On 06-09-2022 13:58, Ludovic Courtès wrote: Hi, ECDSA and the NIST curves (and in fact a large part of NIST’s crypto standardization work¹) are actually considered with skepticism by some: https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm#Concerns That makes me

bug#57576: bug#57599: [PATCH] openpgp: Add support for ECDSA with NIST curves.

2022-09-06 Thread Zhu Zihao
My opinion: Maybe NSA recommends NIST family because they know how to get around it. But they also have to believe foreign governments can't break it easily.

--
Retrieve my PGP public key:
gpg --recv-keys 481F5EEEBA425ADC13247C76A6E672D981B8E744

Zihao

bug#57576: bug#57599: [PATCH] openpgp: Add support for ECDSA with NIST curves.

2022-09-06 Thread Ludovic Courtès
Hi, ECDSA and the NIST curves (and in fact a large part of NIST’s crypto standardization work¹) are actually considered with skepticism by some: https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm#Concerns That makes me wonder whether supporting them is a good idea,