> CVSROOT: /cvs
> Module name: src
> Changes by: m...@cvs.openbsd.org 2014/05/01 05:29:18
>
> Modified files:
> lib/libssl/src/crypto/ec: ec_curve.c
> lib/libssl/src/crypto/objects: objects.txt
>
> Log message:
> Add support for the french ANSSI FRP256v1 elliptic curve.
>
> While not to be considered a good choice of elliptic curve (refer to
> http://safecurves.cr.yp.to/ for more details), it is nevertheless deemed a
> good decision to allow developers with requirements to use such a curve,
> to be able to do this via a crypto library allowing for much better choices
> to be made, without having to change (much of) their code to get better
> crypto.
>
> ok beck@ deraadt@
I'd like to take a moment to explain the idea behind this. Say an
application needs to use a bad-government cipher.
Would you prefer the application to be written like this:
if (in bad goverment cipher mode) {
hand roll special code that looks like EVP
to do this special mode;
} else {
do EVP operations for good ciphers
}
Now imagine that a typical application would likely have 20 blocks
of code like that. Error prone blocks.
It seems better to just push everyone towards one API, that gives them
great ciphers, and slightly not-so-great ciphers. The applications
become simpler.
That is a win. Any other choice comes with larger downsides. Over
time we can force applications to have support for the best and
greatest ciphers, by providing an API that supports all ciphers.
It comes at no cost.
