On 27/05/2014 12:50, Ilari Liusvaara wrote:
> Yes, there are special cases where you don't have to check, e.g., all of:
> - Weierstrass.

I'm really not sure if non-Weierstrass is worth considering right now in a TLS-oriented document, given that only Weierstrass can be used with TLS currently.

Also, it seems to me that it will be difficult, and maybe confusing*, to come up with a single set of recommendations that applies uniformly to all forms of curves. So maybe even in the long term it's better to focus on reduced Weierstrass now, and expand the document with a distinct set of recommendations later for other kinds of curves.

Manuel.

* For example, a lot of people seem to think that if you use a twist-secure curve, even with a protocol like TLS ECDH with uncompressed point format (and reduced Weierstrass) you don't need to validate the received point, which is plain wrong and dangerous. Twist security is only relevant (from a point validation perspective) for x-only schemes. So from a "pedagogic" perspective it's probably interesting to clearly distinguish between different kinds of curves/protocols.
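
The distinction drawn in the footnote, as an added example that is not part of the original message: for an uncompressed (x, y) point on a reduced Weierstrass curve the receiver has to check the curve equation itself, whereas in an x-only scheme every in-range x already belongs to the curve or to its twist. NIST P-256 is chosen here only for illustration, and the function names are hypothetical.

```python
# Added illustration; P-256 constants are the public NIST values,
# function names are hypothetical.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


def rhs(x):
    """Right-hand side x^3 + a*x + b of the curve equation, mod p."""
    return (pow(x, 3, P) + A * x + B) % P


def validate_point(x, y):
    """Validation of a received uncompressed (x, y) point.

    Coordinates must be reduced and must satisfy y^2 = x^3 + a*x + b.
    The point at infinity has no (x, y) encoding, and P-256 has
    cofactor 1, so no separate subgroup check is needed on this curve.
    """
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - rhs(x)) % P == 0


def implied_b(x, y):
    """The b' for which (x, y) satisfies y^2 = x^3 + a*x + b'.

    The usual short-Weierstrass addition formulas never use b, so an
    unvalidated pair is silently processed on the curve with this b'.
    That curve is arbitrary, not the twist, which is why twist
    security says nothing about the uncompressed case.
    """
    return (y * y - pow(x, 3, P) - A * x) % P


def classify_x(x):
    """x-only view: an in-range x is always on the curve or on its twist."""
    if not 0 <= x < P:
        return "out of range"
    r = rhs(x)
    # Euler's criterion: r is a square mod p iff r^((p-1)/2) == 1.
    if r == 0 or pow(r, (P - 1) // 2, P) == 1:
        return "curve"
    return "twist"
```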
