Manuel Pégourié-Gonnard wrote on 27.05.2014 13:18: > On 27/05/2014 12:50, Ilari Liusvaara wrote: >> Yes, there are special cases where you don't have to check, e.g, all of: >> - Weierstrass. > > I'm really not sure if non-Weierstrass is worth considering right now in a > TLS-oriented document, given that only Weierstrass can be used with TLS > currently. >
+1 > Also, it seems to me that it will be difficult, and maybe confusing* to come > up > with a single set of recommendations that applies uniformly to all forms of > curves. So maybe even in the long term it's better to focus on reduced > Weierstrass now, and expand the document with a distinct set of > recommendations > later for other kind of curves. +1 > > * For example, a lot of people seem to think that if you use a twist-secure > curve, even with a protocol like TLS ECDH with uncompressed point format (and > reduced Weierstrass) you don't need to validate the received point, which is > plain wrong and dangerous. Twist security is only relevant (from a point > validation perspective) for x-only schemes. So from a "pedagogic" perspective > it's probably interesting to clearly distinguish between different kinds of > curves/protocols. > +1 -- Johannes _______________________________________________ Uta mailing list [email protected] https://www.ietf.org/mailman/listinfo/uta
