* ECDSA
- is based on ECDLP (the security of RSA is based on
integer factring.)
- is implemented in OpenSSL 1.0.2, GnuTLS 3.3.5, NSS 3.15.1 and so on.
Same questions.
ECDSA is widely implemented as oftoday. There are some security issues
for implementers - I'm no ECC security expert so I can only refer to
this excellent article by Prof. Bernstein:
http://blog.cr.yp.to/20140323-ecdsa.html
ECDSA is not mentioned in the draft (except in passing while quoting
something else) for a good reason: ECDSA certificates barely exist. So I
don't think ECDSA is even remotely relevant for a BCP today.
The curve discussion in the draft is about ECDH. The consensus that I am
hearing (or heard, a few months ago) is that we want to move away from
NIST curves because people suspect SUNS - something up NIST's sleeve.
And Brainpool seemed to offer the only standardized alternative, even
though it is not widely implemented. Since TLS allows to negotiate ECDH
parameter, the draft says: "Clients and servers SHOULD prefer verifiably
random curves (specifically Brainpool P-256, brainpoolp256r1 [RFC7027]),
and fall back to the commonly used NIST P-256 (secp256r1) curve [RFC4492]."
Thanks,
Yaron
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
