On Aug 5, 2014, at 2:41 PM, Yaron Sheffer <[email protected]> wrote:
> The curve discussion in the draft is about ECDH. The consensus that I am
> hearing (or heard, a few months ago) is that we want to move away from NIST
> curves because people suspect SUNS - something up NIST's sleeve.

I have not heard that from anyone. What I have heard is that, because NIST cannot show its work, we will never know if there was something up their sleeve. That's an important difference, but still has the same results.

> And Brainpool seemed to offer the only standardized alternative, even though
> it is not widely implemented. Since TLS allows negotiating ECDH parameters,
> the draft says: "Clients and servers SHOULD prefer verifiably random curves
> (specifically Brainpool P-256, brainpoolp256r1 [RFC7027]), and fall back to
> the commonly used NIST P-256 (secp256r1) curve [RFC4492]."

Which, of course, has nothing to do with either "Best" or "Current". The Best Current Practice continues to be the NIST curves. The next likely Best Current Practice will be one of the curves recommended by the CFRG, and Brainpool is not on that list.

--Paul Hoffman

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
