>> And Brainpool seemed to offer the only standardized alternative, even though 
>> it is not widely implemented. Since TLS allows negotiating ECDH parameters, 
>> the draft says: "Clients and servers SHOULD prefer verifiably random curves 
>> (specifically Brainpool P-256, brainpoolp256r1 [RFC7027]), and fall back to 
>> the commonly used NIST P-256 (secp256r1) curve [RFC4492]."
> 
> Which, of course, has nothing to do with either "Best" or "Current". The Best 
> Current Practice continues to be the NIST curves. The next likely Best 
> Current Practice will be one of the curves recommended by the CFRG, and 
> Brainpool is not on that list.

My personal opinion:

If CFRG came out with a recommendation and if TLS-wg adopted that
recommendation and if those curves were deployable using current
implementations of TLS, _then_ the UTA wg could talk about adopting
those curves as part of a BCP.

As chair:

It is ok for the BCP to be silent on some topics - there may simply
be no clear best current practice in all situations.

Better for us to rev the BCP as things become clear than to leave
the Internet community without guidance for a long time. Perfect is the
enemy of the good.

        Cheers Leif

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
