Hi Leif,
We cannot be silent about what EC group to use for ECDH, because ECDH is
kind of essential to our recommendations.
But I guess we jumped the gun by recommending Brainpool as the primary
curve. I would like to remove this recommendation, and retain the NIST
curve - which is all we have now. What do you think?
Thanks,
Yaron
On 08/07/2014 12:00 PM, Leif Johansson wrote:
And Brainpool seemed to offer the only standardized alternative, even though it is not
widely implemented. Since TLS allows negotiation of the ECDH parameters, the draft says:
"Clients and servers SHOULD prefer verifiably random curves (specifically Brainpool
P-256, brainpoolp256r1 [RFC7027]), and fall back to the commonly used NIST P-256
(secp256r1) curve [RFC4492]."
Which, of course, has nothing to do with either "Best" or "Current". The Best
Current Practice continues to be the NIST curves. The next likely Best Current Practice will be one
of the curves recommended by the CFRG, and Brainpool is not on that list.
My personal opinion:
If CFRG came out with a recommendation and if TLS-wg adopted that
recommendation and if those curves were deployable using current
implementations of TLS, _then_ the UTA wg could talk about adopting
those curves as part of a BCP.
As chair:
It is ok for the BCP to be silent on some topics - there may simply
be no clear best current practice in all situations.
Better for us to rev the BCP as things become clear than to leave
the Internet community without guidance for a long time. Perfect is the
enemy of the good.
Cheers Leif
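The negotiation Leif refers to, as an added illustration that is not part of this thread: a TLS 1.2 client lists the curves it supports in the elliptic_curves extension (RFC 4492 section 5.1.1), and the server picks one. The code below encodes and decodes that extension using the NamedCurve identifiers from RFC 4492 (secp256r1 = 23) and RFC 7027 (brainpoolP256r1 = 26), then applies the preference order the quoted draft text asks for: Brainpool P-256 first, NIST P-256 as the fallback. The preference list, the function names and the sample client offers are assumptions made for this example; the third client shows the case the text warns about, where most deployed clients offer only the NIST curves and the "preferred" curve is never used.

```python
"""Curve negotiation for the elliptic_curves extension (added example)."""
import struct

# NamedCurve identifiers from RFC 4492 (NIST curves) and RFC 7027 (Brainpool).
NAMED_CURVES = {
    23: "secp256r1",
    24: "secp384r1",
    25: "secp521r1",
    26: "brainpoolP256r1",
    27: "brainpoolP384r1",
    28: "brainpoolP512r1",
}
CURVE_IDS = {name: cid for cid, name in NAMED_CURVES.items()}

# Server preference order modelled on the quoted draft text (assumption for
# this example): verifiably random Brainpool P-256 first, NIST P-256 fallback.
DRAFT_PREFERENCE = ["brainpoolP256r1", "secp256r1"]


def build_elliptic_curves_extension(curve_names):
    """Encode the extension_data of elliptic_curves (RFC 4492 5.1.1):
    a 2-byte list length followed by 2-byte NamedCurve values."""
    ids = b"".join(struct.pack("!H", CURVE_IDS[n]) for n in curve_names)
    return struct.pack("!H", len(ids)) + ids


def parse_elliptic_curves_extension(data):
    """Decode extension_data into the list of offered NamedCurve ids.
    Unknown ids are returned as plain integers so a server can ignore them."""
    if len(data) < 2:
        raise ValueError("truncated elliptic_curves extension")
    (length,) = struct.unpack("!H", data[:2])
    body = data[2:2 + length]
    if len(body) != length or length % 2 != 0:
        raise ValueError("malformed elliptic_curves list")
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(0, length, 2)]


def select_curve(client_ext_data, server_preference=DRAFT_PREFERENCE):
    """Server-side choice: first curve in the server's preference order that
    the client offered, or None (the server must then not choose an ECDHE
    cipher suite)."""
    offered = set(parse_elliptic_curves_extension(client_ext_data))
    for name in server_preference:
        if CURVE_IDS[name] in offered:
            return name
    return None


if __name__ == "__main__":
    # Constructed client offers, not captured traffic.
    brainpool_capable = build_elliptic_curves_extension(["secp256r1", "brainpoolP256r1"])
    nist_only = build_elliptic_curves_extension(["secp256r1", "secp384r1"])
    no_overlap = build_elliptic_curves_extension(["secp384r1"])
    print("Brainpool-capable client ->", select_curve(brainpool_capable))
    print("NIST-only client         ->", select_curve(nist_only))
    print("No common curve          ->", select_curve(no_overlap))
```

Note that the order in the client's list does not matter to this server: it applies its own preference, which is why the draft's SHOULD is only meaningful if the client actually offers the Brainpool curve. A server that wanted to honour client order instead would iterate the parsed list and stop at the first id it supports.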
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta