On Sat, Dec 6, 2014 at 6:20 PM, Peter Saint-Andre - &yet
<[email protected]> wrote:
> Joe St. Sauver raised a concern about P-256:
>
>     Also in 4.2.1, NIST P-256 (secp256r1) is called out for
>     interoperability purposes. I get the intent, but I have concerns
>     given the analysis reported near the bottom of
>     http://safecurves.cr.yp.to/ for that (and related) curves.
>
> The sense of the authors is that we don't know enough to move away from
> P-256 at this time, and that if evidence emerges for a better candidate then
> this recommendation could be modified in a BCP that replaces this document.

The problem is that there is no alternative with acceptable
performance that fixes the issues, that is widely deployed. Even if we
had a better alternative today, interop would still make P256 the
easiest choice, and the tyranny of the install base continues.

Of course, then one has to deal with updating all the software out there.
>
> Naturally, if WG participants have concerns and we can settle on a better
> recommendation now, then the authors will incorporate the results of working
> group consensus.

Can we just get this draft out the door? Some of the issues being
addressed are easily exploitable, recurring security issues.

Sincerely,
Watson Ladd

>
> Peter
>
> --
> Peter Saint-Andre
> CTO @ &yet
> https://andyet.com/
>
> _______________________________________________
> Uta mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/uta



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither Liberty nor Safety."
-- Benjamin Franklin
