On Tue, Dec 24, 2013 at 03:00:37AM +1100, nanotek wrote:

> >We obviously don't know which is stronger against hypothetical
> >unpublished attacks, EDH at 2048-bits or the P-256 curve.  Feel
> >free to roll the dice.  Against publicly known attacks P-256 is
> >both more secure and more computationally efficient than 2048-bit
> >EDH.
> 
> I think 384-bit ECDSA keys might be my choice then?

I don't have any interoperability information for NIST P-384 (i.e.
secp384r1).  Like its P-256 cousin it is part of Suite B, and thus
generally also supported by software that supports P-256, but it
is likely not as widely used as P-256.  If there are any practical
unpublished attacks on P-256, one might guess they would be due to
the curve being "cooked" to be vulnerable.  In that case, it would
seem prudent to assume that P-384 is also suspect.  If you're
sufficiently paranoid, there is nothing you can trust.

I don't see any compelling reason to prefer P-384 over P-256, but
also know of no reasons to avoid it.  P-384 has higher CPU cost,
but this is generally tolerable in MTAs, since unlike web servers
the SMTP connection rate is generally well below CPU performance
limits.

-- 
        Viktor.
