On Wednesday, July 15, 2015 05:06:37 pm Tanja Lange wrote: > > The main reason I think this warrants discussion is that dropping it would > > drop the maximum bits here, which whilst obviously not the only factor to > > take into account, will possibly not be desired by some. The main arguments > > for ditching is probably that it might not be safely implemented and nobody > > actually needs something this big. > > Removing it would drop the max number of bits but not necessarily the > max security. The exact security of binary curves is currently under > discussion. The new algorithms offer at best an asymptotic speedup -- > but 571 might be big enough to fall under asymptotics. > > I understand that libraries support it, but is it actually being used? > Does anybody have statistics on how many sites use it?
It's the most used of the rarely used curves. https://securitypitfalls.wordpress.com/2015/07/14/june-2015-scan-results/ Server-side support is generally low, however a number of servers prefer to use it for ECDHE. (usage is in the same order of magnitude as P-384 & P-521, though notably less) This is down from the previous month's results but up from the month before. Server support is at a similar rate to other rarely used larger curves, but still a fraction of a percent. Nothing requires it, outright. It's important to note that the dropped range(s) of curves are listed as "MUST NOT" offer or negotiate for any TLS 1.3 implementation, though I haven't added any requirement to enforce that. Dropping it really does drop down the max size drastically, but the general CFRG consensus seems to be that nothing above curve448 is even helpful and secp521r1 would still be permitted for those that want bigger numbers. (given the CFRG opinion, even secp521r1 should be on the chopping block, then) Dave _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
