Tony Arcieri wrote: [ Charset UTF-8 unsupported, converting... ] > Dave Garrett <davemgarr...@gmail.com> wrote: >> >> It's the most used of the rarely used curves. > > > I think all "rarely used curves" should be removed from TLS. Specifically, > I think it would make sense for TLS to adopt a curve portfolio like this: > > - CFRG curves (RECOMMENDED): Curve25519, Ed448-Goldilocks > - NIST curves (SUPPORTED): P-256, P-384, P-521
P-256 and P-384 seem to be pretty important to some folks (those with a NIST/NSA Suite B checklist). I'm OK with P-521, but I would prefer to get rid of pretty much all _other_ NIST curves with unexplained parameters, including 571 Either the NIST curves with unexplained constants _are_ backdoored, then you get screwed no matter which one of them you use. Or the NIST curves are OK, then P-521 will be good enough. IMO. -Martin Microsoft SChannel seems to implent the 3 NIST curves (P-256, P-384, P-521), and MSIE 10 exhibits a curious behaviour on my Win7 machine: when only TLSv1.0 is enabled, then MSIE 10 sends a ClientHello with P-521 as the first curve in the named_curve extension. when TLSv1.2 is also enabled, then MSIE 10 sends a ClientHello with P-256 as the first curve in the named_curve extension. _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
