On Wednesday, July 15, 2015 10:31:12 pm Tony Arcieri wrote:
> Binary curves in particular are showing warning signs of potential future
> security issues:
>
> https://eprint.iacr.org/2015/310.pdf
>
> I think even if we don't completely pare down the TLS curve portfolio to
> the list I suggested, if nothing else I would like to see binary curves
> removed.

As of today's draft version on GitHub [0], the only curves permitted in
TLS 1.3+ are:
secp256r1, secp384r1, secp521r1, & sect571r1

NIST naming [1] of these:
P-256, P-384, P-521, & B-571

The other 571-bit is sect571k1 / K-571 (already cut).

NIST notation [2] for these names:
"P" denotes prime, "B" denotes binary, and "K" denotes Koblitz

If there's sufficient evidence that binary curves are likely to be unsafe
in the future, then I would certainly consider that to be an additional
argument to cut sect571r1. Thus far, I haven't seen much of an argument to
keep it.

[0] https://tlswg.github.io/tls13-spec/#negotiated-groups
[1] https://tools.ietf.org/html/rfc4492#appendix-A
[2] http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf

Side question: what is the meaning of the "r" in the naming convention we
use? (e.g. secp521r1, & sect571r1 vs. sect571k1)

Dave