Rene Struik wrote on 16.07.2015 at 03:42:
> Dear colleagues:
>
> It seems prudent to keep some diversity of the gene pool and not only have
> curves defined over prime curves. Similarly, one should perhaps have some
> diversity of gene pool criteria within the set of recommended curves and not
> only include special primes. Should some problem with a particular subclass
> show up over time, one then at least has other classes available.
>
> On a general note, I do not understand what is wrong with having a dictionary
> of curves that is well-specified, but whose members are not all widely used.
> To my knowledge, having a dictionary does not force everyone to use every
> term in this (mandatory vs. optional to implement vs. mandatory to use, etc.).
>
> If one follows the line of reasoning of some people on the mailing list
> earlier today, doesn't this also call into question Brainpool curves, or,
> e.g., the Misty cipher, etc.? Moreover, this certainly calls into question
> why one would have a whole set of new DLP groups (which certainly cannot be
> widely used yet, since the ink to write the parameters down is still wet).
> What about RSA-1024, etc.?
>
I absolutely back up this position. Currently, the TLS 1.3 draft only permits curves over special primes. It has become quite clear in the discussions in CFRG and at the NIST ECC workshop that some parties (major hardware manufacturers, certification bodies) prefer curves over random primes. And as Rene has pointed out, allowing both would also give more agility w.r.t. potential future attacks on certain sub-classes.

Why can't the draft just specify the curves that are MTI but allow (at least some) alternative options, instead of putting all our eggs in one basket?

Johannes