On Tue, Jul 21, 2015 at 04:39:17PM +0200, Johannes Merkle wrote: > > I absolutely back up this position. Currently, the TLS 1.3 draft only permits > curves over special primes. It has become > quite clear in the discussions in CFRG and at the NIST ECC workshop that some > parties (major hardware manufacturers, > certification bodies) prefer curves over random primes. And as Rene has > pointed out, allowing both would also give more > agility w.r.t potential future attacks on certain sub-classes.
I thought that Brainpool curves weren't removed (even if those aren't explicitly in), which are random prime curves. Also, the security of binary curves seems quite questionable. And I would expect that if more curves croak, either relatively few curves croak (in style of MOV or SASS), or almost everything croaks. -Ilari _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
