On Tuesday 22 March 2016 23:26:22 Dave Garrett wrote: > X25519, secp256r1, X448, one of ffdhe3072 or ffdhe4096, and then > lastly, ffdhe8192 and/or secp521r1 only as emergency backup > (arguably, X448 belongs back here too) > > I'd like to specify ffdhe2048 (~103-bit strength) as "MUST NOT" use > for TLS 1.3+ and only support it for transition in older TLS. (this > came up on-list a long while ago, but needs further discussion)
DHE gets prohibitive (computationally) rather quickly, and given that 1024 only /may/ have been broken, a "SHOULD NOT" for 2048 with "MUST use ephemeral key share" is IMHO more appropriate > I'd > state secp384r1 (...) as "NOT RECOMMENDED" to bother with, > but still permitted I'd say it is a tad bit too strong of a wording for the strongest curve supported by SChannel... -- Regards, Hubert Kario Senior Quality Engineer, QE BaseOS Security team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
signature.asc
Description: This is a digitally signed message part.
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
