I'm glad I have to opportunity to make you happy Sean :-) On Mon, July 11, 2016 7:40 am, Sean Turner wrote: > I think I can take this bit: > > On Jul 10, 2016, at 06:51, Peter Dettman <peter.dett...@bouncycastle.org> > wrote: >> >> I'm also curious whether there is a precedent in other RFCs for an >> explicit minimum curve bits, or perhaps a de facto implementer's rule? > > I'd be happy to be wrong here. but to my knowledge no there's not been > an explicit minimum for curve bits. There have however been similar (at > least in my non-cryptographer mind) for RSA key sizes so if we wanted to > define an explicit minimum curve bits then we could.
draft-ietf-tls-pwd-07 includes a RECOMMENDED practice of ensuring the curves used provide commensurate strength with the ciphersuite negotiated. Section 10, "Implementation Considerations", says: It is RECOMMENDED that implementations take note of the strength estimates of particular groups and to select a ciphersuite providing commensurate security with its hash and encryption algorithms. A ciphersuite whose encryption algorithm has a keylength less than the strength estimate, or whose hash algorithm has a blocksize that is less than twice the strength estimate SHOULD NOT be used. And I would like to take this opportunity to remind everyone that the only difference between TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 and TLS_ECCPWD_WITH_AES_128_GCM_SHA256 is that the latter is resistant to dictionary attack and the former is not. regards, Dan. _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
