Nick Sullivan <nicholas.sulli...@gmail.com> writes:

> the Elliptic Curve variant has recently been identified as troublesome as
> well (see recent JWE vulnerability
> https://blogs.adobe.com/security/2017/03/critical-vulnerability-uncovered-in-json-encryption.html
> and CVE-2017-8932).

Which sorta begs the question, why was it put in the standard (or at least an addendum to the standard) in the first place? Misusing DH as if it was RSA was a dumb idea [0] when it was made a part of S/MIME twenty years ago - the entire S/MIME implementer community ignored the X9.42 MUST and kept on using the RSA MAY as if it was the MUST, and PGP used it as Elgamal even if they labelled it DH.

Given that JWE quite sensibly specifies RSA-OAEP, why was ECDH-ES also given as an option, and why would anyone then actually use it rather than just ignoring it like X9.42?

Peter.

[0] I was going to say "bad idea" but it was so obviously wrong to pretty much everyone involved that I've upgraded the epithet.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
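The JWE problem referenced in the quoted message concerned ECDH-ES implementations that used a received ephemeral public key (the JWE `epk` header, a JWK) without checking that the point lies on the named curve. The check below is an added example, not code from this thread or from any JOSE library: it validates a P-256 JWK point against the curve equation before it is ever fed to a key-agreement routine. The sample keys are constructed (the P-256 generator, and the same key with a tampered `y`).

```python
import base64

# NIST P-256 domain parameters (FIPS 186-4); JWE ECDH-ES names the curve in the JWK "crv" member.
P256 = {
    "p": 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff,
    "a": 0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc,  # a = p - 3
    "b": 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b,
    "gx": 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
    "gy": 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5,
}


def _b64url_to_int(s: str) -> int:
    # JWK coordinates are unpadded base64url (RFC 7518 section 6.2.1.2); restore padding before decoding
    return int.from_bytes(base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)), "big")


def _int_to_b64url(v: int) -> str:
    return base64.urlsafe_b64encode(v.to_bytes(32, "big")).rstrip(b"=").decode()


def validate_epk(jwk: dict) -> bool:
    """Return True only if jwk is a P-256 public key whose point satisfies the curve equation.

    Anything that fails here must be rejected before any scalar multiplication with the
    recipient's private key; computing ECDH on a point from some other curve is exactly the
    invalid-curve failure mode the Adobe write-up describes.
    """
    if jwk.get("kty") != "EC" or jwk.get("crv") != "P-256":
        return False
    try:
        x, y = _b64url_to_int(jwk["x"]), _b64url_to_int(jwk["y"])
    except (KeyError, ValueError, TypeError):
        return False
    p, a, b = P256["p"], P256["a"], P256["b"]
    if not (0 <= x < p and 0 <= y < p):  # coordinates must be reduced field elements
        return False
    # Curve equation y^2 = x^3 + a*x + b over GF(p). P-256 has cofactor 1, so an on-curve
    # point is automatically in the prime-order group and no separate subgroup check is needed.
    return (y * y - (x * x * x + a * x + b)) % p == 0


# Constructed sample JWKs: the generator point (valid) and the same x with a tampered y (off-curve).
GOOD_EPK = {"kty": "EC", "crv": "P-256", "x": _int_to_b64url(P256["gx"]), "y": _int_to_b64url(P256["gy"])}
BAD_EPK = {"kty": "EC", "crv": "P-256", "x": _int_to_b64url(P256["gx"]), "y": _int_to_b64url(P256["gy"] ^ 1)}

if __name__ == "__main__":
    print("generator point accepted:", validate_epk(GOOD_EPK))  # True
    print("tampered point accepted: ", validate_epk(BAD_EPK))   # False
```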