Ben Personick <ben.person...@iongroup.com> wrote:
>
> (My apology for the long email, I did not have time to write a shorter one)
> We are currently evaluating when to begin offering ECC Certificates
> based crypto on our websites.
>
> Despite the advantages to doing this in TLS 1.2, there is a lot of
> push-back to wait until we "have to support it" once the TLS 1.3 draft
> is published, and the option to use it becomes available.

Honestly, why would you want to do this?

ECC/RSA Dual Cert setups are cryptographically a bad idea, and a real
nuisance for interoperability.

Elliptic Curve Crypto, when used with the design-flawed ECDSA digital
signature algorithm, might leak the private key within a few thousand
TLS full handshakes to a mere passive observer.

Support for EdDSA is somewhere between thin and non-existent still.

And for programmatic TLS clients, which take security seriously, and
do not come with hundreds of public CA certificates preconfigured as
trusted, a sudden change of the TLS server certificate when rearranging
TLS cipher suites or when the underlying TLS implementation starts to
include support for ECDSA certificates, can easily result in a sudden
unexpected loss of interop (missing trust).

Testing that you have the required trust properly configured for
*BOTH* TLS server certs is a royal pita, and _preparing_ for a TLS
client software update that adds support for ECDSA cipher suites
is pretty much impossible to test (unless you already have that
implementation, but that is not what I meant with preparing).

-Martin

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
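
The missing-trust failure described in the reply above can be checked from the client side before a cipher-suite or library change; the following is an added example, not part of the original message or of any project's code. It assumes a TLS 1.2 dual-certificate server and a Python build linked against OpenSSL; the function names, the `AUTH_CIPHERS` table and the placeholder host `www.example.com` are hypothetical, while `aECDSA` and `aRSA` are OpenSSL cipher-list keywords.

```python
import socket
import ssl

# OpenSSL cipher-list keywords that select suites by server certificate type.
AUTH_CIPHERS = {"ecdsa": "ECDHE+aECDSA", "rsa": "aRSA"}


def make_context(auth, cafile=None):
    """Client context offering only TLS 1.2 suites for one certificate type.

    With cafile set, only that bundle is trusted, which models a programmatic
    client that ships its own small trust store.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    # Cap at TLS 1.2, where the negotiated suite decides which cert is served.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(AUTH_CIPHERS[auth])
    return ctx


def offered_auth_types(ctx):
    """Authentication types of the TLS <= 1.2 suites the context will offer."""
    return {c["auth"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"}


def probe(host, port=443, cafile=None, timeout=5.0):
    """Handshake once per certificate type and report whether each is trusted."""
    results = {}
    for auth in AUTH_CIPHERS:
        ctx = make_context(auth, cafile)
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[auth] = "trusted, suite " + tls.cipher()[0]
        except ssl.SSLCertVerificationError as exc:
            # The case from the message: the chain for this cert type is not
            # in the client's trust store.
            results[auth] = "UNTRUSTED: " + exc.verify_message
        except (ssl.SSLError, OSError) as exc:
            # No shared suite (server has no cert of this type) or no network.
            results[auth] = "no handshake: " + str(exc)
    return results


if __name__ == "__main__":
    # Placeholder host; pass cafile="pinned-ca.pem" to test a pinned store.
    for auth, outcome in probe("www.example.com").items():
        print(auth, "->", outcome)
```

An `UNTRUSTED` result for one type and `trusted` for the other means the client will break the moment the server or client library starts preferring the other certificate.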