It's mainly due to CFRG's advice, isn't it?
Calling other curves potentially unsafe or inappropriate for general use is a 
bit harsh and outside the scope of TLS, isn't it?
As to using a narrow or wide set of curves, there are reputable proposals for 
the latter:

ia.cr/2015/647 and ia.cr/2015/366

which may be too slow for TLS, or lacking in some other practicalities, but it 
is hard to conclude it is riskier or less secure.

If it's not too late, then an editorial softening of the reason for the set of 
allowed TLS curves makes sense.

Best regards,

Dan


  Original Message
From: Hanno Böck
Sent: Tuesday, July 17, 2018 9:56 AM
To: tls@ietf.org
Subject: Re: [TLS] Why are the brainpool curves not allowed in TLS 1.3?


Hi,

I think there's been a mentality change in the TLS community that
explains this.
Back when Brainpool curves were standardized there was a "more is
better" mentality when it came to algorithms. I.e. if an algorithm is
not broken it's good to have it in TLS. Particularly all kinds of
nationalized algs made it into TLS.

There's a very strong reason against this: It creates complexity. More
opportunities for attacks, more fragmentation of the ecosystem. I
believe I speak for a lot of people here when I say that fewer
algorithms is better and having more algs "just because" is not a good
reason. With that in mind an algorithm doesn't have to be weak to be
removed from TLS. It's reason enough if it's rarely used and doesn't
have a significant advantage over alternatives.

Brainpool curves were never widely used in mainstream deployments of TLS
(aka browsers). They have no significant advantage over the other
choices. They pretty much exist because Germany wanted to have their
homegrown crypto algorithm, too, meaning they exist for nationalistic
reasons, not technical ones. So deprecating them has the same reason we
don't have SEED or Camellia in TLS any more.

--
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
