Well, I note that the text also says "or have had very little usage,"
-Ekr

On Tue, Jul 17, 2018 at 7:57 AM, Dan Brown <danibr...@blackberry.com> wrote:

> It's mainly due to CFRG's advice, isn't it?
> Calling other curves potentially unsafe or inappropriate for general use
> is a bit harsh and outside the scope of TLS, isn't it?
> As to using a narrow or wide set of curves, there are reputable proposals
> for the latter:
>
> ia.cr/2015/647 and ia.cr/2015/366
>
> which may be too slow for TLS, or lacking in some other practicalities,
> but it is hard to conclude it is riskier or less secure.
>
> If it's not too late then an editorial softening for the reason for the
> set of allowed TLS curves makes sense.
>
> Best regards,
>
> Dan
>
> Original Message
> From: Hanno Böck
> Sent: Tuesday, July 17, 2018 9:56 AM
> To: tls@ietf.org
> Subject: Re: [TLS] Why are the brainpool curves not allowed in TLS 1.3?
>
> Hi,
>
> I think there's been a mentality change in the TLS community that
> explains this.
> Back when Brainpool curves were standardized there was a "more is
> better" mentality when it came to algorithms. I.e. if an algorithm is
> not broken it's good to have it in TLS. Particularly all kinds of
> nationalized algs made it into TLS.
>
> There's a very strong reason against this: It creates complexity. More
> opportunities for attacks, more fragmentation of the ecosystem. I
> believe I speak for a lot of people here when I say that fewer
> algorithms is better and having more algs "just because" is not a good
> reason. With that in mind an algorithm doesn't have to be weak to be
> removed from TLS. It's reason enough if it's rarely used and doesn't
> have a significant advantage over alternatives.
>
> Brainpool curves were never widely used in mainstream deployments of TLS
> (aka browsers). They have no significant advantage over the other
> choices. They pretty much exist because Germany wanted to have their
> homegrown crypto algorithm, too, meaning they exist for nationalistic
> reasons, not technical ones. So deprecating them has the same reason we
> don't have SEED or Camellia in TLS any more.
>
> --
> Hanno Böck
> https://hboeck.de/
>
> mail/jabber: ha...@hboeck.de
> GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls