Hi,

> There's a very strong reason against this: It creates complexity. More
> opportunities for attacks, more fragmentation of the ecosystem. I
> believe I speak for a lot of people here when I say that fewer
> algorithms is better and having more algs "just because" is not a good
> reason. With that in mind an algorithm doesn't have to be weak to be
> removed from TLS. It's reason enough if it's rarely used and doesn't
> have a significant advantage over alternatives.
Crypto agility definitely has its value. There are not so many curves supported by TLS 1.3, and all of them use primes of a very special form. Of course, this is exactly what makes these curves faster than the Brainpool curves, but from a security perspective it might be advisable to have alternatives at hand which have very different properties (and have not been generated by the NSA using seeds of obscure origin). This is particularly true since the code points had already been registered and have already been implemented in some products. Furthermore, the reasoning in the draft that these curves "should be assumed to be potentially unsafe" is completely wrong.

Johannes

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
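As an added illustration (not part of the post above, and not code from the TLS working group), the remark that the TLS 1.3 curves use primes "of a very special form" can be made concrete: the non-adjacent-form (NAF) weight of a field prime counts how many signed powers of two are needed to write it, which is what lets P-256 and Curve25519 reduce modulo p with a few shifts and adds while brainpoolP256r1 needs generic modular reduction. The primes are the published constants from FIPS 186-4, RFC 7748 and RFC 5639; the Miller-Rabin check only confirms they were transcribed correctly.

```python
# Added example: quantify how "special" the field primes of TLS 1.3 curves are
# versus a Brainpool prime, using the weight of the non-adjacent form (NAF).
# Few NAF terms -> reduction mod p is a handful of shifted adds/subtracts;
# ~n/3 terms (random-looking p) -> Montgomery/Barrett reduction is required.

# Field primes from the public specifications (FIPS 186-4, RFC 7748, RFC 5639).
P256 = 2**256 - 2**224 + 2**192 + 2**96 - 1
CURVE25519 = 2**255 - 19
BRAINPOOL_P256R1 = int(
    "A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377", 16)

def naf_digits(n):
    """Signed digits (-1/0/1, least-significant first) of the NAF of n >= 0."""
    digits = []
    while n > 0:
        if n & 1:
            d = 2 - (n & 3)   # 1 if n = 1 mod 4, -1 if n = 3 mod 4
            n -= d            # makes n divisible by 4: next digit is 0
        else:
            d = 0
        digits.append(d)
        n >>= 1
    return digits

def naf_weight(n):
    """Number of nonzero NAF digits, i.e. signed powers of two describing n."""
    return sum(1 for d in naf_digits(n) if d)

def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    # Miller-Rabin sanity check for the constants above (odd n > 37 assumed).
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

if __name__ == "__main__":
    for name, p in [("P-256", P256), ("Curve25519", CURVE25519),
                    ("brainpoolP256r1", BRAINPOOL_P256R1)]:
        print(f"{name}: prime={is_probable_prime(p)} NAF weight={naf_weight(p)}")
```

P-256 comes out at weight 5 and Curve25519 at weight 4, while the Brainpool prime needs on the order of 85 terms, which is the "special form" the post refers to.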