On Tue, Jul 17, 2018 at 8:04 AM Johannes Merkle <johannes.mer...@secunet.com> wrote:
> Crypto agility definitely has its value. There are not so many curves
> supported by TLS 1.3, and all of them use primes
> of a very special form. Of course, this is exactly what makes these curves
> faster than the Brainpool curves, but from a
> security perspective it might be advisable to have alternatives at hand
> which have very different properties

Between the NIST curves and Curve25519/Ed448 we have this already.

> (and have not been generated by the NSA using seeds of obscure origin).

We've been through this before, e.g.:

https://www.ietf.org/mail-archive/web/tls/current/msg10271.html
https://bada55.cr.yp.to/brainpool.html

...the latter of which quotes you as saying the repeated digits in the "A" and "B" values used in Brainpool seed generation process were "unfortunate".

There are no compelling practical reasons to continue to support the Brainpool curves. They are both redundant and obscure.

--
Tony Arcieri