David Adrian writes: > I believe we were also discussing _certificates_ Yes, I quoted that from the outset:
P 256 is the most popular curve in the world besides the bitcoin curve. And I donât have head to head numbers, and the bitcoin curve is SEC P, but P 256 is most popular curve on the internet. So certificates, TLS, handshakes, all of that is like 70 plus percent negotiated with the P 256 curve. Immediately after quoting that, I wrote the following: "Last I heard, _certificates_ hadn't upgraded to allowing Ed25519 yet. My question is about the 'handshake' claim, and more broadly about the 'internet' and 'world' claims." > you decided to take the comment out of context No. The specific quote that I had been pointed to was shorter. I looked at quite a bit of text before and after that, and ended up giving the longer quote shown above. If you think that the puzzling aspects of what I quoted are explained by further context, please give a fuller quote and explain the relevance. In any event, please refrain from personal attacks. Thanks in advance. > and single out "the TLS co-chair" As I said, the statement is from one of the current TLS co-chairs, a month before the co-chair appointment. The position as co-chair adds to the importance of ensuring accurate information. > in a quote that begins with "I don't have the numbers". Let's look again at what I quoted: P 256 is the most popular curve in the world besides the bitcoin curve. And I donât have head to head numbers, and the bitcoin curve is SEC P, but P 256 is most popular curve on the internet. So certificates, TLS, handshakes, all of that is like 70 plus percent negotiated with the P 256 curve. The reader understands "I don't have head to head numbers" as referring to P-256 vs. the Bitcoin curve. That's not the part I'm asking about. Where does the "certificates, TLS, handshakes, all of that is like 70 plus percent negotiated with the P 256 curve" number come from? Where's the data showing that "P 256 is most popular curve on the internet", or "in the world besides the bitcoin curve"? > the utter irrelevance of current popularity of curves to the > introduction of a _new_ standard It's obviously not _the same_ question, but I don't agree with the extreme claim of "utter irrelevance". The original text also doesn't agree. It says that P-256 should be taken "seriously" for "new designs" because P-256 is "the most popular curve" (aside from maybe the Bitcoin curve): Should we still use 25519 for all new designs? Or should we take seriously at the idea of using the P curves again? ... I think we should take seriously because P 256 is the most popular curve in the world besides the bitcoin curve. And I donât have head to head numbers, and the bitcoin curve is SEC P, but P 256 is most popular curve on the internet. So certificates, TLS, handshakes, all of that is like 70 plus percent negotiated with the P 256 curve. People hearing that P-256 is the most popular curve on the Internet _presume_ that other curves don't have important advantages, and _worry_ that moving to another curve will incur tremendous startup costs. Are these guarantees? Of course not. Every solution that takes over because of its advantages has some initial time where it hasn't taken over; extrapolating from the initial unpopularity would be a mistake. But popularity measurements still give us _some_ sort of aggregate idea of what people care about. The picture is very different if the facts are instead that X25519 is the most popular curve in handshakes, and more broadly on the Internet. Readers hearing this become much less worried about the startup costs, and _presume_ that people actually do care about the advantages. Again: relationships, not guarantees. ---D. J. Bernstein
_______________________________________________ TLS mailing list -- tls@ietf.org To unsubscribe send an email to tls-le...@ietf.org
