D. J. Bernstein wrote:
>Again, I understand that certificates haven't upgraded to allowing Ed25519 yet;

The WebPKI forbids EdDSA and my understanding is that TLS library support is lacking [1], but otherwise I don't think there are any problems with using EdDSA certificates [2] in general. Ericsson is planning to start using EdDSA+PQC hybrids soon. For new systems I think X25519, EdDSA, and SHAKE are superior to P-256, ECDSA, and SHA-2. For existing systems it does not make much sense to update, especially as most systems need to move to PQC signatures soon.

[1] https://github.com/netty/netty/issues/10916
[2] https://datatracker.ietf.org/doc/html/rfc8410

Loganaden Velvindron wrote:
>My personal view is that it's important to have at least one "independent"
>curve like X25519

I am very positive about using X25519 as I think it has better properties than P-256. I am strongly against the idea that TLS needs an "independent" curve. I think the idea that P-256 is backdoored is conspiracy theory nonsense. I really like Filippo Valsorda’s challenge to recover the seeds. I think NSA should take on the challenge and give the bounty to charity. They have the capability to win and they should have an interest in increasing trust in the P-curves.

https://words.filippo.io/dispatches/seeds-bounty/

Cheers,
John Preuß Mattsson