> In other words, will another curve be allowed once it's added to NIST SP 
> 800-56A?
For a (large) subset of the services, I believe this would allow Azure to 
enable X25519.

There would still remain services and environments where P384 is required 
(e.g., anywhere CNSA applies). This is a significant chunk for Azure, but 
perhaps less of an issue for some other operators.

> Maybe faster: would the short-term problem be addressed if we can convince 
> NIST to announce that it will consider X25519 and X448 for a revision of SP 
> 800-56A, and doesn't intend to enforce conformance of cryptographic modules 
> with SP 800-56A until the revisions are done?
This is a complicated compliance question. I'm not qualified to comment on this 
option.

> Or are you saying that, independently of NIST's decisions, the services in 
> question are for some reason specifically requiring what's typically called 
> the "NIST curves", namely the fifteen NSA curves that NIST standardized?
No, not saying this. There may be customers who prefer NIST curves, but I have 
no data showing that this is common.

Cheers,

Andrei

-----Original Message-----
From: D. J. Bernstein <d...@cr.yp.to> 
Sent: Wednesday, June 5, 2024 1:01 PM
To: tls@ietf.org
Subject: [EXTERNAL] [TLS]Re: Curve-popularity data?

Andrei Popov writes:
> I support this change, willing to implement it in the Windows TLS 
> stack. We have thousands of customers concerned about increased 
> latencies due to the enablement of TLS 1.3. The services they connect 
> to require NIST curves and HRR is required to get TLS clients to send 
> appropriate key shares.

To clarify, when you say "require NIST curves", do you mean "require 
conformance with NIST SP 800-56A"? 

In other words, will another curve be allowed once it's added to NIST SP 
800-56A? Maybe faster: would the short-term problem be addressed if we can 
convince NIST to announce that it will consider X25519 and X448 for a revision 
of SP 800-56A, and doesn't intend to enforce conformance of cryptographic 
modules with SP 800-56A until the revisions are done?

Or are you saying that, independently of NIST's decisions, the services in 
question are for some reason specifically requiring what's typically called the 
"NIST curves", namely the fifteen NSA curves that NIST standardized? Or the 
subset of those that NIST hasn't deprecated yet?

Thanks in advance for the clarification.

---D. J. Bernstein

_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org
