NIST cannot prohibit a curve, or an algorithm. But they may not approve it –
and for customers that require approved technology and algorithms, it would
prevent them from using anything that’s not explicitly approved.
--
V/R,
Uri
There are two ways to design a system. One is to make it so simple there are
obviously no deficiencies.
The other is to make it so complex there are no obvious deficiencies.
- C. A. R. Hoare
From: Richard Barnes <r...@ipv.sx>
Date: Wednesday, June 5, 2024 at 20:20
To: tls@ietf.org <tls@ietf.org>
Subject: [EXT] [TLS]Re: Is NIST actually prohibiting X25519?
As with the earlier thread, this message is off-topic for this list.
Regardless of what NIST does, the TLS protocol does and will support a variety
of curves. On Wed, Jun 5, 2024 at 20: 14 D. J. Bernstein <djb@ cr. yp. to>
wrote: Andrei
ZjQcmQRYFpfptBannerStart
This Message Is From an External Sender
This message came from outside the Laboratory.
ZjQcmQRYFpfptBannerEnd
As with the earlier thread, this message is off-topic for this list.
Regardless of what NIST does, the TLS protocol does and will support a variety
of curves.
On Wed, Jun 5, 2024 at 20:14 D. J. Bernstein
<d...@cr.yp.to<mailto:d...@cr.yp.to>> wrote:
Andrei Popov writes:
> This is a complicated compliance question. I'm not qualified to
> comment on this option.
I think it's worth investigating, considering the following NIST quote:
Their associated key agreement schemes, X25519 and X448, will be
considered for inclusion in a subsequent revision to SP 800-56A. The
CMVP does not intend to enforce compliance with SP 800-56A until
these revisions are complete.
https://web.archive.org/web/20200810165057/https://csrc.nist.gov/projects/cryptographic-module-validation-program/notices<https://web.archive.org/web/20200810165057/https:/csrc.nist.gov/projects/cryptographic-module-validation-program/notices>
Does anyone have any documents showing that NIST has reneged on the
above announcement? Possibilities:
* Yes: then I'd appreciate a pointer so that concerned members of the
community can tell NIST what they think about this and, hopefully,
get NIST to change course.
* No: then the announcement and consistent handling of this by NIST
would be another reason for IETF to not be dragged down by the
current limitations of NIST SP 800-56A.
If nobody has ever tried asking NIST to approve an X25519 solution as
per the above announcement, surely that would be a useful experiment,
creating a path towards simplifying subsequent TLS WG discussions.
---D. J. Bernstein
_______________________________________________
TLS mailing list -- tls@ietf.org<mailto:tls@ietf.org>
To unsubscribe send an email to tls-le...@ietf.org<mailto:tls-le...@ietf.org>
_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org
