On 23/06/2014 11:38, Peter Gutmann wrote:
> Watson Ladd <[email protected]> writes:
>
>> Clients don't validate DH parameters, and there is no list to check against,
>> which needs to be fixed before we can recommend them.
>
> Given that the standard ECC alternative to DH that everyone uses is NSA-
> provided curves [0], I don't think that's much more sensible...

I disagree. The NSA-provided curves may be weak(er) against some specific attackers, but bad DH parameters can be used by any malevolent server. Unless I'm mistaken, there are variants of the triple handshake attack that can use this fact, but can't work with ECDH.

I'm not saying ECC with the NIST curves is superior to DH, just that given the current state of DH in TLS, the comparison does not seem obvious: each of them has its own set of issues.

Manuel.
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
