Re: [Curdle] Which curves are MUST and SHOULD ?

Ron Frederick <> Fri, 11 December 2020 03:37 UTC

From: Ron Frederick <>
Date: Thu, 10 Dec 2020 19:37:22 -0800
To: "Mark D. Baushke" <>, Peter Gutmann <>, Rich Salz <>
Cc: Curdle Mailing List <>

On Dec 10, 2020, at 4:38 PM, Peter Gutmann <> wrote:
> Mark D. Baushke <> writes:
>> MAY diffie-hellman-group14-sha1
>> SHOULD NOT diffie-hellman-group-exchange-sha1
> Just wondering why the hardcoded group is MAY but the negotiated, and probably
> more secure, group is SHOULD NOT?  Is it because lots of legacy stuff will
> only do the hardcoded group?

I imagine the reasoning behind most of these being SHOULD NOT is due to the use of SHA-1. As for making an exception for group14-sha1, I think the intent there was that it was one of the most commonly implemented algorithms due to it being one of two REQUIRED algorithms in RFC 4253. This proposal drops it from being REQUIRED, but still allows it for interoperability with older implementations that didn’t add support for anything stronger.

I agree that diffie-hellman-group-exchange-sha1 could in theory be more secure than diffie-hellman-group14-sha1, but I think it makes more sense to encourage implementations to support diffie-hellman-group-exchange-sha256. It’s nearly as widely implemented as the SHA-1 version of group exchange, and much stronger.

Mark Baushke wrote:
> I am NOT certain about the nistp384 and nistp521. They are not
> consistent between the ecdh-sha2-nistp* and gss-nistp* forms.
> They most likely are best at SHOULD for all four of them.

SHOULD for all of these works for me.

Regarding the nistp curves vs. curve25519, I also have a personal bias toward curve25519, but I worry about it being much less widely implemented than the nistp curves. I’m not sure we’ve seen wide enough implementation to justify moving curve25519-sha256 to a “MUST”. Even if we include the older naming of “”, it’s still only about half as widely implemented as the ECDH/ECDSA nistp algorithms.

Unfortunately, this still leaves us with a question about how we get at least one MUST in the algorithm list.

Ron Frederick
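The interoperability argument above (keeping diffie-hellman-group14-sha1 at MAY so a modern client can still talk to a server that only implements the RFC 4253 REQUIRED set, while dropping the SHA-1 group-exchange variant) is easiest to see by running the negotiation rule itself. The following is an added example, not code from this post or from any SSH implementation: it implements the RFC 4253 section 7.1 rule that the chosen kex method is the first entry on the client's name-list that the server also lists, with a local policy filter layered on top. The algorithm lists are constructed for illustration, the simplified rule ignores the first_kex_packet_follows guess and the host-key capability checks of section 7.1, and the levels assigned to curve25519-sha256 and diffie-hellman-group-exchange-sha256 are assumptions (the thread has not settled them); only group14-sha1 = MAY, group-exchange-sha1 = SHOULD NOT and the nistp curves = SHOULD come from the discussion.

```python
"""RFC 4253 section 7.1 kex negotiation with a requirement-level policy.

Added example; not from the Curdle thread or any SSH implementation.
All algorithm lists below are constructed for illustration.
"""
from typing import Dict, List, Optional

# Requirement levels discussed in the thread. Entries marked "assumption"
# are not settled on the page; the others are the levels Mark proposed.
KEX_POLICY: Dict[str, str] = {
    "curve25519-sha256": "SHOULD",                   # assumption (not yet MUST per thread)
    "ecdh-sha2-nistp256": "SHOULD",
    "ecdh-sha2-nistp384": "SHOULD",
    "ecdh-sha2-nistp521": "SHOULD",
    "diffie-hellman-group-exchange-sha256": "SHOULD",  # assumption ("encouraged")
    "diffie-hellman-group14-sha1": "MAY",            # kept only for legacy interop
    "diffie-hellman-group-exchange-sha1": "SHOULD NOT",
}

# Constructed KEXINIT name-lists (RFC 4251 section 5: comma-separated, no spaces).
MODERN_CLIENT = (
    "curve25519-sha256,ecdh-sha2-nistp256,"
    "diffie-hellman-group-exchange-sha256,"
    "diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1"
)
MODERN_SERVER = "ecdh-sha2-nistp256,curve25519-sha256,diffie-hellman-group-exchange-sha256"
# A server offering only the two methods RFC 4253 marks REQUIRED.
LEGACY_SERVER = "diffie-hellman-group1-sha1,diffie-hellman-group14-sha1"


def parse_name_list(name_list: str) -> List[str]:
    """Split an SSH name-list, dropping empty entries."""
    return [name for name in name_list.split(",") if name]


def filter_by_policy(algs: List[str], allow_legacy: bool) -> List[str]:
    """Apply the local policy to a name-list, preserving order.

    SHOULD NOT entries and names not in the policy table are dropped.
    MAY entries survive only when the caller explicitly opts into legacy
    interoperability.
    """
    kept: List[str] = []
    for alg in algs:
        level = KEX_POLICY.get(alg)
        if level is None or level == "SHOULD NOT":
            continue
        if level == "MAY" and not allow_legacy:
            continue
        kept.append(alg)
    return kept


def negotiate_kex(client_list: str, server_list: str) -> Optional[str]:
    """RFC 4253 section 7.1 (simplified): the first algorithm on the
    client's list that the server also supports wins; the server's order
    is irrelevant. Returns None when the lists do not intersect, which in
    a real session means the connection must be disconnected."""
    server_algs = set(parse_name_list(server_list))
    for alg in parse_name_list(client_list):
        if alg in server_algs:
            return alg
    return None


def negotiate_with_policy(client_list: str, server_list: str, allow_legacy: bool) -> Optional[str]:
    """Client-side view: filter our own offer by policy, then negotiate."""
    offered = ",".join(filter_by_policy(parse_name_list(client_list), allow_legacy))
    return negotiate_kex(offered, server_list)


if __name__ == "__main__":
    # Both modern: the client's first preference is taken.
    print(negotiate_with_policy(MODERN_CLIENT, MODERN_SERVER, allow_legacy=False))
    # Legacy server, strict policy: no common method, session would fail.
    print(negotiate_with_policy(MODERN_CLIENT, LEGACY_SERVER, allow_legacy=False))
    # Legacy server, MAY-level group14-sha1 allowed: interop restored.
    print(negotiate_with_policy(MODERN_CLIENT, LEGACY_SERVER, allow_legacy=True))
```

Note that the SHOULD NOT entry (diffie-hellman-group-exchange-sha1) is removed from the client's offer in every mode, so even a legacy-tolerant client never negotiates it, while group14-sha1 is only reachable when the operator opts in; that is the practical difference between the two levels in the proposal.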