Re: [TLS] (selection criteria for crypto primitives) Re: sect571r1

Ilari Liusvaara <> Tue, 21 July 2015 17:20 UTC

Date: Tue, 21 Jul 2015 20:20:11 +0300
From: Ilari Liusvaara <>
To: Dave Garrett <>
Message-ID: <20150721172011.GA28095@LK-Perkele-VII>

On Tue, Jul 21, 2015 at 11:30:15AM -0400, Dave Garrett wrote:
> On Tuesday, July 21, 2015 10:47:05 am Ilari Liusvaara wrote:
> > I thought that Brainpool curves weren't removed (even if those aren't
> > explicitly in), which are random prime curves.
> > 
> > Also, the security of binary curves seems quite questionable.
> Brainpool curves aren't in the TLS 1.3 draft, but they're not prohibited either.
> If there's no strong objection, I'd like to add them to the list, if
> just to document the current NamedGroup registry. I could add a
> recommendation to stick to standards track, for those worrying about them.

Related: There's the following draft: draft-iab-crypto-alg-agility
(currently in IETF LC) which contains the following:

3.4 National Cipher Suites

"The default server or
responder configuration SHOULD disable such algorithms; in this way,
explicit action by the system administrator is needed to enable them
where they are actually required."

While the thing is about cipher suites, it also goes for curves.

Also, Brainpool is much slower than the special prime stuff,
so I think the defaults should be high-performance where it is
not known to hurt security.

This could also be applied to some actual ciphersuite stuff, namely
ARIA and CAMELLIA (there doesn't seem to be any usable SEED ciphers).
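An added example (not part of the message or of the draft it quotes) that applies the quoted default-off guidance to an OpenSSL-style configuration: it flags ARIA, CAMELLIA and SEED suites and Brainpool or binary (sect*) named groups in a cipher/group list, and emits the default variant with them removed so that re-enabling them takes an explicit administrator edit. The policy lists and the sample configuration are this example's own assumptions.

```python
import re

# National cipher-suite algorithms discussed in the thread (ARIA, CAMELLIA,
# SEED), matched as substrings of OpenSSL suite names. Policy list assumed.
NATIONAL_CIPHER_TOKENS = ("ARIA", "CAMELLIA", "SEED")

# Curve families kept out of the defaults: Brainpool (random-prime curves,
# slower than the special-prime curves) and binary curves such as sect571r1.
# Names follow OpenSSL's 'Groups' syntax; the policy is this example's assumption.
DEFAULT_OFF_GROUP = re.compile(r"^(brainpoolP\d+[rt]\d|sect\d+[rk]\d)$")


def audit_ciphers(cipher_list: str) -> list:
    """Return suites in an OpenSSL cipher string that defaults should not enable.

    Entries prefixed with '!' or '-' already disable a suite and '@' entries
    are ordering directives, so only positive entries are flagged.
    """
    flagged = []
    for entry in cipher_list.split(":"):
        suite = entry.strip()
        if not suite or suite[0] in "!-@":
            continue
        if any(tok in suite.upper() for tok in NATIONAL_CIPHER_TOKENS):
            flagged.append(suite)
    return flagged


def audit_groups(group_list: str) -> list:
    """Return named groups (colon-separated) that defaults should not enable."""
    return [g.strip() for g in group_list.split(":") if DEFAULT_OFF_GROUP.match(g.strip())]


def default_policy(cipher_list: str, group_list: str) -> tuple:
    """Return (ciphers, groups) with flagged entries removed: the default-off
    configuration the draft asks for, leaving opt-in to the administrator."""
    drop_c = set(audit_ciphers(cipher_list))
    drop_g = set(audit_groups(group_list))
    ciphers = ":".join(s.strip() for s in cipher_list.split(":") if s.strip() not in drop_c)
    groups = ":".join(g.strip() for g in group_list.split(":") if g.strip() not in drop_g)
    return ciphers, groups


# Constructed sample configuration (not taken from any real deployment).
SAMPLE_CIPHERS = ("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
                  "ECDHE-ECDSA-ARIA256-GCM-SHA384:ECDHE-RSA-CAMELLIA128-SHA256:"
                  "DHE-RSA-SEED-SHA:ECDHE-ECDSA-CHACHA20-POLY1305")
SAMPLE_GROUPS = "X25519:P-256:brainpoolP256r1:sect571r1:P-384"

if __name__ == "__main__":
    print("default-off suites:", audit_ciphers(SAMPLE_CIPHERS))
    print("default-off groups:", audit_groups(SAMPLE_GROUPS))
    print("default policy:", default_policy(SAMPLE_CIPHERS, SAMPLE_GROUPS))
```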