Re: [TLS] Using Brainpool curves in TLS

mrex@sap.com (Martin Rex) Wed, 16 October 2013 02:52 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C968811E8220 for <tls@ietfa.amsl.com>; Tue, 15 Oct 2013 19:52:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.957
X-Spam-Level:
X-Spam-Status: No, score=-9.957 tagged_above=-999 required=5 tests=[AWL=0.292, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id scq-V94vEVhs for <tls@ietfa.amsl.com>; Tue, 15 Oct 2013 19:52:52 -0700 (PDT)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by ietfa.amsl.com (Postfix) with ESMTP id 002CE21F9D30 for <tls@ietf.org>; Tue, 15 Oct 2013 19:52:49 -0700 (PDT)
Received: from mail05.wdf.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id r9G2qgsl016328 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 16 Oct 2013 04:52:43 +0200 (MEST)
In-Reply-To: <CAK3OfOhDSeZChAyTUxGnvGWf4U2rV=GzJ=t_xJO_Gaycp=Rm8w@mail.gmail.com>
To: Nico Williams <nico@cryptonector.com>
Date: Wed, 16 Oct 2013 04:52:42 +0200 (CEST)
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20131016025242.CDBAD1A9FF@ld9781.wdf.sap.corp>
From: mrex@sap.com (Martin Rex)
X-SAP: out
Cc: Patrick Pelletier <code@funwithsoftware.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Using Brainpool curves in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Oct 2013 02:52:57 -0000

Nico Williams wrote:
> 
> > but it is trivial to introduce backdoors into implementations of them.
> 
> Do you mean that it's easier to backdoor implementations of specific
> EC curves than, say, RSA?  I would think that implementations of...
> just about anything can be backdoored with relative ease.

I assume that he might have meant what is also indicated on the
referenced Web Site http://safecurves.cr.yp.to/
that it is extremely difficult to implement ECC and _NOT_ hang yourself,

It would not surprise me at all if the vast majority of ECC
implementations would be found to be vulnerable to serious
weaknesses, when carefully analyzed, and that the problems found
in the RSA part would be *MUCH* smaller in comparison.

-Martin