Re: [TLS] sect571r1
Dan Brown <dbrown@certicom.com> Thu, 16 July 2015 01:42 UTC
Return-Path: <dbrown@certicom.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 129BD1B2CDB for <tls@ietfa.amsl.com>; Wed, 15 Jul 2015 18:42:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RM89_mhkHK0K for <tls@ietfa.amsl.com>; Wed, 15 Jul 2015 18:42:53 -0700 (PDT)
Received: from smtp-p01.blackberry.com (smtp-p01.blackberry.com [208.65.78.88]) by ietfa.amsl.com (Postfix) with ESMTP id 5CC661B2CD8 for <tls@ietf.org>; Wed, 15 Jul 2015 18:42:53 -0700 (PDT)
Received: from xct106cnc.rim.net ([10.65.161.206]) by mhs211cnc.rim.net with ESMTP/TLS/AES128-SHA; 15 Jul 2015 21:42:53 -0400
Received: from XMB116CNC.rim.net ([fe80::45d:f4fe:6277:5d1b]) by XCT106CNC.rim.net ([fe80::d824:6c98:60dc:3918%16]) with mapi id 14.03.0210.002; Wed, 15 Jul 2015 21:42:52 -0400
From: Dan Brown <dbrown@certicom.com>
To: Martin Rex <mrex@sap.com>, Tony Arcieri <bascule@gmail.com>
Thread-Topic: [TLS] sect571r1
Thread-Index: AQHQv0IwQsvdAJpzLEuyOkTGR5u8jJ3dUfsAgAAHmICAACWHAP//09Vm
Date: Thu, 16 Jul 2015 01:42:51 +0000
Message-ID: <20150716014248.5333071.47478.4400@certicom.com>
References: <CAHOTMVJ+Rbvojqsa35ysLy8M1YwWEc2Qm7LDppQj7YKdpr0cfA@mail.gmail.com>, <20150716002056.8BD691A1E9@ld9781.wdf.sap.corp>
In-Reply-To: <20150716002056.8BD691A1E9@ld9781.wdf.sap.corp>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/vh5WRUkz47Aj02ikO260t9ePmTg>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] sect571r1
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Jul 2015 01:42:55 -0000
Binary curves have some risks, due to recent work of Semaev on subexponential ECDLP, building on much past work. Even so, there's an argument from Koblitz and Menezes that special curves (e.g. binary curves) may survive some wider collapse. I think it's a weak argument, but for those for whom supporting more curves is easy, it could justify supporting a diversity of curves. What about sect571k1, a Koblitz curve, aka NIST curve K-571? (By the way it has no unexplained constants...). Has it been removed already, or does the question also refer K-571 too? The issue of malicious curves seems off-topic to this thread about max curve size, so briefly, to respond to the issue of unexplained constants it is a difficult issue, which CFRG is working on, and NIST too. My thought here is Brainpool deals best with this issue, so far, but it is a far-fetched issue, and other security issues are at least as important. Original Message From: Martin Rex Sent: Wednesday, July 15, 2015 8:21 PM To: Tony Arcieri Reply To: mrex@sap.com Cc: <tls@ietf.org> Subject: Re: [TLS] sect571r1 Tony Arcieri wrote: [ Charset UTF-8 unsupported, converting... ] > Dave Garrett <davemgarrett@gmail.com> wrote: >> >> It's the most used of the rarely used curves. > > > I think all "rarely used curves" should be removed from TLS. Specifically, > I think it would make sense for TLS to adopt a curve portfolio like this: > > - CFRG curves (RECOMMENDED): Curve25519, Ed448-Goldilocks > - NIST curves (SUPPORTED): P-256, P-384, P-521 P-256 and P-384 seem to be pretty important to some folks (those with a NIST/NSA Suite B checklist). I'm OK with P-521, but I would prefer to get rid of pretty much all _other_ NIST curves with unexplained parameters, including 571 Either the NIST curves with unexplained constants _are_ backdoored, then you get screwed no matter which one of them you use. Or the NIST curves are OK, then P-521 will be good enough. IMO. -Martin Microsoft SChannel seems to implent the 3 NIST curves (P-256, P-384, P-521), and MSIE 10 exhibits a curious behaviour on my Win7 machine: when only TLSv1.0 is enabled, then MSIE 10 sends a ClientHello with P-521 as the first curve in the named_curve extension. when TLSv1.2 is also enabled, then MSIE 10 sends a ClientHello with P-256 as the first curve in the named_curve extension. _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
- Re: [TLS] sect571r1 Tony Arcieri
- [TLS] sect571r1 Dave Garrett
- Re: [TLS] sect571r1 Benjamin Beurdouche
- Re: [TLS] sect571r1 Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] sect571r1 Yoav Nir
- Re: [TLS] sect571r1 Eric Rescorla
- Re: [TLS] sect571r1 Viktor Dukhovni
- Re: [TLS] sect571r1 Deirdre Connolly
- Re: [TLS] sect571r1 Adam Langley
- Re: [TLS] sect571r1 Tanja Lange
- Re: [TLS] sect571r1 Dave Garrett
- Re: [TLS] sect571r1 Dave Garrett
- Re: [TLS] sect571r1 Dan Brown
- Re: [TLS] sect571r1 Tony Arcieri
- Re: [TLS] sect571r1 Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] sect571r1 Dave Garrett
- Re: [TLS] sect571r1 Rob Stradling
- Re: [TLS] sect571r1 Rob Stradling
- Re: [TLS] sect571r1 Martin Thomson
- Re: [TLS] sect571r1 Brian Smith
- Re: [TLS] sect571r1 Tony Arcieri
- Re: [TLS] sect571r1 Eric Rescorla
- Re: [TLS] sect571r1 Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] sect571r1 Martin Rex
- Re: [TLS] sect571r1 Tony Arcieri
- [TLS] (selection criteria for crypto primitives) … Rene Struik
- Re: [TLS] (selection criteria for crypto primitiv… Tony Arcieri
- Re: [TLS] sect571r1 Dan Brown
- Re: [TLS] (selection criteria for crypto primitiv… Jeffrey Walton
- Re: [TLS] (selection criteria for crypto primitiv… Tony Arcieri
- Re: [TLS] sect571r1 Dave Garrett
- Re: [TLS] sect571r1 Dave Garrett
- Re: [TLS] sect571r1 Jeffrey Walton
- Re: [TLS] sect571r1 Tony Arcieri
- Re: [TLS] sect571r1 Viktor Dukhovni
- Re: [TLS] sect571r1 Jeffrey Walton
- Re: [TLS] sect571r1 Jeffrey Walton
- Re: [TLS] sect571r1 Viktor Dukhovni
- Re: [TLS] (selection criteria for crypto primitiv… Dave Garrett
- Re: [TLS] sect571r1 Yoav Nir
- Re: [TLS] sect571r1 Salz, Rich
- Re: [TLS] (selection criteria for crypto primitiv… Viktor Dukhovni
- Re: [TLS] sect571r1 Tony Arcieri
- Re: [TLS] sect571r1 Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] sect571r1 Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] sect571r1 Hubert Kario
- Re: [TLS] (selection criteria for crypto primitiv… Johannes Merkle
- Re: [TLS] (selection criteria for crypto primitiv… Ilari Liusvaara
- Re: [TLS] (selection criteria for crypto primitiv… Dave Garrett
- Re: [TLS] (selection criteria for crypto primitiv… Ilari Liusvaara
- Re: [TLS] (selection criteria for crypto primitiv… Eric Rescorla
- Re: [TLS] sect571r1 Sean Turner