Perhaps I might suggest "No earlier than an RFC defining how they're used in certificates is approved"? :)
Is there a reason you wouldn't just bring this up in the Forum? We (Google) would be happy to support a ballot - once the RFC has reached the consensus process - for allowing it for leaves. For intermediates/roots, the most recent Forum F2F spent a considerable amount of time discussing the challenges and preconditions towards allowing such a thing, and I'm sure there will be more discussion next month. On Wed, Feb 1, 2017 at 3:06 PM, Jeremy Rowley <jeremy.row...@digicert.com> wrote: > Works for me. Any idea on when Mozilla is planning to permit Curve22519 > and Curve448? I’d like to plan for that date. > > > > *From:* Richard Barnes [mailto:rbar...@mozilla.com] > *Sent:* Wednesday, February 1, 2017 4:04 PM > *To:* Jeremy Rowley <jeremy.row...@digicert.com> > *Cc:* Hanno Böck <ha...@hboeck.de>; r...@sleevi.com; > mozilla-dev-security-pol...@lists.mozilla.org > *Subject:* Re: Other Curves > > > > Unfortunately, despite the Bitcoin community's enthusiasm, secp256k1 has > very bad side-channel properties: > > https://eprint.iacr.org/2014/161.pdf > https://bugzilla.mozilla.org/show_bug.cgi?id=1051509 > > Overall, I agree with Ryan that proliferation in this space is to be > avoided. I expect that the only real non-NIST algorithm we will expect to > support in the near term is EdDSA. > > --Richard > > > > > > On Wed, Feb 1, 2017 at 2:58 PM, Jeremy Rowley <jeremy.row...@digicert.com> > wrote: > > I think I should mention that I suggested secp256k1 for blockchain > reasons... > > -----Original Message----- > From: Hanno Böck [mailto:ha...@hboeck.de] > Sent: Wednesday, February 1, 2017 3:52 PM > To: Jeremy Rowley <jeremy.row...@digicert.com> > Cc: r...@sleevi.com; mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: Other Curves > > On Wed, 1 Feb 2017 22:38:54 +0000 > Jeremy Rowley <jeremy.row...@digicert.com> wrote: > > > Some of these curves are considered much better than the NIST curves > > (well, that’s what I’ve read anyway). > > Overall they have mostly the same weaknesses than the NIST curves. > There are differences in detail, but it really doesn't justify introducing > a lot of variety in the ecosystem. But I have a pretty good idea where that > hearsay comes from, and I'm pretty sure it has little to do with security. > > The modern curves like Curve25519 and Curve448 avoid many of the security > pitfalls of older curves. If you want more secure curves look at them and > push standards forward so they can be used within X.509. > > -- > Hanno Böck > https://hboeck.de/ > > mail/jabber: ha...@hboeck.de > GPG: FE73757FA60E4E21B937579FA5880072BBB51E42 > > > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > > > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy