https://tools.ietf.org/html/draft-ietf-curdle-pkix-03 needs to move
forward first. It is currently in working group last call.
https://tools.ietf.org/html/rfc8032 is now published, which replaces
I-D.irtf-cfrg-eddsa, so that removes the last dangling reference from
curdle-pkix.

We also need to sort out the HSM situation.  I'll bet that we could
lure some HSM vendors to meet with CAs at some upcoming industry event
where we can express our interests to them :)


On Wed, Feb 1, 2017 at 3:06 PM, Jeremy Rowley
<jeremy.row...@digicert.com> wrote:
> Works for me. Any idea on when Mozilla is planning to permit Curve25519 and 
> Curve448? I’d like to plan for that date.
>
> From: Richard Barnes [mailto:rbar...@mozilla.com]
> Sent: Wednesday, February 1, 2017 4:04 PM
> To: Jeremy Rowley <jeremy.row...@digicert.com>
> Cc: Hanno Böck <ha...@hboeck.de>; r...@sleevi.com; 
> mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Other Curves
>
>
>
> Unfortunately, despite the Bitcoin community's enthusiasm, secp256k1 has very 
> bad side-channel properties:
>
> https://eprint.iacr.org/2014/161.pdf
> https://bugzilla.mozilla.org/show_bug.cgi?id=1051509
>
> Overall, I agree with Ryan that proliferation in this space is to be avoided. 
>  I expect that the only real non-NIST algorithm we will expect to support in 
> the near term is EdDSA.
>
> --Richard
>
> On Wed, Feb 1, 2017 at 2:58 PM, Jeremy Rowley <jeremy.row...@digicert.com> wrote:
>
> I think I should mention that I suggested secp256k1 for blockchain reasons...
>
> -----Original Message-----
> From: Hanno Böck [mailto:ha...@hboeck.de]
> Sent: Wednesday, February 1, 2017 3:52 PM
> To: Jeremy Rowley <jeremy.row...@digicert.com>
> Cc: r...@sleevi.com; mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Other Curves
>
> On Wed, 1 Feb 2017 22:38:54 +0000
> Jeremy Rowley <jeremy.row...@digicert.com> wrote:
>
>> Some of these curves are considered much better than the NIST curves
>> (well, that’s what I’ve read anyway).
>
> Overall they have mostly the same weaknesses as the NIST curves.
> There are differences in detail, but it really doesn't justify introducing a 
> lot of variety in the ecosystem. But I have a pretty good idea where that 
> hearsay comes from, and I'm pretty sure it has little to do with security.
>
> The modern curves like Curve25519 and Curve448 avoid many of the security 
> pitfalls of older curves. If you want more secure curves look at them and 
> push standards forward so they can be used within X.509.
>
> --
> Hanno Böck
> https://hboeck.de/
>
> mail/jabber: ha...@hboeck.de
> GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
>
>
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy