On Apr 1, 2014, at 8:02 PM, Olafur Gudmundsson <o...@ogud.com> wrote:
> > On Apr 1, 2014, at 10:48 PM, Paul Hoffman <paul.hoff...@vpnc.org> wrote: > >> On Apr 1, 2014, at 7:37 PM, Olafur Gudmundsson <o...@ogud.com> wrote: >> >>> Why not go to a good ECC instead ? (not sure which one, but not P256 or >>> P384) >> >> Why not P256 or P384? They are the most-studied curves. Some of the newer >> curves do have advantages, but they are also newer. >> >> --Paul Hoffman > > > The verification performance is bad, P256 takes 24x times longer to verify a > signature than 2048 bit RSA key. > Studied != good performance I believe that there are no elliptic curves that get *much* better verification speeds that P256/P384. Some are a bit faster, but not even close to RSA2048. From your question "Why not go to a good ECC instead", I assumed you were caring about predictability against attacks and key length, which are the strengths of elliptic curve cryptography. --Paul Hoffman _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop