On Thursday 17 Apr 2014 19:43:25 Matti Nykyri wrote:
> On Thu, Apr 17, 2014 at 04:49:45PM +0100, Mick wrote:
> > Can you please share how you create ECDHE_ECDSA with openssl ecparam, or
> > ping a URL if that is more convenient?
>
> Select curve for ECDSA:
> openssl ecparam -out ec_param.pem -name secp521r1
[snip ...]
> I don't know much about the secp521r1 curve or about its security.
[snip ...]

It seems that many sites that use ECDHE with various CA signature algorithms (ECC as well as conventional symmetric) use the secp521r1 curve - aka P-256. I just checked and gmail/google accounts use it too. Markus showed secp384r1 (P-384) in his example.

The thing is, guys, that both of these are shown as 'unsafe' in the http://safecurves.cr.yp.to tables and are of course specified by NIST and NSA.

Thank you both for your replies. I need to read a bit more into all this before I settle on a curve.

-- 
Regards,
Mick