I'd like to start using EdDSA curves for customers (and push for HSM
support). This would be much easier if there weren't so many policies (that
pre-date development of the curves) preventing actual use of the tech. Any
thoughts on when/if the policy will change?
Jeremy
smime.p7s
On Wed, May 11, 2016 at 11:08 PM, Hubert Kario wrote:
> I haven't tested it, but I don't think that will stop NSS trusting RSA
> certificates signed by ECC CAs.
There are plenty of things that NSS will still do with ECC if you
disable ECC cipher suites. That's for sure. If
On Friday 06 May 2016 10:34:37 Zoogtfyz wrote:
> > the larger key size helps w.r.t. quantum computers.
>
> If quantum computers are currently on the level of breaking AES-128,
> then they are on the level of breaking any asymmetric cryptography
> (RSA, DHE or ECDHE key exchange) we are using -
s>
> > On Fri, Apr 29, 2016 at 3:44 PM, jonetsu <jone...@teksavvy.com>
wrote:
> >> Hello,
> >>
> >> Is there a run-time option to disable all and every uses of
> >> elliptical curves ?
> >>
> >> If not, is there a compile option ?
&
into account other than "strength".
Indeed, and those considerations might be application-specific, or
hardware-specific, which is why I think the above 2 ERs make sense to
implement.
When it comes to signature algorithms and curves, IMO, there should be
some runtime support for config
Brian Smith wrote:
> A lot of people have interpreted what I wrote as saying AES-256 is bad.
I was not really referring to what you wrote about AES-256. I was referring to
for example https://eprint.iacr.org/2009/374 . Even though those are related
key attacks (which should not be relevant to
On Fri, May 6, 2016 at 10:12 AM, Peter Bowen wrote:
> Is a reasonable path to implement
> https://tools.ietf.org/html/draft-ietf-tls-negotiated-ff-dhe-10 and
> treat ECDHE suites as being DHE using a Supported Group? This would
> avoid new cipher suite IDs and accomplish the
On Fri, May 6, 2016 at 9:33 AM, Brian Smith wrote:
> So, I don't think that dropping AES-256 is the right thing to do. Instead,
> the ECDHE-AES-256-GCM cipher suites should be added to Firefox. Note that
> they were just recently added to Google Chrome.
These are also
On Thu, May 5, 2016 at 4:33 PM, Brian Smith wrote:
> Zoogtfyz wrote:
>>
>> 3) DHE (not ECDHE) cipher suits are far too often implemented incorrectly,
>> most often with default common DH primes, DH parameter reuse, or generally
>> weak bitstrenght
uld be dropped
> 3) Ordering from strongest to weakest, as opposed to what it is today.
>
There are other considerations to take into account other than "strength",
as David Benjamin's proposal and my suggestion linked above show.
> Additionally, Firefox 45esr currently supports t
On 05/05/16 15:22, Zoogtfyz wrote:
> This is my recommendation for changes to the supported ciphersuits in
> Mozilla Firefox. I performed rigorous compatibility testing and
> everything works as advertized. I used Firefox telemetry data, SSL
> Pulse data, and my own tests to verify that *not a
to what it is today.
Additionally, Firefox 45esr currently supports these elliptic curves in this
ordering:
secp256r1, secp384r1, secp521r1
I recommend removing support for secp521r1 since it is not supported in the
wild, Chrome does not support it, and we should be moving away from secp curves
ozilla.org/en-US/docs/Mozilla/Projects/NSS/Reference/NSS_environment_variables
>
> On Fri, Apr 29, 2016 at 3:44 PM, jonetsu <jone...@teksavvy.com> wrote:
>
>> Hello,
>>
>> Is there a run-time option to disable all and every uses of elliptical
>> cur
Is there a run-time option to disable all and every uses of elliptical
> curves ?
>
> If not, is there a compile option ?
>
> Thanks.
>
>
>
>
> --
> View this message in context:
> http://mozilla.6506.n7.nabble.com/Disabling-all-uses-of-elliptical-curves-t
Hello,
Is there a run-time option to disable all and every uses of elliptical
curves ?
If not, is there a compile option ?
Thanks.
--
View this message in context:
http://mozilla.6506.n7.nabble.com/Disabling-all-uses-of-elliptical-curves-tp354147.html
Sent from the Mozilla - Cryptography
Is patch good?
This patch is only valid for key exchange (ECDH), while Rick's email is about
certificate signing (ECDSA). Curve25519, and probably other Bernstein's curves,
can't be used with ECDSA (EdDSA must be used, a different algo).
Rick, if you want to support other curves (Brainpool?), you
On Monday, June 9, 2014 4:27:56 PM UTC-7, Rick Andrews wrote:
AFAIK, Symantec and other CAs have added ECC roots to Mozilla's root store
using NIST curves. Are any other ECC curves supported by Mozilla, in case one
wanted to use a different curve? Is the list of supported algorithms and key
AFAIK, Symantec and other CAs have added ECC roots to Mozilla's root store
using NIST curves. If a CA wanted to add a root using a different curve, we
would need to know what other curves were supported by Mozilla. Is this info
published anywhere?
--
dev-tech-crypto mailing list
dev-tech
On 06/10/2014 09:47 AM, Kurt Roeckx wrote:
On Mon, Jun 09, 2014 at 04:27:56PM -0700, Rick Andrews wrote:
AFAIK, Symantec and other CAs have added ECC roots to Mozilla's root store
using NIST curves. Are any other ECC curves supported by Mozilla, in case
one wanted to use a different curve
Hi,
I'm using NSS 3.12.4 with NSPR 4.8 release. I want to generate keys and
certs with the basic supported ECC curves (nistp256, nistp384, nistp521)
included when NSS is compiled with the NSS_ENABLE_ECC flag. However, when
I try using certutil to generate certificates using the basic NIST
On 2009-11-19 10:17 PST, Kai Chan wrote:
I'm using NSS 3.12.4 with NSPR 4.8 release. I want to generate keys and
certs with the basic supported ECC curves (nistp256, nistp384, nistp521)
included when NSS is compiled with the NSS_ENABLE_ECC flag. However,
when I try using certutil
, Kai Chan wrote:
I'm using NSS 3.12.4 with NSPR 4.8 release. I want to generate keys and
certs with the basic supported ECC curves (nistp256, nistp384, nistp521)
included when NSS is compiled with the NSS_ENABLE_ECC flag. However,
when I try using certutil to generate certificates using
2009/11/19 Kai Chan nahc...@gmail.com:
Hi,
I'm using NSS 3.12.4 with NSPR 4.8 release. I want to generate keys and
certs with the basic supported ECC curves (nistp256, nistp384, nistp521)
included when NSS is compiled with the NSS_ENABLE_ECC flag. However, when
I try using certutil
with the basic supported ECC curves (nistp256, nistp384, nistp521)
included when NSS is compiled with the NSS_ENABLE_ECC flag. However,
when
I try using certutil to generate certificates using the basic NIST
curves, I
keep receiving the security library failure error. Is there something
in
NSS
On 2009-11-19 13:07 PST, Kai Chan wrote:
Ah, noobtastic...
A new word for my vocabulary! :)
Thank you for reminding me to check shared library dependencies.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
Based on the LXR examples on the JSS test page I appear to be able to
generate Elliptic Curve Pairs. The examples show generation of keys of
various length. However, I would like to generate key pairs using the
standard curves recognized by NIST or included in Suite B. The Java
documentation
26 matches
Mail list logo