Hi,

As I’m working on this area recently, I will see if I can contribute. But it may be no easier than JDK 21. If you don’t mind, I may ask for more requirement details later and help for testing.

Thanks,
Xuelei

> On Nov 15, 2022, at 11:23 PM, <benjamin.marw...@f-i.de> <benjamin.marw...@f-i.de> wrote:
>
> Hi Xuelei and Sean,
>
> We use/see mostly brainpoolP512r1. But it is not just us!
>
>> , although I will note that the IANA registry
>> still lists them as not recommended for TLS [1].
>
> I agree that brainpoolP512r1 are not particularly interesting when it comes to TLS,
> but we still see server certificates (not the TLS algo) created with brainpoolP512r1, as well as keystores.
> Not being able to connect due to certificate validation errors OR
> not being able to read a (somewhat) recently created keystore was astonishing, to say the least.
>
>> And with
>> recently added support for EdDSA and the future with PQC, it's not
>> likely we will circle back to them.
>
> This is not about which algorithm is "better" or "can be replaced".
> It is only about "what should (still) be supported, because NIST and BSI still list them".
>
>> We are ok with a contribution,
>
> In my opinion, this is a major breaking change for this reason and should not wait for contributions.
>
> - Ben
>
>
> On 15.11.22, 15:35, "security-dev on behalf of Sean Mullan" <security-dev-r...@openjdk.org on behalf of sean.mul...@oracle.com> wrote:
>
> Hi,
>
> Thanks for your questions about brainpool. See below for more details.
>
> On 11/14/22 3:36 AM, benjamin.marw...@f-i.de wrote:
>> Hello everyone!
>>
>> To our surprise, brainpool EC have been deprecated with Java 14+ [1].
>> However, JDK-8234924 [1] does not add any information on WHY they would have been deprecated.
>> In fact, neither NIST (USA) nor BSI (Germany) list them as deprecated.
>> On the contrary, both institutions list them as an acceptable cipher.
>>
>> As a matter of fact, the deprecation notice seems to have originated from bad wording.
>> Please read this quote from Manfred Lochter, who works at the BSI:
>>
>>> The unfortunate wording about the brainpool curves originated in TLS 1.3,
>>> however RFC 8734 makes the curves usable for TLS again.
>>> We will continue to recommend the Brainpool curves.
>>> It should also be noted that the arguments for the "modern formulas" have all been refuted by now.
>>> Especially the implementation of Curve 25519 requires more effort to protect against SCA;
>>> the deterministic signatures are vulnerable to fault injection.
>>> In the medium term, however, the switch to post-quantum cryptography is necessary;
>>> there are comprehensive recommendations on this at [2]
>>
>> Now, European banking and health industry still do rely heavily on brainpool curves.
>> Given all these facts, I hereby request to undo the deprecation of brainpool EC in OpenJDK.
>>
>> Please let me know what led to the assumption that brainpool ciphers were deprecated.
>> Neither NIST nor BSI seems to be the source. Given all the facts, it should still be included.
>
> The word "deprecated" may have been the wrong word to use when referring
> to the brainpool curves, although I will note that the IANA registry
> still lists them as not recommended for TLS [1].
>
> We don't have any issues with the brainpool curves as we do for
> some of the other legacy curves. But, these curves were implemented in
> native C code and we changed the structure of the JDK EC implementation
> such that all curves that were implemented in C were removed. The
> remaining curves that we do support are implemented in Java and use
> modern techniques and complete formulas.
>
> It has not been a priority for us to re-implement brainpool. And with
> recently added support for EdDSA and the future with PQC, it's not
> likely we will circle back to them.
>
> We are ok with a contribution, but they would need to be done using
> the current design structure and using complete formulas.
>
> --Sean
>
> [1] https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml
>
>>
>> References:
>>
>> [1]: https://bugs.openjdk.org/browse/JDK-8234924
>> [2]: https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Quantentechnologien-und-Post-Quanten-Kryptografie/quantentechnologien-und-post-quanten-kryptografie_node.html
>>
>> Kind regards
>>
>> Benjamin Marwell
>>