Gregorio Guidi <gre...@posteo.net> writes:

> Having followed the standardization of tcpcrypt on the tcpinc mailing
> list (as a passive observer), I wanted to check with you on a point
> that was not heavily discussed as far as I can see: the choice of the
> "mandatory to implement" (MTI) algorithms for key agreement.
>
> I explain my concern: tcpcrypt defines ECDHE-P256 and ECDHE-P521 as MTI 
> algorithms, however these are based on the NIST elliptic curves that - 
> while widely deployed and offering great security - have been subject to 
> some criticism in the last years. You have probably seen many times the 
> arguments raised against them. The following is a good summary:

You raise a reasonable question.  There are a lot of trade-offs.  On one
hand, it would be nice to have a scheme with longer than 32-byte keys.
But then it's probably easier to find a P521 ECDHE implementation to
cram into the kernel than a curve448.  Should we have Curve25519 and
P521?  But whatever library supports P521 probably also supports P256,
so it's less work to do both of those.  Also, the best reference for the
two Edwards curves is an informational RFC, vs. IEEE and NIST standards
for the other ones.

One good thing is that MTI is almost irrelevant given the way the
different public key algorithms have been assigned their own ENO TEP
Identifiers.  It's almost as if this document is defining four separate
protocols that just happen to be able to share 99% of the code.  But of
course we need to encourage people to implement the same algorithms
initially...

David

_______________________________________________
Tcpinc mailing list
Tcpinc@ietf.org
https://www.ietf.org/mailman/listinfo/tcpinc
