On 08/10/2017 00:33, Gregorio Guidi wrote:
...
Having ECDHE-Curve25519 and ECDHE-Curve448 as MTI was suggested, but
the lack of implementations for Curve448 was mentioned. Unfortunately
this is still an issue: there are implementations available but no
stable and well-proved implementation of Curve448 is there yet, as
shown here:
https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations#Supported_elliptic_curves
Nonetheless, in the time passed since that exchange, the adoption of
Curve25519 has consolidated further, so the option to have
ECDHE-Curve25519 as the only MTI would not look so bad in my view.
+1. The notion that we need two MTIs with one longer than 256 bits in
an embedded optimistic half-measure needs some serious justification.
And the one that fits best in kernel, isolated from external libraries,
is likely best for attack surface. I'd put my money on Curve25519 every
day of the month for that.
iang
_______________________________________________
Tcpinc mailing list
Tcpinc@ietf.org
https://www.ietf.org/mailman/listinfo/tcpinc