On Fri, Oct 10, 2025 at 7:49 PM D. J. Bernstein <[email protected]> wrote:

> Yaroslav Rosomakho writes:
> > BSI TR-02102-2 does not list X25519 as a recommended elliptic curve
>
> Does it list P-256 or P-384 as recommended elliptic curves? In
>
>
> https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.pdf?__blob=publicationFile&v=9
>
> one finds Table B.3, "Recommended EC system parameters for asymmetric
> schemes that are based on elliptic curves", listing only Brainpool
> curves. Table C.1 makes an exception for Messaging Layer Security, but I
> don't see a broader exception.
>
> In other words: if the TR-02102-2 recommendations are a reason not to
> use X25519 in TLS, then they're also a reason not to use P-256 in TLS.
>


TR-02102-2 [1] is quite specific about recommended TLS 1.3 groups. In Table
9 of section 3.4.2 it lists secp256r1, secp384r1, secp521r1,
brainpoolP256r1tls13, brainpoolP384r1tls13, brainpoolP512r1tls13,
ffdhe3072 and ffdhe4096.

FWIW, I don't think the IETF "Recommended=Y" badge matters for those who
believe they must blindly follow TR-02102-2 (or other regulations), but it
would be great to keep specified hybrids with a secp256r1 or secp384r1
classical part.

Best Regards,
Yaroslav


[1]
https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-2.pdf?__blob=publicationFile&v=8

_______________________________________________
TLS mailing list -- [email protected]