[Ach] Proposal to Remove legacy TLS Ciphersuits Offered by Firefox
ianG
iang at iang.org
Sat Jan 4 12:34:23 CET 2014
On 2/01/14 20:09 PM, Julien Vehent wrote:
> I wish there was references to these "discussions".
The problem with any references to rationale is that it often goes into
arguable and unending discussions.
There's a certain value in being quite curt about the recommendation,
and readers can take it or leave it. Obviously, the recommendations can
be wrong, but they are valuable if they are mostly right and easy to
follow. And every name stakes their rep to it.
The document is already huge... which makes it hard to follow...
> My understanding of
> the state of
> the art of ECC is that P-256 is considered at least as secure as DH and
> RSA.
The general issue is all of the standardised EC curves are under a
cloud, in part because of the DUAL_EC saga, and in part because DJB &
Tanje Lange have heavily criticised the standard curves. Have a look at
their table at http://safecurves.cr.yp.to/ there's definitely a problem
with all prior work.
How much is this overdone? I don't think it is as important as the RC4
issue. We know RC4 can be cracked in some standard daily amounts, 16M
and beyond. We don't know that about ECC nor 3DES.
Coming back to public key choice, it is now an open question: Do we
recommend just RSA for now and wait until the new curves come on line?
Or stick with ECC as it is now available, because fears are overblown?
I don't know the answer to that one, but framing the question is often
half the battle.
iang
More information about the Ach
mailing list