[Ach] Proposal to Remove legacy TLS Ciphersuits Offered by Firefox

ianG iang at iang.org
Sat Jan 4 12:34:23 CET 2014

On 2/01/14 20:09 PM, Julien Vehent wrote:

> I wish there was references to these "discussions".

The problem with any references to rationale is that it often goes into 
arguable and unending discussions.

There's a certain value in being quite curt about the recommendation, 
and readers can take it or leave it.  Obviously, the recommendations can 
be wrong, but they are valuable if they are mostly right and easy to 
follow.  And every name stakes their rep to it.

The document is already huge... which makes it hard to follow...

> My understanding of
> the state of
> the art of ECC is that P-256 is considered at least as secure as DH and
> RSA.

The general issue is all of the standardised EC curves are under a 
cloud, in part because of the DUAL_EC saga, and in part because DJB & 
Tanje Lange have heavily criticised the standard curves.  Have a look at 
their table at http://safecurves.cr.yp.to/ there's definitely a problem 
with all prior work.

How much is this overdone?  I don't think it is as important as the RC4 
issue.  We know RC4 can be cracked in some standard daily amounts, 16M 
and beyond.  We don't know that about ECC nor 3DES.

Coming back to public key choice, it is now an open question:  Do we 
recommend just RSA for now and wait until the new curves come on line? 
Or stick with ECC as it is now available, because fears are overblown? 
I don't know the answer to that one, but framing the question is often 
half the battle.


More information about the Ach mailing list