[Cryptography] open questions in secure protocol design?

dj at deadhat.com
Tue Jun 2 16:02:08 EDT 2015


> On 30/05/2015 02:49 am, Tony Arcieri wrote:

>    Did a reasonably good engineer have access to this info?  No - he
> talked here, and nobody blinked.
>

I may or may not have been a 'reasonably good engineer' in that window of
time, but back then I was actively opposing the use of ECC while my crypto
colleagues were trying to deploy it (see PKMv2 for an example of this
written down - 2048-bit RSA is what the spec requires). My gut feeling
was that while someone may know something, there certainly wasn't a broad
understanding of the risks of ECC. "It's smaller, more efficient and
better" didn't cut it. The sharp edges have to be there somewhere.

Things are different today. Many sharp edges have been exposed. We can
express several good reasons for judging one curve against another and ECC
against RSA. I don't feel bad about deploying ECC today. There are always
risks, but they are no worse for the right ECC curves than for RSA. The
implementation risks and costs weigh heavily against RSA today.



