[Bug 26080] Remove unsafe named curves from Web Crypto API

https://www.w3.org/Bugs/Public/show_bug.cgi?id=26080

--- Comment #3 from Greg Slepak <hi@okturtles.com> ---
(In reply to Ryan Sleevi from comment #2)
> (In reply to Greg Slepak from comment #0)
> > In reference to, and as part of the recommendation received in, bug 25839,
> > I'm creating this issue to request that:
> > 
> > 1. The curves that are listed as unsafe in [1] be removed from the Named
> > Curves.
> 
> Presumably, [1] is http://safecurves.cr.yp.to/
> 
> The statement about "unsafe" is a statement with nuance that is not captured
> here. At [1], it's defined in the context of the set of criteria that the
> authors set out. Though reasonable, certainly true evaluation criteria, at
> the same time, their safety lacks known vulnerabilities, and is widely
> deployed.
> 
> There are significant inter-operability reasons to include the curves, least
> of all being the curves status within applications like TLS and X.509.

Inter-operability should be broken for crypto that is insecure (this is not
a comment about the security of the NIST-curves, but a general remark).

> > 3. Should any Named Curves be discovered to be unsafe in the future, that
> > they be deprecated and eventually removed from the spec.
> 
> That's not going to happen, for the reasons captured (at great length) on
> https://www.w3.org/Bugs/Public/show_bug.cgi?id=25985 . That's not how the
> web works.

Which reasons? There is a lot there (many reasons for various concerns).

From https://en.wikipedia.org/wiki/Transport_Layer_Security#SSL_2.0:

> SSL 2.0 is disabled by default, beginning with Internet Explorer 7,[69]
> Mozilla Firefox 2,[70] Opera 9.5,[71] and Safari.

Maybe my wording is off a bit here, I just mean that broken crypto shouldn't
be pushed onto browser vendors or anyone else. It shouldn't be introduced
as part of new standards.

To take one of the unsafe curves currently specified, secp256r1 has a
questionable history [1]. What if it's found to be brute-forceable by
a supercomputer within a small time frame? Will you still keep supporting
it in your spec and thereby endanger the security of the net?

[1] http://beta.slashdot.org/story/191445

Received on Thursday, 12 June 2014 22:08:11 UTC