- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Fri, 10 Oct 2014 10:13:57 -0700
- To: HTTP Working Group <ietf-http-wg@w3.org>, Brian Smith <brian@briansmith.org>

Brian Smith noted some minor issues with the use of security level to specify minimum ECDHE curve size.

Primarily, security level is based on an evaluation of the curve, which can change over time (usually it decreases). If we intend to specify a 128-bit security level, we might technically exclude the NIST P256 curve if there is a cryptanalytic advance.

Secondly, if the CFRG chooses to bless 25519, then it would be foolish of us to exclude what is a perfectly good curve; currently it is considered to have a security level of ~126 bits.

The intent of this requirement was to prevent intentionally weak curve choices from being used, not to generate potential ambiguity.

So, I'm going to propose that we simply reduce the minimum to 112 bits. At 112 the elliptic curve is still stronger than the finite field Diffie-Hellman minimum of 2048 (TLS 1.3 doesn't even permit the use of something that weak). ECRYPT II estimates that 112 is good until around 2030, and equivalent to 2432-bit finite field DH.

Received on Friday, 10 October 2014 17:14:25 UTC