
Re: Updating SafeCurves for 2022...

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Wed, 25 May 2022 18:16:28 -0400
To: public-credentials@w3.org
Message-ID: <0815916a-320f-0a81-6dfe-714b692e81c8@digitalbazaar.com>
On 5/25/22 1:28 PM, Shawn Butterfield wrote:
> It comes down to making commitments to customers now that create the best 
> fit for their needs in the future. Ed25519 infra provider support needs to 
> happen before we can build enterprise-grade platform support around it.

+1 Shawn... and one of the most frustrating aspects of what we do here is
looking at what's NIST approved and wondering which decade we'll actually be
able to offer it to our customers. That Ed25519 is FIPS 186-5 compliant (but
only in the Draft!) was a hollow victory... 'cause it'll be years before a
certified HSM makes its way through the process (maybe!? who knows!?)

Christopher, having engaged with a fair number of corporate customers, as you
have... what Shawn says resonates. At some level, NIST's cryptography review
process is broken and can't seem to keep up with modern cryptography (or has
no easy process for doing so)... on the other hand, perhaps they're going at
just the right speed (but I doubt it).

When you have Intel putting Direct Anonymous Attestation into their CPUs since
2014 and shipping 2.4B devices with Enhanced Privacy ID (EPID)... and you see
no mention of this from NIST (perhaps I missed the memo?) -- it really points
out that something is wrong.

That said, enterprises tend to adopt new crypto at a much more rapid pace...
WAAY before government. Folks like Intel, Cisco, etc. can't wait for the
government to play catch up. The whole security approach/model seems wrong...
much like the way a lot of industry security auditing is done (which focuses
more on if you have a documented process that's auditable than your ability to
be responsive to catastrophic security failures, for example). "Sure, we have
cryptographic agility... but our customer only really tested with secp256r1,
and we're pretty sure if that's compromised, we couldn't roll back to
RSASSA-PSS if we wanted to because it'll break half the ecosystem!"

There is a bit of security theatre going on in large enterprises and
government. There is no insistence that part of the acceptance criteria is to
demonstrate support for cryptographic agility not only at the product level,
but the ecosystem level as well. The latter is the hard work that tends to not
happen... at least, that has been our experience.

-- manu

-- 
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
News: Digital Bazaar Announces New Case Studies (2021)
https://www.digitalbazaar.com/
Received on Wednesday, 25 May 2022 22:16:45 UTC
