- From: <bugzilla@jessica.w3.org>
- Date: Thu, 23 Oct 2014 07:05:43 +0000
- To: public-webcrypto@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=25839

--- Comment #65 from Alyssa Rowan <akr@akr.io> ---

I would add, however, that I don't think you should necessarily wait for CFRG's answer to the request of the TLS Working Group for recommendations: outside the IETF, many others haven't. (CFRG already achieved consensus that Curve25519 is good, even before the TLS Working Group's request, by the way.)

X25519 (the DH algorithm using the curve Curve25519; djb changed his terminology to make things clearer there) and Ed25519 (specifically EdDSA-twistededwards25519-SHA512) have already achieved very wide public post-Snowden use, as you can indeed see on Wikipedia (Apple, OpenWhisperSystems, SSH) - so no matter what CFRG eventually recommend, not including 25519 in a crypto API like this will definitely raise eyebrows and some people will keep rolling their own, which I'm sure you want to avoid.

If CFRG eventually select something else (there'll probably be a larger curve as well as a ~256-bit one, but I don't know which yet), I think you should add that to NamedCurve as well.

Yes, there are multiple interoperable implementations of Curve25519's core algorithms (four or five on my last count, although not all include the scalarmul for Ed25519 as well?), including at least one in hardware.
Received on Thursday, 23 October 2014 07:05:45 UTC