On Thursday, 26 December 2019 00:50:29 CET, Salz, Rich via openssl-users
wrote:
* I want to us ECDSA for my Web server's SSL certificate
via an ACME client to Let's Encrypt and maybe later BuyPass.
That’s fine.
* I thought that EC is better than RSA, but now I don't
think so. The answer seems to be: it depends.
There are trade-offs. The biggest one is that EC gives
equivalent security with a much smaller keysize.
* Safe Curves (SafeCurves:
Introduction<https://urldefense.proofpoint.com/v2/url?u=https-3A__safecurves.cr.yp.to_&d=DwMFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=4LM0GbR0h9Fvx86FtsKI-w&m=FZ0AXmFqGUcUdZYm5wdvA4_d71tTi9iIRfHWFcL8wRo&s=ntsSs3tKgynp0pN2J8Yxf8Cd1wrWobKgA4jQ_PLgtPY&e=>)
says …
FWIW, SafeCurves is mostly the guy behind 25519 :) This is not
a slam against djb, who’s kinda brilliant.
If you’re not sure what to do, perhaps follow what the browsers
do. That way if something’s wrong you’ll just be going up in
flames with the rest of the world.
If you don’t trust the NSA and therefore don’t trust NIST, do
you accept AES? What about when they approve 25519?
there's also the difference between a "is the curve a safe generic
cryptographic
primitive?" and "is the curve safe when used in X.509 and TLS?"
--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic