Hello Alice, On Wed, 2016-10-19 at 13:40 -0700, Alice Wonder wrote: > On 10/19/2016 11:34 AM, Leonard den Ottolander wrote: > > Personally I would be more concerned whether or not to enable ECDSA > > algorithms (https://blog.cr.yp.to/20140323-ecdsa.html). > For web server ECDSA certs is currently a concern because the only > curves with popular support across browsers have parameters that were > chosen for undocumented reasons. > > That doesn't mean they are vulnerable but there is a question. > > OpenSSH uses Curve25519 for ECDSA which has documented reasons for the > parameters chosen and thus are far less likely to be nefariously chosen. > > At least that's my understanding of the situation, which could be flawed. The point Bernstein makes in the article I referenced is not so much that the NIST curves are suspect (for the reasons you mention) but the fact that the ECDSA algorithm itself is such that it is virtually impossible to implement in such a way that the code uses constant time. This opens the door for side channel (timing) attacks. The fact that you use a "nothing up my sleeve" curve does not change that fact. Regards, Leonard. -- mount -t life -o ro /dev/dna /genetic/research