[dns-operations] EdDSA status ?

Viktor Dukhovni ietf-dane at dukhovni.org
Fri Jun 1 19:16:34 UTC 2018



> On Jun 1, 2018, at 2:46 PM, Chris Thompson <cet1 at cam.ac.uk> wrote:
> 
> I find it a bit surprising that no-one has yet mentioned what must surely
> be in many of our minds: that the parameter choices in EdDSA are much more
> transparent than those for ECDSA, giving substantially greater confidence
> that hidden backdoors have not been built in. https://safecurves.cr.yp.to/
> is the obligatory reference.

Unfortunately, on that topic we can only speculate.  We
need to recognize that the speculation is part of the
marketing of EdDSA and so not entirely unbiased, and at
the same time, we can't entirely dismiss the Dual-EC
fiasco.  So it is prudent to move towards EdDSA.

However, given the long lag between spec + early code and
broad support, EdDSA is not yet a practical *alternative*
to P256. It can be fielded as an additional KSK, or perhaps
as an additional ZSK alongside P256.

-- 
	Viktor.



