On 14.03.2014, at 10:02, Maxim Dounin <mdounin@mdounin.ru> wrote:
> Note well that this link correctly points out that secp521r1 isn't
> supported by IE (yet?), so it's use isn't a good idea from
> compatibility point of view, too.
IE is the odd one out when it comes to ECC curves support. All other browsers I've checked do support secp521r1 (and secp384r1/secp256r1).

We're recommending to use secp384r1 in our Applied Crypto Hardening[0] guide IF you decide to use ECC with NIST curves. If you want to provide forward secrecy to IE users you need to use ECC (ECDHE) since IE (again) is the only browser (I know of) to not support DHE.

Instead of removing curves we would actually need support for curve_lists since OpenSSL does support this if a list is passed by an application linked against it. This would open the chance to support better curves[1] with nothing-up-your-sleve numbers with a fallback to NIST curves. IMHO this could really help with the old chicken-and-egg problem of server vs. client support.

Best regards
MacLemon

Full disclosure: I'm a co-author of “Applied crypto hardening”.
[0]: https://bettercrypto.org/
[1]: http://safecurves.cr.yp.to/
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx