remove curve 25519 and add sections for individual operations #37
Conversation
panva
changed the title
|
Hey 👋 Thanks for the PR! However, I realized that removing Curve25519 here might become a bit messy because we still have issues referencing both Ed25519 and Ed448 here: #27 and #28. They are also referenced from https://w3c.github.io/webcrypto/#ed25519. We could duplicate them in w3c/webcrypto of course, but it would cause some churn. Tbh, I would prefer if we could wait a bit more and see if we can get wider adoption of Curve448, then merge that into w3c/webcrypto as well, move the issues and just archive this repo. What do you think? |
Do you have an indication of that happening? #20 shows fairly clearly that it's not likely to. |
It does not look that there was a lot of progress made recently. I'm also curious if we can say something like "we follow a IETF decision" and close it until any updates? Otherwise, I'm not sure when (if?) the issues will be solved.
Curve448 is supported (only) by Node.js/Flow/Ladybird. Would it be possible to ask them for any user estimate? We (Firefox) don't have this data. I think the world is currently busy adding PQ primitives. Curve448 might not be the first priority.. |
Node.js doesn't have any such data, there's no telemetry. Flow and Ladybird see 0 usage because if the web can't use Curve448 on the account of it not being available in chrome/firefox/safari it wouldn't make sense for websites to build its use in. |
Yup, whatever the issues decision would be, Node.js will just continue to use whatever's exposed by OpenSSL even at the cost of failing WPTs. |
|
FWIW I even proposed removing Curve448 from node's webcrypto. Since we have it available in the runtime's standard library ( |
Both LAMPS and OpenPGP defined combinations of PQC+Curve448, just as they did PQC+Curve25519: https://www.ietf.org/archive/id/draft-ietf-lamps-pq-composite-kem-07.html#name-algorithm-identifiers, https://www.ietf.org/archive/id/draft-ietf-lamps-pq-composite-sigs-07.html#name-algorithm-identifiers, https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-12.html#name-algorithm-specifications. So, even while the focus is PQC, I still think Curve448 is worth having as well. |
(As I really don't know), how does it work? they defined an OID, does it mean that they will use it? |
It mainly means that someone wants to use it and has advocated for the inclusion in the draft (and that the IETF Working Group agrees that it's useful to have). I'm not as familiar with LAMPS but in OpenPGP, there are experimental implementations of it already: https://tests.sequoia-pgp.org/?impls=33354#Encrypt-Decrypt_roundtrip_with_v6_ML-DSA-87_Ed448_ML-KEM-1024_X448_key OpenPGP.js doesn't support it yet, there it would be useful to have (PQC and) Curve448 in WebCrypto 😇 And, usage in the wild will depend on implementations supporting it, of course. Similarly in TLS, I imagine it's not widely used because browsers don't support it, but it may get more usage if that changes 😌 |
closes #36 and introduces sections for individual operations
Preview | Diff