RS-018: Require ECDH with NIST curves instead of finite field DH
I hate having to make this change, but CMS EnvelopedData values in PKI.js can't use any other key exchange algorithm:
https://github.com/PeculiarVentures/PKI.js/blob/1a2e766d4ab9535dc6d754008d8cb4a2ae96ac3d/src/EnvelopedData.js#L1265-L1281

See also: relaycorp/relaynet-core-js#29
gnarea committed Dec 11, 2019
1 parent c08ed00 commit 5db14f0
Showing 1 changed file with 4 additions and 2 deletions.
6 changes: 4 additions & 2 deletions rs018-algorithms.md
Expand Up @@ -43,9 +43,11 @@ Implementations MUST support SHA-256 (OID `2.16.840.1.101.3.4.2.1`) and they SHO

### Key Exchange Algorithms

Implementations MUST support Diffie-Hellman (DH; OID `1.2.840.113549.1.3.1`) with the [2048-bit MODP Group](https://tools.ietf.org/html/rfc3526#section-3), and they SHOULD also support DH with the [3072-bit](https://tools.ietf.org/html/rfc3526#section-4) and the [4096-bit MODP Group](https://tools.ietf.org/html/rfc3526#section-5). [6144-bit](https://tools.ietf.org/html/rfc3526#section-6) and [8192-bit MODP groups](https://tools.ietf.org/html/rfc3526#section-7) MAY be supported. DH groups under 2048 bits MUST NOT be supported.
Implementations MUST support Elliptic Curve Diffie-Hellman (ECDH; OID `1.3.132.1.12`) with the NIST P-256 curve (OID `1.2.840.10045.3.1.7`). They SHOULD also support the NIST curves P-384 (OID `1.3.132.0.34`) and P-521 (OID `1.3.132.0.35`).

Implementations SHOULD also support Elliptic Curve Diffie-Hellman (ECDH) with X25519 (OID `1.3.101.110`), and they MAY support ECDH with X448 (OID `1.3.101.111`).
Implementations MAY also support the curves X25519 (OID `1.3.101.110`) and X448 (OID `1.3.101.111`).

Finite field Diffie-Hellman (DH; OID `1.2.840.113549.1.3.1`) MAY also be supported, in which case implementations SHOULD only support DH groups from [RFC3526](https://tools.ietf.org/html/rfc3526) with at least 2048 bits. DH groups under 2048 bits MUST NOT be supported.

### Symmetric Ciphers
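
Review bot: The new X25519/X448 sentence ("Implementations MAY also support the curves X25519 ... and X448 ...") no longer says these are used for ECDH, and it presents `1.3.101.110` and `1.3.101.111` as curve OIDs alongside the NIST named-curve OIDs in the paragraph above. Under RFC 8410 those two OIDs are algorithm identifiers with absent parameters, not named-curve parameters carried with the ECDH OID `1.3.132.1.12`, so an implementer could encode them the wrong way. Suggest wording such as "MAY also support key agreement with X25519 (OID `1.3.101.110`) and X448 (OID `1.3.101.111`)" and noting how they are identified. In the finite field DH paragraph, "SHOULD only support DH groups from RFC3526 with at least 2048 bits" leaves custom groups of 2048 bits or more permitted; if only the RFC 3526 groups are intended, state that as a MUST, and consider keeping the per-group section links the removed line had so readers can still find the specific MODP groups.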

