From 5db14f05a7ab4c1de3b60eb7db124a5b2dc7e31f Mon Sep 17 00:00:00 2001 From: Gus Narea Date: Wed, 11 Dec 2019 00:01:14 +0000 Subject: [PATCH] RS-018: Require ECDH with NIST curves instead of finite field DH I hate having to make this change, but CMS EnvelopedData values in PKI.js can't use any other key exchange algorithm: https://github.com/PeculiarVentures/PKI.js/blob/1a2e766d4ab9535dc6d754008d8cb4a2ae96ac3d/src/EnvelopedData.js#L1265-L1281 See also: https://github.com/relaycorp/relaynet-core-js/issues/29 --- rs018-algorithms.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/rs018-algorithms.md b/rs018-algorithms.md index 94468e4..23450a0 100644 --- a/rs018-algorithms.md +++ b/rs018-algorithms.md 
@@ -43,9 +43,11 @@ Implementations MUST support SHA-256 (OID `2.16.840.1.101.3.4.2.1`) and they SHO ### Key Exchange Algorithms -Implementations MUST support Diffie-Hellman (DH; OID `1.2.840.113549.1.3.1`) with the [2048-bit MODP Group](https://tools.ietf.org/html/rfc3526#section-3), and they SHOULD also support DH with the [3072-bit](https://tools.ietf.org/html/rfc3526#section-4) and the [4096-bit MODP Group](https://tools.ietf.org/html/rfc3526#section-5). [6144-bit](https://tools.ietf.org/html/rfc3526#section-6) and [8192-bit MODP groups](https://tools.ietf.org/html/rfc3526#section-7) MAY be supported. DH groups under 2048 bits MUST NOT be supported. +Implementations MUST support Elliptic Curve Diffie-Hellman (ECDH; OID `1.3.132.1.12`) with the NIST P-256 curve (OID `1.2.840.10045.3.1.7`). They SHOULD also support the NIST curves P-384 (OID `1.3.132.0.34`) and P-521 (OID `1.3.132.0.35`). -Implementations SHOULD also support Elliptic Curve Diffie-Hellman (ECDH) with X25519 (OID `1.3.101.110`), and they MAY support ECDH with X448 (OID `1.3.101.111`). +Implementations MAY also support the curves X25519 (OID `1.3.101.110`) and X448 (OID `1.3.101.111`). + +Finite field Diffie-Hellman (DH; OID `1.2.840.113549.1.3.1`) MAY also be supported, in which case implementations SHOULD only support DH groups from [RFC3526](https://tools.ietf.org/html/rfc3526) with at least 2048 bits. DH groups under 2048 bits MUST NOT be supported. ### Symmetric Ciphers
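Review bot: In the last added paragraph (finite field DH), one SHOULD covers two separate constraints, where the group comes from and how large it is, while the next sentence makes the size limit a MUST NOT. As written, "SHOULD only support DH groups from RFC3526 with at least 2048 bits" reads as if the 2048-bit floor were itself only a recommendation until the following sentence contradicts it. Suggest splitting it, for example: DH groups MUST be at least 2048 bits, and SHOULD be taken from the RFC 3526 MODP groups. That also makes it explicit whether a group of 2048 bits or more from outside RFC 3526 is acceptable. Separately, the added X25519/X448 line drops the "ECDH with" wording that the removed line had and now lists them as "curves" directly after a paragraph that pairs the ECDH OID `1.3.132.1.12` with named-curve OIDs. `1.3.101.110` and `1.3.101.111` are algorithm identifiers in their own right, so it is worth stating whether they are meant to be used in place of `1.3.132.1.12` rather than alongside it as a curve parameter.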