Cryptographic parameters #337
Description
This issue refers to the security review requested in issue w3c/security-request#55.
About parameters, in section 5.3 why just consider two security levels -128 and 192- and not 224 or 256 security bit?
For ECDSA just two curves P-256 and P-384 (128 and 192 bit security level respectively) are considered, why is P-521 (256 bits of security) not considered?
The same is for EdDSA: just Ed25519 is considered (128-bit security), why is Ed448 (224-bit security) not considered?
While P-521 is not much implemented actually, Ed448 is quite common today.
SING group discussed this topic during the meeting SING_2025-04-01 and the following reasons emerged:
- reducing the amount of optionality (because optionality could lead to non-interoperability and downgrade attacks)
- a lot of HSM don't support P-521