<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif;" dir="ltr">
<p>Hi,</p>
<p><br>
</p>
<p>Since this is a discussion around SSL, you're choices are down to what is a part of the TLS spec. Those choices are precisely between RSA, and ECC. In the upcoming TLS1.3, RSA has been dropped.<br>
</p>
<div><br>
</div>
<div><span style="background-color: rgb(255, 255, 255);">GPG only just introduced ECC support. The highly trusted libsodium uses ECC. A well respected "best practices" guide places ECC in the recommended section:</span></div>
<div><span style="background-color: rgb(255, 255, 255);"><a class="OWAAutoLink" id="LPlnk33757" href="https://gist.github.com/atoponce/07d8d4c833873be2f68c34f9afc5a78a" previewremoved="true">https://gist.github.com/atoponce/07d8d4c833873be2f68c34f9afc5a78a</a></span><br>
</div>
<div><span style="background-color: rgb(255, 255, 255);"><br>
</span></div>
<div><span style="background-color: rgb(255, 255, 255);"><br>
</span></div>
<div><span style="background-color: rgb(255, 255, 255);">There are valid concerns around the future impact of quantum computing here, but it's currently the best option. It's certainly not true to say "</span><span style="background-color: rgb(255, 255, 255);">the
NSA has deprecated ECC", several current NIST standards recommend ECC moving forward. The only real debate is supporting the dubious NIST curves, or the alternate 25519 we've seen in TLS 1.3.</span></div>
<div><span style="background-color: rgb(255, 255, 255);"><br>
</span></div>
<div><span style="background-color: rgb(255, 255, 255);">I wouldn't suggest for current, practical discussions there needs to be a warning against ECC.</span></div>
<div><br>
</div>
<div><br>
</div>
<div style="color: rgb(0, 0, 0);">
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font color="#000000" face="Calibri, sans-serif" style="font-size:11pt"><b>From:</b> erlang-questions-bounces@erlang.org <erlang-questions-bounces@erlang.org> on behalf of code wiget <codewiget95@gmail.com><br>
<b>Sent:</b> Thursday, 31 August 2017 4:03 AM<br>
<b>To:</b> Fred Hebert<br>
<b>Cc:</b> Erlang-Questions Questions<br>
<b>Subject:</b> Re: [erlang-questions] How safe is it to leave an open SSL port on the public internet?</font>
<div> </div>
</div>
<div>
<div style="orphans:2; widows:2">Also, Fred, I re-read your post and wanted to either start a quick discussion/warn you about elliptic curves. According to the NSA: "<span style="orphans:2; widows:2">the growth of elliptic curve use has bumped up against the
fact of continued progress in the research on quantum computing, which has made it clear that
<b>elliptic curve cryptography is not the long term solution many once hoped it would be.</b></span><b>”</b></div>
<div><span style="orphans:2; widows:2"><b><br>
</b></span></div>
<div><span style="orphans:2; widows:2">The NSA has deprecated ECC, whether or not that means that some foreign actor has a crack or if they are that worried about quantum computing is to be seen, but for now it seems like we should be moving away from ECC. </span></div>
</div>
</div>
</div>
</body>
</html>