I get the criticism of ECDH-ES with JWT in vivo, but not the linked tweets' broa... | Hacker News

Hacker News new | past | comments | ask | show | jobs | submit

login

FreakLegion on Aug 25, 2021 | parent | context | favorite | on: API Tokens: A Tedious Survey

I get the criticism of ECDH-ES with JWT in vivo, but not the linked tweets' broadside against it in vitro. Are we not just talking about ECIES?

tptacek on Aug 25, 2021 [–]

It's all the things that had to go wrong all at once. P-curves, not Curve25519 (where curve point validation is less important). Static-ephemeral ECDH, so there's a key to target. Long-term durable keys. I'm not making an argument against ECIES (though I guess I'd push not to use the P-curves).

Join us for AI Startup School this June 16-17 in San Francisco!
Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact