
Use TLS elliptic curve names consistently #759

Closed
kenjenkins opened this issue Jun 21, 2023 · 2 comments · Fixed by #760

Comments

@kenjenkins
Contributor

Page: https://www.pomerium.com/docs/internals/cryptography#encryption-in-transit

What's incorrect or missing

The "Downstream TLS" section includes "secp256r1" in the elliptic curves list, while the "Upstream TLS" section includes "P-256". I think these are two different names for the same curve?

What's the resolution?

If these are indeed the same, we should probably pick one name and use it consistently in both sections.

Reference

@ZPain8464
Contributor

ZPain8464 commented Jun 21, 2023

@kenjenkins yeah nice catch. I also noticed this pretty egregious example in the Manual Verification section of Identity Verification; it lists all three aliases. In the OpenSSL command itself, prime256v1 is used.

Do you feel strongly about using any of these aliases? For readability, I feel like "P-256" is the best option, but it might make sense to use the alias used in the OpenSSL command.

@kenjenkins
Contributor Author

I think "P-256" probably makes sense.

I'd agree that listing all three names in the Identity Verification page snippet may be overkill, but I don't feel too strongly about it. If we just leave "NIST P-256" in the text, and keep prime256v1 in the openssl command, that's probably fine? My guess is that "P-256" looks enough like prime256v1 that most readers wouldn't be confused by the difference.
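The thread above rests on the claim that "P-256", "secp256r1" and "prime256v1" are three names for one curve. The following Go program is an added example (not Pomerium's code, and not part of this issue) that checks that claim from two directions: it generates a key on Go's `elliptic.P256()` and reads the curve OID that `x509.MarshalECPrivateKey` writes into the SEC 1 encoding (`1.2.840.10045.3.1.7`, the ANSI X9.62 identifier for prime256v1, which is what OpenSSL records regardless of which alias you pass to `-name`), and it compares the curve's field prime against the published formula `2^256 - 2^224 + 2^192 + 2^96 - 1` for secp256r1. The alias normaliser `CurveByAlias` and the accepted spellings are this example's own choice, not anything from the Pomerium docs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
)

// ansiX962Prime256v1 is the OID for prime256v1 (ANSI X9.62). SEC 2 calls the
// same curve secp256r1 and NIST FIPS 186 calls it P-256; on the wire only
// this identifier appears, never the human-readable alias.
var ansiX962Prime256v1 = asn1.ObjectIdentifier{1, 2, 840, 10045, 3, 1, 7}

// CurveByAlias maps the spellings discussed in the issue to the single curve
// they denote. The accepted aliases are this example's assumption.
func CurveByAlias(name string) (elliptic.Curve, bool) {
	n := strings.ToLower(strings.TrimSpace(name))
	n = strings.TrimPrefix(n, "nist ")
	switch n {
	case "p-256", "p256", "secp256r1", "prime256v1":
		return elliptic.P256(), true
	}
	return nil, false
}

// sec1PrivateKey mirrors the SEC 1 ECPrivateKey structure emitted by
// x509.MarshalECPrivateKey; only NamedCurveOID is inspected here.
type sec1PrivateKey struct {
	Version       int
	PrivateKey    []byte
	NamedCurveOID asn1.ObjectIdentifier `asn1:"optional,explicit,tag:0"`
	PublicKey     asn1.BitString        `asn1:"optional,explicit,tag:1"`
}

// NamedCurveOID returns the curve OID recorded in a SEC 1 DER private key,
// rejecting trailing bytes so a padded or concatenated blob is not accepted.
func NamedCurveOID(der []byte) (asn1.ObjectIdentifier, error) {
	var k sec1PrivateKey
	rest, err := asn1.Unmarshal(der, &k)
	if err != nil {
		return nil, err
	}
	if len(rest) != 0 {
		return nil, fmt.Errorf("trailing %d bytes after ECPrivateKey", len(rest))
	}
	return k.NamedCurveOID, nil
}

// OIDOfGoP256 generates a key on Go's "P-256" curve and returns the dotted
// OID that its SEC 1 encoding carries.
func OIDOfGoP256() (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	der, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return "", err
	}
	oid, err := NamedCurveOID(der)
	if err != nil {
		return "", err
	}
	return oid.String(), nil
}

// IsSecp256r1Prime reports whether p equals the secp256r1 / P-256 field
// prime 2^256 - 2^224 + 2^192 + 2^96 - 1 from SEC 2 and FIPS 186.
func IsSecp256r1Prime(p *big.Int) bool {
	pow2 := func(e uint) *big.Int { return new(big.Int).Lsh(big.NewInt(1), e) }
	want := pow2(256)
	want.Sub(want, pow2(224))
	want.Add(want, pow2(192))
	want.Add(want, pow2(96))
	want.Sub(want, big.NewInt(1))
	return want.Cmp(p) == 0
}

func main() {
	for _, alias := range []string{"P-256", "secp256r1", "prime256v1", "NIST P-256"} {
		c, ok := CurveByAlias(alias)
		fmt.Printf("%-12s -> recognised=%v Go name=%q prime matches secp256r1=%v\n",
			alias, ok, c.Params().Name, IsSecp256r1Prime(c.Params().P))
	}
	oid, err := OIDOfGoP256()
	if err != nil {
		panic(err)
	}
	fmt.Printf("OID in SEC 1 encoding: %s (prime256v1 OID: %v)\n", oid, oid == ansiX962Prime256v1.String())
}
```

The output shows why the docs can safely say "P-256" in prose while the `openssl` command keeps `prime256v1`: the encoded key and the TLS handshake both identify the curve by OID or IANA group ID, so the alias chosen in the documentation is purely a readability decision.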
