@Tomas Mraz We currently have 11 votes Yes so it should go

If we disable the capability (and I don't know what our community members that depend on this think of that) then it makes little sense to add that in and not have the change effective for the majority of our users - i.e. adding an option almost no one is likely to turn on doesn't really get a benefit.

It will also trigger clearer feedback about this change if we make it clearer the reasons and the outcome and that extra work would be required by users to enable it. We could also decide to simply remove that code entirely.

@Tim Hudson David Benjamin provided a pretty good rationale why it should be disabled here

Also explicit curves even matching well-known ones are forbidden for FIPS purposes, so I believe that it's a reasonable step forward.
I think that keeping this code for a while fits our traditional manner to deprecate things.

@Dmitry Belyavsky I'm well aware of the reasons behind wanting to do this and I wouldn't do it half-way - I would actually remove the code - but I think we should make sure we reach out and let people know in advance - removal is the clear message. Disable (and not by default) isn't. And disable by default I also think is a half-measure. Messages in the committers community certainly don't reach those who will be impacted by this.

@Tim Hudson There was also the same poll in a distro community

I would go further, and not only (compile-time) disable explicit curves, but also in TLS drop l the legacy EC curves (1–22) obsoleted by https://www.rfc-editor.org/rfc/rfc8422.html#section-5.1.1 from the "capabilities" list in the default and FIPS providers, i.e. the ones whose code points are:
```
$ git grep -ihP '^#define\s+OSSL_TLS_GROUP_ID_\S+\s+0x00(0[\da-f]|1[0-6])$' -- include/internal/tlsgroups.h
#define OSSL_TLS_GROUP_ID_sect163k1 0x0001
#define OSSL_TLS_GROUP_ID_sect163r1 0x0002
#define OSSL_TLS_GROUP_ID_sect163r2 0x0003
#define OSSL_TLS_GROUP_ID_sect193r1 0x0004
#define OSSL_TLS_GROUP_ID_sect193r2 0x0005
#define OSSL_TLS_GROUP_ID_sect233k1 0x0006
#define OSSL_TLS_GROUP_ID_sect233r1 0x0007
#define OSSL_TLS_GROUP_ID_sect239k1 0x0008
#define OSSL_TLS_GROUP_ID_sect283k1 0x0009
#define OSSL_TLS_GROUP_ID_sect283r1 0x000A
#define OSSL_TLS_GROUP_ID_sect409k1 0x000B
#define OSSL_TLS_GROUP_ID_sect409r1 0x000C
#define OSSL_TLS_GROUP_ID_sect571k1 0x000D
#define OSSL_TLS_GROUP_ID_sect571r1 0x000E
#define OSSL_TLS_GROUP_ID_secp160k1 0x000F
#define OSSL_TLS_GROUP_ID_secp160r1 0x0010
#define OSSL_TLS_GROUP_ID_secp160r2 0x0011
#define OSSL_TLS_GROUP_ID_secp192k1 0x0012
#define OSSL_TLS_GROUP_ID_secp192r1 0x0013
#define OSSL_TLS_GROUP_ID_secp224k1 0x0014
#define OSSL_TLS_GROUP_ID_secp224r1 0x0015
#define OSSL_TLS_GROUP_ID_secp256k1 0x0016
```

@Viktor Dukhovni are they available in FIPS provider at all?

I support your idea, but not sure I will have capacity for it. Also it should be a separate define