Hi Robert, thanks for your feedback. See my answers below.

Robert Relyea wrote on Monday, 25 September 2023 at 19:23:04 UTC+2:

On 8/21/23 11:52 PM, Falko Strenzke wrote:

Hi John,

that is great to hear. Our two interests are PQC algorithms for TLS in 
Firefox and S/MIME in Thunderbird. As I understand it you are working on 
the former. Hash-based signatures are also interesting for us, mainly 
stateless ones. Are you going to support SPHINCS+ certificates for TLS, too?

I don't know of anyone that's talking about hash-based signatures in any of 
the on-line protocols (TLS, SSH, IKE). The stateful ones have deployment 
issues and signature limitations, the stateless ones have too big of 
keys. 

The use case for hash-based appears to be mostly code-signing. It's also 
one of the few signing operations that have long lived signatures that 
could create real problems for a signature made today and a quantum 
computer 10 years in the future.

I agree that hash-based schemes will most likely not appear in EE 
certificates. But in the certificate chain they might very well appear, I 
think. There are currently concepts being discussed for stateful hash-based 
root CAs.

We'll probably have SPHINCS+ support in NSS. We'll recognize the OIDs so if 
you have them in your certs, we'll validate them, but I'm pretty sure TLS 
will not define SPHINCS+ authentication, and I wouldn't bet that you could 
fit a chain of SPHINCS+ signed certificates in an SSL Certificate Chain 
message. That's not exactly a next 12 months statement, though.

Indeed I wouldn't see SPHINCS⁺ in TLS primarily (if at all).

Your best indicator on what will be supportable is what the actual standards 
bodies define.

The point here is that waiting for final standards delays large scale 
proof-of-concept testing for PQC migration – maybe by years. What I think 
would be useful is having at least ML-DSA (Dilithium) as a signature 
algorithm for authenticating the handshake in TLS. Could you imagine 
integrating that in NSS? Do you think an existing (individual) RFC draft 
for PQC signature identifiers in TLS would help here?

Will there also be a publicly available version of Firefox with PQC support?

As we add support for PQC, they will be publicly available. NSS and Firefox 
are open source and developed out of publicly available repositories.

And do you already have a decision or idea about the (temporary) 
certificate standard you are going to follow? If we could agree on a set of 
algorithms and the preliminary certificate format, that would be ideal.

Temporary standards, if used, are likely to be marked experimental because 
they are transient standards and can change (so we worry about 
interoperability). Even the X25519+Kyber768 is experimental.

The two areas of most work (in the entire crypto industry, not just Firefox 
or NSS) is getting standardized hybrid into our streaming protocols which 
are subject to 'record now/decrypt later' attacks and firmware/code 
signing. These are the two main areas where the useful life of the 
encrypted/signed objects may outstrip the potential advent of a crypto 
relevant quantum computer. I expect that will be where most of the work 
occurs in 2024. Remember: the only standardized PQ algorithms right now are 
LMS/HSS and XMSS, XMSS/MT. That will change by early 2024 (NIST now has 
drafts for Kyber, Dilithium, and SPHINCS).

I understand being cautious to release experimental / not yet standardised 
features. Is there a concept in the NSS / Firefox code base and a 
development workflow for such features to be integrated into the code but 
not being accessible in the release version? That might facilitate 
contributions of experimental features that are not too invasive with 
respect to the source code structure such as merely adding new algorithms.

- Falko


On Wed., 16 Aug. 2023 at 17:55, John Schanck <jsch...@mozilla.com> wrote:

Hi Falko, we are adding support for the X25519+Kyber768 TLS key exchange to 
NSS. There's work-in-progress attached to Bug 1775046, although we are 
waiting for the (draft) NIST standard version of Kyber.

We will also be adding support for some hash-based signatures to NSS. I 
don't expect that we will do much experimentation with non-hash-based PQ 
signatures in the near-term, although if there are specific systems that 
you're interested in evaluating I'd be happy to discuss further.

John

On Tue, Aug 15, 2023 at 4:38 AM Falko Strenzke <ek.st...@gmail.com> wrote:

Hi,

I am interested to learn whether there are any short term or medium term 
plans to already add experimental support for post quantum cryptography to 
Firefox for TLS and to Thunderbird for S/MIME. We are ourselves working on 
integrations of PQC into our PKI products and would be interested to be 
compatible with these clients in order to have a small compatible ecosystem 
for evaluation and demonstration of PQC readiness. Maybe some kind of 
cooperation is possible in this field?

- Falko
-- 

*MTG AG*
Dr. Falko Strenzke
Executive System Architect