Hi Kai, hi Robert,

On Monday, 25 September 2023 at 19:02:57 UTC+2, Robert Relyea wrote:

On 9/22/23 7:42 AM, Kai Engert wrote: 
> Hi Falko, 
> 
> On 22.08.23 08:52, Falko Strenzke wrote: 
>> Our two interests are PQC algorithms for TLS in Firefox and S/MIME in 
>> Thunderbird. As I understand it you are working on the former. 
> 
> does the experimental code in bug 1775046, which John mentioned, help 
> you in any way for your request? 

The relevant algorithm standards are still in Draft (no one is going to 
use stateful hashes to sign email). TLS key exchange is the current low 
hanging fruit (hybrid gives you resistance to record and playback in the 
PQ case, and resistance to potential classic attacks against our very 
new PQ algorithms). 


S/MIME is another matter. You do care about keeping your email free from 
decryption in the future, so key exchange is a priority. But you then 
need to decide do you want hybrid key exchange, or pure PQ. You need 
X509 to define which type of key exchange certs you want. If your 
message has multiple users, you are vulnerable to the weakest (so if one 
recipient is using a classical algorithm, the attacker can decrypt the 
message with a quantum computer in the future even if you are using a 
hybrid or PQ key yourself. If one recipient is using pure PQ and that 
algorithm develops a classical attack, you become vulnerable). 

There exists a draft for using KEM in CMS 
<https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-kemri/> and as I 
understand it, for the integration in S/MIME not too much more is 
necessary. The security issues you mention are obviously a concern, as is 
the use of outdated schemes generally in such aged protocols (for instance 
malleable CBC encryption in S/MIME). That could only be addressed by 
policies enforced by the e-mail client.


> 
> Would you be able to build Firefox yourself with that experimental 
> code, and perform interoperability tests? 
> 
> Regarding S/MIME, I'm not aware of anyone working on PQC support for 
> the CMS code in the NSS library yet, and I personally haven't seen any 
> plans for that yet either. 
> 
> Are there already specifications/RFCs that describe how to use PQC 
> algorithms with CMS for S/MIME? 


Kai is absolutely right. I think people are at the 'talking about it' 
stage for CMS and S/MIME. I know that they've fed comments back to NIST 
before the drafts. The fact that Classic McEliece is not one of the 
original standards sort of tells me that CMS and S/MIME are not as 
advanced in their pre-standards work as TLS (since these are the one 
protocol that would likely benefit from a large, expensive, but highly 
secure KEA). 

Interesting that you see McEliece for S/MIME. According to my knowledge, 
one problem here is that one's own encryption certificates are usually sent 
along with the encrypted message, thus always incurring the large McEliece 
key. But that problem could probably be solved by smarter decisions in the 
clients as to when there is a need to send one's own encryption certificate 
and when not.

> 
> If yes, do those specifications use the same algorithms as TLS? 
> 
> If yes, a project to add PQC support to the CMS module of the NSS 
> library could use the NSS algorithm implementations. 
> 
> As of today, I haven't seen any plans to work on that. Unless Firefox 
> has a need for CMS, then this kind of enhancement would likely have to 
> be driven by the Thunderbird Project, or by contributors who would 
> like to see this functionality added to Thunderbird. 


I currently come to the conclusion that a proof-of-concept implementation 
that can make use of PQC certificates is much easier to reach for TLS – 
namely by just adding PQC signature algorithms to X.509 (IETF drafts exist) 
and to TLS (draft not yet existing, but content would be trivial) – than 
for S/MIME, where I think that even though drafts and RFCs exist for 
signature and KEM in CMS, the implementation would require much more 
effort. However, as Robert pointed out, for TLS the pressing "store now – 
decrypt later" problem can be addressed without the need for PQC 
certificates, which is not the case for S/MIME, and thus PQC-enabling 
the latter would maybe be the more interesting use case for an 
experimental implementation.

- Falko

> 
> I don't have answers for your other questions. 
> 
> Regards 
> Kai 
> 
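Robert's point about the message being only as strong as its weakest recipient, and Falko's remark that this can only be addressed by policies enforced by the e-mail client, worked through as an added illustration (this is my own example, not code from NSS, Thunderbird or the CMS KEM draft). It assumes three things that are not on the page: a concatenation-style hybrid combiner (both KEM shared secrets into one HKDF call), a constructed "resistance" label per certificate key type (classical, pure PQ, hybrid), and a toy HMAC-based key wrap standing in for AES key wrap. Real KEM outputs are replaced by random bytes.

```python
import hashlib
import hmac
import os

# --- HKDF (RFC 5869) over SHA-256, standard library only ---
def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """Extract-then-expand; an empty salt is treated as HashLen zero bytes."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

# --- Hybrid combiner (constructed, modelled on the concatenation approach) ---
def hybrid_shared_secret(ss_classical: bytes, ss_pq: bytes, context: bytes) -> bytes:
    """Both KEM outputs feed one KDF, so an attacker who breaks only one of
    the two components still lacks part of the KDF input. Assumption: this
    layout is an illustration, not a specific draft's exact byte encoding."""
    return hkdf(ss_classical + ss_pq, salt=b"", info=context)

# --- Resistance model for the recipients' encryption-certificate key types ---
QUANTUM, CLASSICAL = "quantum", "classical"
RESISTS = {                          # labels constructed for this illustration
    "classical": {CLASSICAL},        # RSA/ECDH: mature, but broken by a future CRQC
    "pure-pq": {QUANTUM},            # young algorithm: quantum-safe, less scrutiny
    "hybrid": {CLASSICAL, QUANTUM},  # both components must fall to decrypt
}

def effective_resistance(recipient_key_types):
    """One content key is wrapped for every recipient, so the message resists
    only what every recipient's key resists: the intersection."""
    result = {CLASSICAL, QUANTUM}
    for kind in recipient_key_types:
        result &= RESISTS[kind]
    return result

def policy_allows(recipient_key_types, required) -> bool:
    """Client-side policy: send only if every required property survives."""
    return set(required) <= effective_resistance(recipient_key_types)

# --- Envelope: one CEK, one per-recipient wrapped copy (toy wrap, NOT AES-KW) ---
TAG_LEN = 16

def wrap_key(kek: bytes, cek: bytes) -> bytes:
    stream = hkdf(kek, b"", b"wrap", len(cek))
    body = bytes(a ^ b for a, b in zip(cek, stream))
    tag = hmac.new(kek, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag

def unwrap_key(kek: bytes, wrapped: bytes):
    """Returns the CEK, or None if the tag does not verify under this KEK."""
    body, tag = wrapped[:-TAG_LEN], wrapped[-TAG_LEN:]
    expected = hmac.new(kek, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    stream = hkdf(kek, b"", b"wrap", len(body))
    return bytes(a ^ b for a, b in zip(body, stream))

def build_envelope(cek: bytes, recipient_keks: dict) -> dict:
    """Mirror of the KEMRecipientInfo idea: each recipient's KEM-derived KEK
    wraps the same CEK, so recovering any single KEK yields the whole message."""
    return {rid: wrap_key(kek, cek) for rid, kek in recipient_keks.items()}

def demo():
    # Constructed shared secrets standing in for real KEM outputs.
    ss_ecdh, ss_mlkem = os.urandom(32), os.urandom(32)
    kek_alice = hybrid_shared_secret(ss_ecdh, ss_mlkem, b"recipient:alice")
    kek_bob = hkdf(os.urandom(32), b"", b"recipient:bob")  # classical-only recipient
    cek = os.urandom(32)
    env = build_envelope(cek, {"alice": kek_alice, "bob": kek_bob})
    return {
        "alice_ok": unwrap_key(kek_alice, env["alice"]) == cek,
        "bob_ok": unwrap_key(kek_bob, env["bob"]) == cek,
        "effective": effective_resistance(["hybrid", "classical"]),
        "send_allowed": policy_allows(["hybrid", "classical"], [QUANTUM]),
    }

if __name__ == "__main__":
    print(demo())
```

The intersection in effective_resistance is the whole point: Alice's hybrid key does not help once Bob's classical-only copy of the same CEK is in the envelope, so a client wanting "store now, decrypt later" protection has to refuse (or split the message) before encrypting, which is the kind of policy a client would need to enforce on top of the CMS mechanics.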
