On Tue, Nov 19, 2024 at 08:52:03AM +0200, Mohit Sethi wrote:
> Hi Achim, Viktor,
>
> Answering to multiple posts in a single email.
>
> > The provisioning is frequently done "out-of-band" and the trust is
> > based on that procedure.
>
> As observed from the formal modeling exercise:
> https://a
Hi Mohit,
> B and C are fighter jets, and A is their commander. B has been
> compromised by the enemy. A tells B to self-destruct, but because B
> mounted a misbinding attack, the command goes to C.
As long as:
- each party uses its own key-pair
(that is commonly achieved by generating a key-
On Monday, 18 November 2024 23:24:51 CET, D. J. Bernstein wrote:
Alicja Kario writes:
Unfortunately, I don't think we have a rough consensus in
LAMPS on how hybrid signatures should be done just yet, and without that,
we can't standardise it for TLS.
It's trivial to build a signature system wh
Alicja Kario writes:
> We can't use hybrid if we don't have a specification how to put hybrid
> keys into X.509 certificates.
Take a specification of how to put a Dilithium key into certificates.
Modify the spec as follows: replace Dilithium with the trivial
Ed25519+Dilithium concatenation.
This
Achim Kraus writes:
>> B and C are fighter jets, and A is their commander. B has been
>> compromised by the enemy. A tells B to self-destruct, but because B
>> mounted a misbinding attack, the command goes to C.
>
>As long as:
>[...]
But more importantly you also need to have:
- Fighter jets in
Thank you for your replies, but please allow me to explore this.
My primary question is whether a system signing a message M with both
ML-DSA-87 and an ECC method, where a clear 'path' exists tracing the
message to the ML-DSA-87 signature, would lose CNSA 2.0 compliance just
because there is some
Hi Panos,
Here are some more details on what we see in connections to Cloudflare.
> To validate this theory, what would your data show if you queried for the %
> of conns that transfer <.5 or <1KB? If that is a lot, then there are many
> small conns that skew the median downwards. Or what if you ru
The standalone ML-DSA-87 option specified in this draft is CNSA 2.0 compliant.
There are no plans to support hybrid solutions for CNSA 2.0 (other than where
required due to protocol constraints, such as during key establishment in IKEv2
as pointed out earlier in this thread). As such, our CNSA 2
(and AES-256-GCM)
On Tue, Nov 19, 2024, 5:11 PM Deirdre Connolly
wrote:
> > In other words, does CNSA 2.0 tolerate ECC, by effectively ignoring its
> > presence, or not?
>
> From
> https://www.ietf.org/archive/id/draft-becker-cnsa2-tls-profile-00.html:
>
> "In order to meet the goal of a consisten
> In other words, does CNSA 2.0 tolerate ECC, by effectively ignoring its
> presence, or not?
From https://www.ietf.org/archive/id/draft-becker-cnsa2-tls-profile-00.html:
"In order to meet the goal of a consistent security level for the entire
cipher suite, CNSA TLS implementations MUST only use t
On Tuesday, 19 November 2024 15:27:03 CET, D. J. Bernstein wrote:
Alicja Kario writes:
Or:
Auditor sees that P + Q system is more complex to implement and validate
than a simple Q system, therefore ML-DSA security >
ML-DSA+Ed25519 security.
Therefore the deployment of CECPQ2b = ECC+SIKE shoul
Alicja Kario writes:
> D. J. Bernstein wrote:
> > Alicja Kario writes:
> > > Auditor sees that P + Q system is more complex to implement and validate
> > > than a simple Q system, therefore ML-DSA security > ML-DSA+Ed25519
> > > security.
> > Therefore the deployment of CECPQ2b = ECC+SIKE should ha