On 6/7/24 2:36 PM, Eric Rescorla wrote:


On Fri, Jun 7, 2024 at 11:41 AM D. J. Bernstein <d...@cr.yp.to> wrote:

    Eric Rescorla writes:
    > I'm struggling to understand what people think is at stake here.

    The WG will soon be faced with decisions regarding which curve+PQ
    hybrids to recommend for TLS.


It's important to distinguish between two senses of the word "recommend".

- Is marked "Recommended=Y" in the registry.
- Having the RFC say that you SHOULD/MUST support an algorithm.

The word "recommended" notwithstanding, these are different things.
For example, RFC 8446 says:

   A TLS-compliant application MUST support key exchange with secp256r1
   (NIST P-256) and SHOULD support key exchange with X25519 [RFC7748].

But the IANA registry also lists X448 and secp384r1 as "Recommended=Y".

I will also point out that even though x25519 is 'only' SHOULD, it's the most selected option, while p256 is the most 'available' (by a small margin). I would expect similar behavior with hybrid.

This has little to do with the IETF's recommendation and the actual behavior of the vendors. Almost certainly, no matter what is said in this forum, as we see deployments X25519+ML-KEM will be the most commonly sent variant in the initial hello, with some number of p-256+ML-KEM sent from those clients that for some compliance reason can't do X25519+ML-KEM (or believe they can't do that combination*). There will even be (very few) p384+ML-KEM sends out there. Those requiring compliance will almost certainly be willing to HRR to get to their preferred algorithm. The IETF can make all the recommendations they want, but as long as it's allowed, vendors will do what they need.

As such, while this thread definitely has useful and interesting information (thanks Cloudflare for your metrics of TLS 1.3 connections!), it doesn't really deserve the heat it seems to generate because it's not really a life or death of the internet. No one is going to send multiple hybrids on the same connection. Vendors will choose as their business needs dictate.

bob



So, what configuration are you advocating for here? Here are some options:

P-256+ML-KEM          X25519+ML-KEM
--------------------------------------------------
Recommended=Y, MAY    Recommended=Y, MAY
Recommended=N, MAY    Recommended=Y, MAY
Recommended=Y, MAY    Recommended=Y, MUST/SHOULD
Recommended=N, MAY    Recommended=Y, MUST/SHOULD

One of these? Or some other?

Yes, and none of them say which you will put in your hello message, which I think Dan is asking for and which the Working Group is actively saying "It's up to the vendors".

-Ekr




_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org
