On Thursday, 24 October 2024 17:58:18 CEST, Watson Ladd wrote:
On Thu, Oct 24, 2024 at 8:52 AM Tim Hollebeek
<tim.hollebeek=40digicert....@dmarc.ietf.org> wrote:
My personal feelings on pure vs composite are actually the union of several
previous comments:
1. Like EKR, I actually have a weak preference for composite, all other
things being equal. Failures happen and I like backup mechanisms
when they are relatively affordable and can be afforded. ...
If there is an ecosystem that cannot afford an algorithm break in a
signature, and where other constraints are less important, there is
only one choice: hash based signatures.
The difference in security between authentication and encryption (we
do not need authentication to last more than a second beyond the
lifetime of a connection) means that the consequences of a break are
different. If tomorrow RSA was insecure, we would switch to ECC: no
hybrid certs necessary. Likewise we can deploy multiple signature
algorithms.
Of course people complain that it takes time to switch certs etc. etc.
That's exactly why we've invested in automated issuance.
and precisely why we have algorithm agility in TLS; and precisely why any
half-decent server has support for setting up two certificates: now
we use it for RSA and ECDSA, but we need to be able to use it with ECDSA
and ML-DSA, _soon_
and for that we need the signature scheme IDs
--
Regards,
Alicja (nee Hubert) Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00, Brno, Czech Republic
_______________________________________________
TLS mailing list -- tls@ietf.org