On Thu, Oct 24, 2024 at 12:39:28PM +0100, Stephen Farrell wrote:
>
> On 23/10/2024 18:29, Bas Westerbaan wrote:
> >
> > Unless I overlooked something, we don't have a draft out to assign a
> > SignatureAlgorithm to ML-DSA for use in TLS.

Nitpick: SignatureScheme. :-)

(SignatureAlgorithm is from TLS 1.2.)

> I don't think a gap in the set of documentation is
> anywhere near a good reason to add things to TLS.

For Post-Quantum authentication in TLS, ML-DSA is currently pretty much
the only option:

- PSKs have serious scaling issues.
- SLH-DSA signature size causes performance issues.
- Composite/Hybrid signatures do not seem to be even close to ready.

Also, ML-DSA-87 is in CNSA 2.0, so barring a major surprise, with that
algorithm it is when, not if it is added.

I think the reason here for searching for an existing draft is to avoid
duplicate work.

> I also agree with ekr that there's absolutely no real
> rush here, despite what seems like vendor enthusiasm
> for shiny new things.

I don't think ML-DSA is shiny (despite being new). The rule of thumb
in cryptography about shiny things is that unless you are into crypto
research, stay away.

On the other side, why wait? I do not see any open issues that would
require research or experimentation to resolve.

And historically PKI transitions have been very slow, so one needs
plenty of time-to-CRQC. The impression I got from looking at the CNSA 2.0
specification was that the timelines looked pretty tight.

-Ilari