Russ Housley wrote:
>Thanks for doing this work.  I hope the TLS WG will promptly adopt it.
+1

”Conversely, the fast version prioritizes speed over signature size, minimizing 
the time required to generate and verify signatures.”

This is incorrect. The “f” versions only have faster key generation and 
signing. They have slower verification.

Cheers,
John

From: Peter C <Peter.C=40ncsc.gov...@dmarc.ietf.org>
Date: Sunday, 3 November 2024 at 17:49
To: tirumal reddy <kond...@gmail.com>
Cc: IETF TLS <tls@ietf.org>
Subject: [TLS] Re: New Version Notification for draft-tls-reddy-slhdsa-00.txt
Tiru,

Is SLH-DSA considered a practical option for TLS end-entity certificates?

Under realistic network conditions, TLS handshakes with full SLH-DSA 
certificate chains seem to be about 5-10 times slower than traditional 
certificate chains and, in some cases, can take on the order of seconds.  See, 
for example, the results in https://eprint.iacr.org/2020/071, 
https://eprint.iacr.org/2021/1447, https://mediatum.ub.tum.de/1728103 and 
https://thomwiggers.nl/post/tls-measurements/.

I agree that there’s an argument for using SLH-DSA in root certificates, but 
I’m surprised it’s being proposed for the full chain.

Peter

From: Russ Housley <hous...@vigilsec.com>
Sent: 03 November 2024 11:13
To: tirumal reddy <kond...@gmail.com>
Cc: IETF TLS <tls@ietf.org>
Subject: [TLS] Re: New Version Notification for draft-tls-reddy-slhdsa-00.txt

Thanks for doing this work.  I hope the TLS WG will promptly adopt it.

Russ

On Nov 2, 2024, at 8:15 PM, tirumal reddy <kond...@gmail.com> wrote:

Hi all,

This draft https://datatracker.ietf.org/doc/draft-tls-reddy-slhdsa/ specifies 
how the PQC signature scheme SLH-DSA can be used for authentication in TLS 1.3.
Comments and suggestions are welcome.

Regards,
-Tiru
---------- Forwarded message ---------
From: <internet-dra...@ietf.org<mailto:internet-dra...@ietf.org>>
Date: Sun, 3 Nov 2024 at 05:39
Subject: New Version Notification for draft-tls-reddy-slhdsa-00.txt
To: Tirumaleswar Reddy.K <kond...@gmail.com<mailto:kond...@gmail.com>>, John 
Gray <john.g...@entrust.com<mailto:john.g...@entrust.com>>, Scott Fluhrer 
<sfluh...@cisco.com<mailto:sfluh...@cisco.com>>, Timothy Hollebeek 
<tim.holleb...@digicert.com<mailto:tim.holleb...@digicert.com>>


A new version of Internet-Draft draft-tls-reddy-slhdsa-00.txt has been
successfully submitted by Tirumaleswar Reddy and posted to the
IETF repository.

Name:     draft-tls-reddy-slhdsa
Revision: 00
Title:    Use of SLH-DSA in TLS 1.3
Date:     2024-11-02
Group:    Individual Submission
Pages:    8
URL:      https://www.ietf.org/archive/id/draft-tls-reddy-slhdsa-00.txt
Status:   https://datatracker.ietf.org/doc/draft-tls-reddy-slhdsa/
HTML:     https://www.ietf.org/archive/id/draft-tls-reddy-slhdsa-00.html
HTMLized: https://datatracker.ietf.org/doc/html/draft-tls-reddy-slhdsa

Abstract:

   This memo specifies how the post-quantum signature scheme SLH-DSA
   [FIPS205] is used for authentication in TLS 1.3.

_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org

Reply via email to