Tirumal Reddy wrote: > SLH-DSA is not proposed for the end-entity certificates, it is preferred > for CA certificates (please see the 3rd paragraph in > https://www.ietf.org/archive/id/draft-tls-reddy-slhdsa-00.html#section-2)
Yes, except the introduction says: "This memo specifies how SLH-DSA can be negotiated for authentication in TLS 1.3 via the 'signature_algorithms' and 'signature_algorithms_cert' extensions." which certainly implies end-entity certificates with SLH-DSA public keys. I realise that a single SignatureScheme registry is used for both extensions, so if you are not proposing SLH-DSA end-entity certificates then you need to be more explicit that it is not recommended for use in signature_algorithms. Peter From: tirumal reddy <kond...@gmail.com> Sent: 04 November 2024 07:16 To: Peter C <pete...@ncsc.gov.uk> Cc: IETF TLS <tls@ietf.org> Subject: Re: [TLS] Re: New Version Notification for draft-tls-reddy-slhdsa-00.txt Hi Peter, Please see inline On Sun, 3 Nov 2024 at 22:17, Peter C <pete...@ncsc.gov.uk<mailto:pete...@ncsc.gov.uk>> wrote: Tiru, Is SLH-DSA considered a practical option for TLS end-entity certificates? Under realistic network conditions, TLS handshakes with full SLH-DSA certificate chains seem to be about 5-10 times slower than traditional certificate chains and, in some cases, can take on the order of seconds. See, for example, the results in https://eprint.iacr.org/2020/071, https://eprint.iacr.org/2021/1447, https://mediatum.ub.tum.de/1728103 and https://thomwiggers.nl/post/tls-measurements/. I agree that there's an argument for using SLH-DSA in root certificates, but I'm surprised it's being proposed for the full chain. SLH-DSA is not proposed for the end-entity certificates, it is preferred for CA certificates (please see the 3rd paragraph in https://www.ietf.org/archive/id/draft-tls-reddy-slhdsa-00.html#section-2) -Tiru Peter From: Russ Housley <hous...@vigilsec.com<mailto:hous...@vigilsec.com>> Sent: 03 November 2024 11:13 To: tirumal reddy <kond...@gmail.com<mailto:kond...@gmail.com>> Cc: IETF TLS <tls@ietf.org<mailto:tls@ietf.org>> Subject: [TLS] Re: New Version Notification for draft-tls-reddy-slhdsa-00.txt Thanks for doing this work. I hope the TLS WG will promptly adopt it. Russ On Nov 2, 2024, at 8:15 PM, tirumal reddy <kond...@gmail.com<mailto:kond...@gmail.com>> wrote: Hi all, This draft https://datatracker.ietf.org/doc/draft-tls-reddy-slhdsa/ specifies how the PQC signature scheme SLH-DSA can be used for authentication in TLS 1.3. Comments and suggestions are welcome. Regards, -Tiru ---------- Forwarded message --------- From: <internet-dra...@ietf.org<mailto:internet-dra...@ietf.org>> Date: Sun, 3 Nov 2024 at 05:39 Subject: New Version Notification for draft-tls-reddy-slhdsa-00.txt To: Tirumaleswar Reddy.K <kond...@gmail.com<mailto:kond...@gmail.com>>, John Gray <john.g...@entrust.com<mailto:john.g...@entrust.com>>, Scott Fluhrer <sfluh...@cisco.com<mailto:sfluh...@cisco.com>>, Timothy Hollebeek <tim.holleb...@digicert.com<mailto:tim.holleb...@digicert.com>> A new version of Internet-Draft draft-tls-reddy-slhdsa-00.txt has been successfully submitted by Tirumaleswar Reddy and posted to the IETF repository. Name: draft-tls-reddy-slhdsa Revision: 00 Title: Use of SLH-DSA in TLS 1.3 Date: 2024-11-02 Group: Individual Submission Pages: 8 URL: https://www.ietf.org/archive/id/draft-tls-reddy-slhdsa-00.txt Status: https://datatracker.ietf.org/doc/draft-tls-reddy-slhdsa/ HTML: https://www.ietf.org/archive/id/draft-tls-reddy-slhdsa-00.html HTMLized: https://datatracker.ietf.org/doc/html/draft-tls-reddy-slhdsa Abstract: This memo specifies how the post-quantum signature scheme SLH-DSA [FIPS205] is used for authentication in TLS 1.3.
_______________________________________________ TLS mailing list -- tls@ietf.org To unsubscribe send an email to tls-le...@ietf.org
