On Monday, 4 November 2024 14:39:12 CET, Peter C wrote:
Tirumal Reddy wrote:
SLH-DSA is not proposed for the end-entity certificates, it is preferred
for CA certificates (please see the 3rd paragraph in
https://www.ietf.org/archive/id/draft-tls-reddy-slhdsa-00.html#section-2)
Yes, except the introduction says:
“This memo specifies how SLH-DSA can be negotiated for authentication
in TLS 1.3 via the ‘signature_algorithms’ and ‘signature_algorithms_cert’
extensions.”
which certainly implies end-entity certificates with SLH-DSA public keys.
I realise that a single SignatureScheme registry is used for
both extensions, so
if you are not proposing SLH-DSA end-entity certificates then you need to be
more explicit that it is not recommended for use in signature_algorithms.
I think that's more of an argument for marking it as "Recommended = N"
in the registry than outright forbidding it in CertificateVerify.
Yes, it's totally overkill for signing TLS messages, and normal Internet
clients and servers should not use it, but I think forbidding it for
signature_algorithms and not signature_algorithms_cert will just complicate
implementations unnecessarily.
Peter
From: tirumal reddy <kond...@gmail.com>
Sent: 04 November 2024 07:16
To: Peter C <pete...@ncsc.gov.uk>
Cc: IETF TLS <tls@ietf.org>
Subject: Re: [TLS] Re: New Version Notification for
draft-tls-reddy-slhdsa-00.txt
Hi Peter,
Please see inline
On Sun, 3 Nov 2024 at 22:17, Peter C <pete...@ncsc.gov.uk> wrote:
Tiru,
Is SLH-DSA considered a practical option for TLS end-entity certificates?
Under realistic network conditions, TLS handshakes with full
SLH-DSA certificate chains seem to be about 5-10 times slower
than traditional certificate chains and, in some cases, can take
on the order of seconds. See, for example, the results in
https://eprint.iacr.org/2020/071,
https://eprint.iacr.org/2021/1447,
https://mediatum.ub.tum.de/1728103 and
https://thomwiggers.nl/post/tls-measurements/.
I agree that there’s an argument for using SLH-DSA in root
certificates, but I’m surprised it’s being proposed for the full
chain.
SLH-DSA is not proposed for the end-entity certificates, it is
preferred for CA certificates (please see the 3rd paragraph
in https://www.ietf.org/archive/id/draft-tls-reddy-slhdsa-00.html#section-2)
-Tiru
Peter
From: Russ Housley <hous...@vigilsec.com>
Sent: 03 November 2024 11:13
To: tirumal reddy <kond...@gmail.com>
Cc: IETF TLS <tls@ietf.org>
Subject: [TLS] Re: New Version Notification for
draft-tls-reddy-slhdsa-00.txt
Thanks for doing this work. I hope the TLS WG will promptly adopt it.
Russ
On Nov 2, 2024, at 8:15 PM, tirumal reddy <kond...@gmail.com> wrote:
Hi all,
This draft
https://datatracker.ietf.org/doc/draft-tls-reddy-slhdsa/
specifies how the PQC signature scheme SLH-DSA can be used for
authentication in TLS 1.3.
Comments and suggestions are welcome.
Regards,
-Tiru
---------- Forwarded message ---------
From: <internet-dra...@ietf.org>
Date: Sun, 3 Nov 2024 at 05:39
Subject: New Version Notification for draft-tls-reddy-slhdsa-00.txt
To: Tirumaleswar Reddy.K <kond...@gmail.com>, John Gray
<john.g...@entrust.com>, Scott Fluhrer <sfluh...@cisco.com>,
Timothy Hollebeek <tim.holleb...@digicert.com>
A new version of Internet-Draft draft-tls-reddy-slhdsa-00.txt has been
successfully submitted by Tirumaleswar Reddy and posted to the
IETF repository.
Name: draft-tls-reddy-slhdsa
Revision: 00
Title: Use of SLH-DSA in TLS 1.3
Date: 2024-11-02
Group: Individual Submission
Pages: 8
URL: https://www.ietf.org/archive/id/draft-tls-reddy-slhdsa-00.txt
Status: https://datatracker.ietf.org/doc/draft-tls-reddy-slhdsa/
HTML: https://www.ietf.org/archive/id/draft-tls-reddy-slhdsa-00.html
HTMLized: https://datatracker.ietf.org/doc/html/draft-tls-reddy-slhdsa
Abstract:
This memo specifies how the post-quantum signature scheme SLH-DSA
[FIPS205] is used for authentication in TLS 1.3.
--
Regards,
Alicja (nee Hubert) Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00, Brno, Czech Republic
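
The two extensions discussed in this thread, as an added example that is not part of any message above and is not code from the draft: it parses `signature_algorithms` and `signature_algorithms_cert` from a constructed extension block and shows the RFC 8446 fallback, under which a peer that sends only `signature_algorithms` offers the same schemes for CertificateVerify and for certificate signatures. The SLH-DSA codepoint `0xFE01` is a private-use placeholder (the thread gives no codepoint), and the helper names and the `forbidden` parameter are hypothetical.

```python
import struct

SIG_ALGS, SIG_ALGS_CERT = 13, 50   # extension types from RFC 8446
ECDSA_P256, RSA_PSS_SHA256 = 0x0403, 0x0804
SLH_DSA = 0xFE01                   # placeholder private-use codepoint (assumption)

def ext(ext_type, schemes):
    """Encode one extension whose body is a SignatureSchemeList."""
    body = b"".join(struct.pack("!H", s) for s in schemes)
    data = struct.pack("!H", len(body)) + body
    return struct.pack("!HH", ext_type, len(data)) + data

def parse_sig_exts(blob):
    """Return {extension type: [schemes]} for the two signature extensions."""
    found, off = {}, 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack_from("!HH", blob, off)
        data = blob[off + 4:off + 4 + ext_len]
        off += 4 + ext_len
        if len(data) != ext_len:
            raise ValueError("truncated extension body")
        if ext_type in (SIG_ALGS, SIG_ALGS_CERT):
            n = int.from_bytes(data[:2], "big")
            if n == 0 or n % 2 or n != ext_len - 2:
                raise ValueError("bad SignatureSchemeList length")
            found[ext_type] = [int.from_bytes(data[i:i + 2], "big")
                               for i in range(2, 2 + n, 2)]
    return found

def offered(blob):
    """Schemes the peer accepts for (CertificateVerify, certificate chain)."""
    exts = parse_sig_exts(blob)
    cv = exts.get(SIG_ALGS, [])
    # RFC 8446 section 4.2.3: with no signature_algorithms_cert extension,
    # signature_algorithms also applies to signatures in certificates.
    return cv, exts.get(SIG_ALGS_CERT, cv)

def pick_cert_verify(blob, preference, forbidden=()):
    """First locally preferred scheme the peer offers for CertificateVerify."""
    cv, _ = offered(blob)
    return next((s for s in preference if s in cv and s not in forbidden), None)

# Constructed sample extension blocks (not captured traffic).
SPLIT = ext(SIG_ALGS, [ECDSA_P256, RSA_PSS_SHA256]) + ext(SIG_ALGS_CERT, [SLH_DSA, ECDSA_P256])
ONLY_SIG_ALGS = ext(SIG_ALGS, [SLH_DSA, ECDSA_P256])

if __name__ == "__main__":
    print(offered(SPLIT), offered(ONLY_SIG_ALGS))
    print(pick_cert_verify(ONLY_SIG_ALGS, [ECDSA_P256, SLH_DSA]))
```

Passing `forbidden=[SLH_DSA]` models a per-extension ban, while ordering `preference` so that the scheme comes last models deprioritising it without a ban.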