Thanks for the work on this document, it's highly appreciated!
A few comments:
- If we allow PKCS#1v1.5 signature schemes in signature_algorithms_cert but not in signature_algorithms, I think we should, at the very least, ask IANA to add a column to the SignatureScheme namespace that includes that information.
- While the descriptive text does say PKCS#1v1.5 schemes shouldn't be in signature_algorithms, it doesn't specify peer behaviour if the other side of the connection misbehaves ("MAY abort the connection with illegal_parameter if it's included in the Client Hello or Certificate Request signature_algorithms extension" and "MUST abort the connection with an illegal_parameter alert if it's used in the Certificate Verify message"?).
- While the mapping of schemes to OIDs in draft-ietf-lamps-pq-composite-sigs for ECDSA and EdDSA is clear and 1-to-1, that's not the case for RSA. draft-ietf-lamps-pq-composite-sigs specifies RSA with specific key sizes, and for example we have both id-HashMLDSA65-RSA3072-PSS-SHA512 and id-HashMLDSA65-RSA4096-PSS-SHA512... which one should be used with mldsa65_rsa_pss_pss_sha384?
- Same for the hash function: draft-ietf-lamps-pq-composite-sigs uses SHA-512 for the combinations with ML-DSA65, while this draft specifies SHA-384... I think they should be aligned and identical: the draft-ietf-lamps-pq-composite-sigs schemes should be considered atomic, with a key of id-HashMLDSA65-RSA3072-PSS-SHA512 able to perform signatures only with that scheme, not with arbitrary hash functions...
On Saturday, 16 November 2024 06:57:17 CET, tirumal reddy wrote:
Hi all,
The updated draft
https://datatracker.ietf.org/doc/draft-reddy-tls-composite-mldsa/,
incorporates feedback received from the WG. It outlines how
ML-DSA in combination with traditional algorithms can be
utilized for authentication in TLS 1.3.
Further, comments and suggestions are welcome.
Best Regards,
-Tiru
---------- Forwarded message ---------
From: <internet-dra...@ietf.org>
Date: Thu, 14 Nov 2024 at 16:55
Subject: New Version Notification for draft-reddy-tls-composite-mldsa-00.txt
To: Tirumaleswar Reddy.K <kond...@gmail.com>, John Gray
<john.g...@entrust.com>, Scott Fluhrer <sfluh...@cisco.com>,
Timothy Hollebeek <tim.holleb...@digicert.com>
A new version of Internet-Draft draft-reddy-tls-composite-mldsa-00.txt has
been successfully submitted by Tirumaleswar Reddy and posted to the
IETF repository.
Name: draft-reddy-tls-composite-mldsa
Revision: 00
Title: Use of Composite ML-DSA in TLS 1.3
Date: 2024-11-14
Group: Individual Submission
Pages: 8
URL: https://www.ietf.org/archive/id/draft-reddy-tls-composite-mldsa-00.txt
Status: https://datatracker.ietf.org/doc/draft-reddy-tls-composite-mldsa/
HTML: https://www.ietf.org/archive/id/draft-reddy-tls-composite-mldsa-00.html
HTMLized: https://datatracker.ietf.org/doc/html/draft-reddy-tls-composite-mldsa
Abstract:
This document specifies how the post-quantum signature scheme ML-DSA [FIPS204], in combination with the traditional algorithms RSA-PKCS#1v1.5, RSA-PSS, ECDSA, Ed25519, and Ed448, can be used for authentication in TLS 1.3. The composite ML-DSA approach is beneficial in deployments where operators seek additional protection against potential breaks or catastrophic bugs in ML-DSA.
The IETF Secretariat
--
Regards,
Alicja (nee Hubert) Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00, Brno, Czech Republic
_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org
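The peer-behaviour question raised in the comments above (what a receiver does when a scheme meant only for certificate signatures shows up in the signature_algorithms extension, or is used in CertificateVerify) can be made concrete with a small implementation. The following is an added example, not code from the thread, the draft, or any TLS library: it parses the TLS 1.3 SignatureScheme list encoding from RFC 8446 and applies the proposed policy, with the extension case treated as the optional ("MAY abort") choice via a `strict` flag and the CertificateVerify case as mandatory. The composite codepoints and names (`MLDSA65_*_PLACEHOLDER`) are hypothetical placeholders and are not the draft's assigned values; the legacy `rsa_pkcs1_*` and `rsa_pss_rsae_*` codepoints are the real RFC 8446 ones.

```python
"""Policy checks for TLS 1.3 signature_algorithms / signature_algorithms_cert
and CertificateVerify, following the behaviour proposed in the thread.
Added example; the composite codepoints below are constructed placeholders."""
import struct

# Real SignatureScheme codepoints from RFC 8446.
RSA_PKCS1_SHA256 = 0x0401
ECDSA_SECP256R1_SHA256 = 0x0403
RSA_PSS_RSAE_SHA256 = 0x0804

# HYPOTHETICAL placeholder codepoints for composite schemes (not the draft's values).
MLDSA65_ECDSA_P256_SHA256_PLACEHOLDER = 0xFE01   # composite without PKCS#1 v1.5
MLDSA65_RSA_PKCS1_SHA256_PLACEHOLDER = 0xFE02    # composite using RSA PKCS#1 v1.5

# Proposed rule from the thread: composite PKCS#1 v1.5 schemes belong only in
# signature_algorithms_cert, never in signature_algorithms.
NOT_IN_SIG_ALGS = {MLDSA65_RSA_PKCS1_SHA256_PLACEHOLDER}

# Schemes that must never sign a CertificateVerify: the composite PKCS#1 v1.5
# placeholder (thread's proposal) plus legacy rsa_pkcs1_* (already forbidden in
# CertificateVerify by RFC 8446, where it is permitted only for certificates).
NOT_IN_CERT_VERIFY = NOT_IN_SIG_ALGS | {RSA_PKCS1_SHA256}


def encode_scheme_list(schemes: list[int]) -> bytes:
    """SignatureScheme supported_signature_algorithms<2..2^16-2>:
    a 2-byte length prefix followed by 2-byte codepoints."""
    body = b"".join(struct.pack("!H", s) for s in schemes)
    return struct.pack("!H", len(body)) + body


def parse_scheme_list(data: bytes) -> list[int]:
    """Decode the extension body; raise ValueError on any malformed encoding."""
    if len(data) < 2:
        raise ValueError("truncated length field")
    (length,) = struct.unpack("!H", data[:2])
    body = data[2:]
    if length != len(body) or length < 2 or length % 2:
        raise ValueError("malformed SignatureScheme list")
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(0, length, 2)]


def is_well_formed(data: bytes) -> bool:
    """Convenience wrapper around parse_scheme_list for callers that want a bool."""
    try:
        parse_scheme_list(data)
        return True
    except ValueError:
        return False


def check_signature_algorithms(ext_body: bytes, strict: bool = True) -> tuple[str, list[int]]:
    """Receiver of a ClientHello / CertificateRequest signature_algorithms extension.
    strict=True implements the "MAY abort with illegal_parameter" option; with
    strict=False the offending schemes are silently dropped instead.
    Returns ("ok", usable_schemes) or ("illegal_parameter", offending_schemes)."""
    schemes = parse_scheme_list(ext_body)
    offending = [s for s in schemes if s in NOT_IN_SIG_ALGS]
    if offending and strict:
        return ("illegal_parameter", offending)
    return ("ok", [s for s in schemes if s not in NOT_IN_SIG_ALGS])


def check_signature_algorithms_cert(ext_body: bytes) -> tuple[str, list[int]]:
    """Receiver of signature_algorithms_cert: cert-only schemes are exactly what
    this extension is for, so every well-formed entry is accepted."""
    return ("ok", parse_scheme_list(ext_body))


def check_certificate_verify(scheme: int) -> str:
    """Receiver of CertificateVerify: the thread proposes a mandatory abort here."""
    return "illegal_parameter" if scheme in NOT_IN_CERT_VERIFY else "ok"


if __name__ == "__main__":
    # Constructed sample: a peer lists a PKCS#1 v1.5 composite in signature_algorithms.
    ext = encode_scheme_list([RSA_PSS_RSAE_SHA256, MLDSA65_RSA_PKCS1_SHA256_PLACEHOLDER])
    print(check_signature_algorithms(ext, strict=True))
    print(check_signature_algorithms(ext, strict=False))
    print(check_certificate_verify(MLDSA65_RSA_PKCS1_SHA256_PLACEHOLDER))
```

The same parser serves both extensions; only the policy sets differ, which is why the thread's suggestion of an IANA column marking cert-only schemes would map directly onto `NOT_IN_SIG_ALGS` rather than being hard-coded per implementation.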