On Mon, Nov 18, 2024 at 6:07 PM Deirdre Connolly <durumcrustu...@gmail.com>
wrote:

> The CNSA 2.0 FAQ states, "Do not use a hybrid or other non-standardized QR
> solution on NSS mission systems except for those exceptions NSA
> specifically recommends to meet standardization or interoperability
> requirements", and, "because NSA is confident that CNSA 2.0 algorithms will
> sufficiently protect NSS, it does not require a hybrid solution for
> security purposes." They specifically cite IKEv2 as a hybrid exception.
>
>
> https://media.defense.gov/2022/Sep/07/2003071836/-1/-1/0/CSI_CNSA_2.0_FAQ_.PDF
>
> On Mon, Nov 18, 2024, 8:37 PM Andrey Jivsov <cry...@brainhub.org> wrote:
>
>>> The reality is that we have very tight deadlines from CNSA2.0, with
>>> customers actively asking for post-quantum support. For those for whom
>>> those requirements apply, use of ML-DSA is not only uncontroversial, but
>>> mandatory.
>>
>>
>> CNSA 2.0, as clarified in a recent FAQ, does not prohibit ML-DSA+ECC.
>>
>>
It is the strongest quote from NSA, but I read it as not a clear
prohibition of ECC, and the adjacent text elaborates that the main concern
is complexity.

The CNSA 2.0 reads:

"Even though hybrid solutions may be allowed or required due to protocol
standards, product availability, or interoperability requirements, CNSA 2.0
algorithms will become mandatory to select at the given date, and selecting
CNSA 1.0 algorithms alone will no longer be approved."

So, if TLS offers ML-DSA+ECC as the only option with ML-DSA, selecting it
seems to meet CNSA 2.0, by focusing on the argument that this is the ML-DSA
choice, and the ECC part does not count.
_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org