Hi all! To clarify, my draft I linked to (and future profiles) are instantiations of the CNSA 2.0 advisory and FAQ as it applies to specific protocols relevant to NSS; specifically, the drafts document how we expect vendors to configure protocols in a CNSA 2.0 compliant way.

Cheers,
Alie

----
Alison Becker, PhD
Center for Cybersecurity Standards (CCSS)
National Security Agency (NSA)

________________________________
From: Salz, Rich <rs...@akamai.com>
Sent: Wednesday, November 20, 2024 10:00 AM
To: Deirdre Connolly <durumcrustu...@gmail.com>; Alison Becker (GOV) <aebe...@uwe.nsa.gov>
Cc: TLS@ietf.org <tls@ietf.org>
Subject: Re: [TLS] Re: ML-DSA in TLS

> In other words, does CNSA 2.0 tolerate ECC, by effectively ignoring its
> presence, or not?

From https://www.ietf.org/archive/id/draft-becker-cnsa2-tls-profile-00.html:

"In order to meet the goal of a consistent security level for the entire cipher suite, CNSA TLS implementations MUST only use the algorithms listed in this document."

That's ML-KEM-1024 and ML-DSA-87 only.

It would be better if that statement were in the official CNSA document [1], such as a FAQ or something, and not in an IETF document submitted by an individual. For example, in the CNSA 2.0 FAQ [2] there is a section on “Hybrids” which gives a subtly different opinion.

Taken together, my answer to Andrey is “it seems to, yes”

Perhaps we can get official clarification?

[1] https://media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF
[2] FAQ https://media.defense.gov/2022/Sep/07/2003071836/-1/-1/1/CSI_CNSA_2.0_FAQ_.PDF

_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org