I think we ought to consider it our duty to develop guidance for those deploying e.g. TLS now that we're adding a plethora of new ciphersuites, some useful, some way less so, and some possibly even risky.

So, you want a consensus in guidance? What to recommend for what use case? 



> Thus, I don’t think there’s a way to bring these two camps together,
> nor do I see a need for that.



I have no desire to affect the opinions of the sigint agencies who have come up with 100% contradictory positions. It's not them I care about at all, but rather those deploying the set of protocols we develop here.

It is not (just) about SIGINT. IA (Information Assurance) is the other part – in some countries belonging to the same overarching agency, in others – a separate one.



> Let TLS offer both hybrid and pure KEMs. 



For TLS, that's inherent in our current IANA registration model and has already happened.

I’m happy. 😉



> And be done with it. 



My point is that we are not done with it - we should be offering guidance on what to use when. If we do not do that, IMO we'd be doing a disservice to the Internet community.


Again, I’m not optimistic about this. (Not to mention that we aren’t a “beacon of light” that the Internet community at large is looking at for guidance.)

The argument is about risks, with opposing camps assigning different values to 
them. 

The risk areas (as I see them) are: 

1. ML-KEM failing to (new?) Classic attacks (math).
2. Classic algorithms failing to (new?) Classic attacks (math).
3. Classic algorithms failing to CRQC (practical certainty, but the timeline is unknown).
4. ML-KEM failing to CRQC (math).
5. Exploitable implementation bugs in ML-KEM enabling a Classic attack.
6. Exploitable implementation bugs in Classic algorithms enabling a Classic attack.
7. Integration bugs/attack surfaces between Classic and PQ components.

Depending on how one weighs and prioritizes the above risks, the recommendation 
is either to use Hybrid, or Pure. 
For example, I think that the risk of (1) is too small to seriously consider. 
Dan thinks (1) is a much bigger risk. How do you expect us to reach a consensus – me giving up and accepting Dan’s opinion, or vice versa?



_______________________________________________
TLS mailing list -- tls@ietf.org