On Thu, Apr 17, 2025 at 02:35:19PM -0700, Benjamin Kaduk wrote:
> [trimming heavily since the text/plain component is made of lies and I don't
> want to misattribute nested quotes]

Yeah, if you're using a text-based MUA HTML gets painful.

> On Thu, Apr 17, 2025 at 09:17:29PM +0000, Blumenthal, Uri - 0553 - MITLL
> wrote:
> >
> > There's maintenance of the code for both parts of the KEM and ensuring
> > they're properly integrated, maintenance of parallel PKI structures, need
> > to allocate the costs for two moves [1] instead of one which already makes
> > some users argue (which can be a royal pain in a large deployment), likely
> > many other things I'm too lazy to concentrate on now (besides, there's
> > that feeling that I don't need to convince "my" clientele at all, and
> > there's little chance to convince this audience anyway, which dampens the
> > eagerness to strive).
>
> Thanks for writing up this list.
>
> Just to check my understanding: the PKI only comes into play for signatures,
> and there is no PKI needed for ephemeral key exchange as is used in TLS 1.3?

[Not-Uri] Correct.

> (For the specific case of ephemeral key exchange in TLS 1.3, it seems that the
> "move" is just a software update, albeit one that needs heavy testing and in
> your environment qualification.)

ISTM that a hybrid should add very little extra code compared to the ECC and
ML code. I'm unconcerned with the maintenance cost of that.

There's not "two moves". You just keep deploying TLS stack updates and
eventually when we're all happy with pure PQ we just stop using ECC and the
hybrids.

There's no PKI work needed for key exchange.

Now for hybrid signature schemes for PKI... it's not too dissimilar. The
biggest hurdle when it comes to PKI is that the installed base of relying
parties has to implement the new signature schemes before you can really use
them, though of course protocols can always negotiate support and the
supplicant can pick from multiple certificates to present to the RP.
Basically you have a longer tail to deprecate older signature algorithms when
it comes to PKI, but that's not fatal.

And yes, you'd need "parallel PKI structures", but that's mainly a problem
for the CAs and the CA/Browser forum, not for everyone else, not for the
relying parties, and it's not a big problem.

Nico
--

_______________________________________________
TLS mailing list -- tls@ietf.org
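The point made above, that a hybrid key exchange is the two component KEMs plus a thin combiner and that dropping ECC later is a configuration change rather than a second migration, is easier to see in code. The following is an added example, not code from this thread or from any TLS implementation. Both components are toy Diffie-Hellman KEMs over constructed, insecure groups standing in for X25519 and ML-KEM (there is no ML-KEM in the Python standard library); the combiner (concatenate public keys and ciphertexts, concatenate the component shared secrets, derive a key from them) is an assumed design modelled on the TLS hybrid drafts, not a normative description of any codepoint. The group names `classical`, `hybrid` and `pure-pq` and the function `handshake` are invented for the example.

```python
"""Added example: a hybrid KEM as a composition of component KEMs.

Illustrates that the hybrid is the ECC and PQ parts plus a small combiner, and
that "pure PQ" is the same code with one component removed from the group list.
Toy DH groups stand in for X25519 and ML-KEM; they are NOT secure parameters.
"""
import hashlib
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class DHKem:
    """Minimal KEM interface (keygen / encaps / decaps) over a toy DH group."""
    name: str
    p: int   # modulus: constructed Mersenne prime, toy size only
    g: int   # generator

    @property
    def elem_len(self) -> int:
        # Fixed-width encoding so public keys and ciphertexts can be split again.
        return (self.p.bit_length() + 7) // 8

    def _enc(self, x: int) -> bytes:
        return x.to_bytes(self.elem_len, "big")

    def keygen(self):
        sk = secrets.randbelow(self.p - 3) + 2
        return self._enc(pow(self.g, sk, self.p)), sk

    def encaps(self, pk: bytes):
        r = secrets.randbelow(self.p - 3) + 2
        ct = self._enc(pow(self.g, r, self.p))
        ss = self._enc(pow(int.from_bytes(pk, "big"), r, self.p))
        return ct, ss

    def decaps(self, sk: int, ct: bytes) -> bytes:
        return self._enc(pow(int.from_bytes(ct, "big"), sk, self.p))


class HybridKem:
    """Generic combiner: the same code serves one component (pure ECC or pure
    PQ) or several.  Public keys and ciphertexts are concatenations of the
    component values; the key is derived from the concatenated secrets."""

    def __init__(self, *components: DHKem):
        self.components = components
        self.name = "+".join(c.name for c in components)

    def keygen(self):
        parts = [c.keygen() for c in self.components]
        return b"".join(pk for pk, _ in parts), [sk for _, sk in parts]

    def _split(self, blob: bytes):
        off = 0
        for c in self.components:
            yield c, blob[off:off + c.elem_len]
            off += c.elem_len
        if off != len(blob):
            raise ValueError("malformed key share / ciphertext length")

    def encaps(self, pk: bytes):
        cts, sss = [], []
        for c, part in self._split(pk):
            ct, ss = c.encaps(part)
            cts.append(ct)
            sss.append(ss)
        return b"".join(cts), self._derive(sss)

    def decaps(self, sks, ct: bytes) -> bytes:
        sss = [c.decaps(sk, part) for (c, part), sk in zip(self._split(ct), sks)]
        return self._derive(sss)

    def _derive(self, sss) -> bytes:
        # Stand-in for the TLS key schedule: the concatenated component
        # secrets are the input keying material (assumed combiner).
        return hashlib.sha256(self.name.encode() + b"".join(sss)).digest()


# Constructed toy groups (Mersenne primes; far too small for real security).
ECC_STANDIN = DHKem("toy-ecc", p=2**127 - 1, g=3)
PQ_STANDIN = DHKem("toy-pq", p=2**521 - 1, g=5)

# Migration is a change to this table, not to the KEM code:
# deploy "hybrid", later remove "classical", eventually keep only "pure-pq".
GROUPS = {
    "classical": HybridKem(ECC_STANDIN),
    "hybrid": HybridKem(ECC_STANDIN, PQ_STANDIN),
    "pure-pq": HybridKem(PQ_STANDIN),
}


def handshake(group: str):
    """One ephemeral exchange in TLS 1.3 style: the client's key_share carries
    the KEM public key, the server's key_share carries the ciphertext.
    Returns (client_secret, server_secret, client_key_share_length)."""
    kem = GROUPS[group]
    client_share, client_sks = kem.keygen()
    server_share, server_secret = kem.encaps(client_share)
    client_secret = kem.decaps(client_sks, server_share)
    return client_secret, server_secret, len(client_share)


if __name__ == "__main__":
    for name in GROUPS:
        c, s, n = handshake(name)
        print(f"{name:10} key_share={n:3d} bytes  agree={c == s}")
```

The combiner is the only hybrid-specific code; everything else is the two component KEMs, which a stack needs anyway. Note the length check in `_split`: a hybrid key share that is not exactly the sum of the component lengths is rejected rather than silently truncated, which is the one new parsing hazard the combiner introduces.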