On Thu, Feb 20, 2025 at 4:39 PM Geoff Huston <g...@apnic.net> wrote:
> > > On 21 Feb 2025, at 11:17 am, Eric Rescorla via dnsdir <dns...@ietf.org> > wrote: > > > > On Thu, Feb 20, 2025 at 3:55 PM Geoff Huston via Datatracker < > nore...@ietf.org> wrote: > >> Reviewer: Geoff Huston >> Review result: Ready with Nits >> >> I was assigned as the dnsdir reviewer for draft-ietf-uta-require-tls13-05. >> For more information about the DNS Directorate, please see >> https://wiki.ietf.org/en/group/dnsdir >> >> NIT: Should the enumeration of the known deficiencies of TLS 1.2 be >> contained >> in the Introduction? The same considerations are described in Section 6, >> and >> their summation in the Introduction seems to be superfluous. >> >> NIT: the assertion in section 3 that "TLS applications will need to >> migrate to >> post-quantum cryptography" is ddependent on the expectation of the >> lifetime of >> the integrity of the encrypted object. The current advice on the >> immediate need >> to use PQC is based on an integrity lifetime of 20 years.I would feel >> better if >> the sentence read "many TLD applications..." >> > > Do you have a source for this 20 year figure? It hasn't figured heavily in > the > discussions in (say) TLS WG. > > More generally, it's very hard to estimate the meaningful lifetime of data > and even hard to measure the meaningful lifetime when a protocol can > carry multiple kinds of data (e.g., HTTP can carry data with effective > lifetime in seconds like MFA codes or decades like medical information). > Can you provide some examples of protocols which you do not think > need to transition to PQ algorithms? > > > Hi ekr > > I felt sure I had read this in a NIST publication a year or more ago, but > I cannot dredge > up the reference (apologies for my crap record keeping!). The gist of the > argument > was that if you want to maintain the integrity of an encrypted item over a > period of > time its not only the capabilities of the current computing environment > that you > need to concern yourself, but the capabilities of the future environment > near the > end of the anticipated integrity lifetime. It was in this context that a > "secret" lifetime > of 20 years was mentioned. > > As for an example of a protocol which makes short-term use of data, I would > nominate DNSSEC. > Thanks for the response. As your message implies, let's break apart the question of integrity and data origin authentication from confidentiality. In my response, I was thinking primarily of confidentiality, where (1) it's hard to bound relevant lifetime and (2) we have to worry about data which is being transmitted today because of harvest now decrypt later attacks, hence the interest in deploying PQ or hybrid for key establishment in the near future. The question of integrity is more complicated and less urgent. As you say, it's quite common not to require long lifetimes for integrity. DNSSEC is a reasonable example, but there are of course others. [0] Note that this isn't so much about what data is being transmitted as what security properties you want. For instance, DNS queries are sensitive information and so I don't think one should infer from the DNSSEC example that the the confidentiality of DoH/DoT has a short lifetime. For that reason, I think given that this document is about the use of TLS, I don't think we should try to draw a lot of domain-specific lines about when long security lifetimes are needed. -Ekr [0] In fact, TLS authentication is like this in some respects: a connection established today is not vulnerable to compromise of the signing key tomorrow. See https://educatedguesswork.org/posts/pq-rollout for more on the threat model for TLS and CRQCs.
_______________________________________________ Uta mailing list -- uta@ietf.org To unsubscribe send an email to uta-le...@ietf.org
