Re: [CFRG] NSA vs. hybrid

["Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>]

While I agree that updating TLS with new KEMs doesn't have to be done at the same time as we update the certificates, I don't believe we want to take too long.

One complication that certificates have over KEMs (in the context of TLS) is that there are more parties involved.  For the KEM, we need to update the client and the server; once we do that, the client will propose the updated postquantum 'groups', the server will accept that proposal and we are good to go.

In contrast, to update the certificate, we also need to get a third party involved (the CA, which needs to issue both the new postquantum certificate root, as well as the postquantum certificate to the servers - there may be even more parties involved, if the RAs are run by separate entities).  Because there are more parties involved that all need to be upgraded before we're protected, we can expect the timeframes to take longer.

Hence, even though postquantum authentication might appear to be a less urgent need, the task of upgrading could plausibly be expected to take longer.

-----Original Message-----
From: CFRG <cfrg-bounces@irtf.org> On Behalf Of Stephen Farrell
Sent: Saturday, November 13, 2021 9:57 AM
To: cfrg@irtf.org
Subject: Re: [CFRG] NSA vs. hybrid


Hiya,

I think I'm in general agreement with djb on this. One note though...

On 13/11/2021 13:53, D. J. Bernstein wrote:
> I agree that certificate validation is a mess.

For protocols like TLS (likely to remain the most important for quite a while) I don't think we need care about changes to the web PKI for a much longer while. Maybe we should add some PQC algorithm into some TLS handshakes soon, but there is no need to change the PKI for that in the same timeframe.

In general, I'd be for slowing down much of this transition stuff, and having CFRG opine to that effect might be a good thing.

Cheers,
S.