Re: [Curdle] New Version Notification for draft-kampanakis-curdle-pq-ssh-00.txt

Hubert Kario <> Thu, 22 October 2020 09:32 UTC

From: Hubert Kario <>
To: <>
Date: Thu, 22 Oct 2020 11:32:32 +0200
Organization: Red Hat

On Wednesday, 21 October 2020 20:49:50 CEST, Panos Kampanakis (pkampana) 
> Hi all,
> This draft introduces post-quantum (PQ) algorithms to SSH. It includes Hybrid
> Key exchange messages for SSH and hybrid key exchange and PQ signature
> methods.
> Note that we do not want to standardize anything before NIST has standardized
> the first PQ algorithms. We are following a similar approach to what the TLS
> WG is doing with .
> They will not ratify the draft before NIST's PQ Round 3 has concluded (in 18
> months or so) so they can pick an algorithm.
> draft-kampanakis-curdle-pq-ssh takes a different approach from
> draft-kario-gss-qr-kex which was submitted recently. Basically

Like I said in my follow-up email, I don't consider my proposal to be the
"be-all and end-all", but rather something that we can quickly throw together
and be reasonably certain it will stand the test of time.

For one, the use of GSS-API in my proposal imposes serious limitations on

At the same time, we will need a GSS-API counterpart once we have an
accepted PQ kex.

> I feel that a new SSH draft would definitely not be ratified in less than 2
> years, so there ample time to work on the details and come up with the actual
> SSH PQ identifiers after NIST has the first standardized algorithms.
> Note that the industry has done experimental work with SSH performance with PQ
> algorithms (using OQS OpenSSH). Some preliminary results of ours are here
> and a conference paper will be published in December with more detailed
> results. So, we kind of know which algorithms seem more promising from NIST's
> Round 3 algorithm Finalists. In other words, we can start the work now,
> instead of waiting for NIST Round 3 to conclude.
> I know PQ algorithms in SSH are not in CURDLE's Charter right now, so this
> work may require re-chartering if the WG thought it worth pursuing.

One of the problems is that I don't think we have a clear frontrunner in the
NIST competition (that makes interoperability tests more complex, for one).

That being said, I'm for having a draft like this published exactly for
voiced by Denis Bider

> Thoughts welcome.
> Rgs,
> Panos
> -----Original Message-----
> From: <>
> Sent: Wednesday, October 21, 2020 1:57 PM
> To: Douglas Stebila <>; Panos Kampanakis (pkampana)
> <>; Dimitrios Sikeridis <>; Douglas Stebila
> <>; Markus Friedl <>; Torben Hansen
> <>
> Subject: New Version Notification for draft-kampanakis-curdle-pq-ssh-00.txt
> A new version of I-D, draft-kampanakis-curdle-pq-ssh-00.txt
> has been successfully submitted by Panos Kampanakis and posted to the IETF 
> repository.
> Name:		draft-kampanakis-curdle-pq-ssh
> Revision:	00
> Title:		Post-quantum public key algorithms for the Secure Shell 
> (SSH) protocol
> Document date:	2020-10-21
> Group:		Individual Submission
> Pages:		13
> URL: 
> Status: 
> Html: 
> Htmlized:       
> Abstract:
>    This document defines hybrid key exchange methods based on classical
>    ECDH key exchange and post-quantum key encapsulation schemes.  These
>    methods are defined for use in the SSH Transport Layer Protocol.  It
>    also defines post-quantum public key authentication methods based on
>    post-quantum signature schemes.  These methods are defined for use in
>    the SSH Authentication Protocol.
> Note
>    EDNOTE: The goal of this draft is to start the standardization of PQ
>    algorithms in SSH early to mitigate the potential record-and-harvest
>    attacks that are completed later with a quantum computer.  This draft
>    is not expected to be finalized before the NIST PQ Project has
>    standardized PQ algorithms.  After NIST has standardized, this document
>    will replace TBD1, TBD3 with the appropriate algorithms and parameters
>    before proceeding to ratification.
>    EDNOTE: Discussion of this work is encouraged to happen on the IETF
>    WG Mailing List or in the GitHub repository which contains the draft:
> .
>    *Change Log* [EDNOTE: Remove before publication].
>    draft-kampanakis-curdle-pq-ssh-00
>       *  Initial draft
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at
> The IETF Secretariat

Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic
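The abstract quoted above describes hybrid key exchange: a classical ECDH exchange run alongside a post-quantum KEM, so the session secret stays safe unless both are broken. The Go program below is an added example written for this page; it is not code from the draft, from OQS OpenSSH, or from either poster. It assumes the two-message shape in which the client sends its ECDH ephemeral key together with a KEM public key and the server replies with its own ECDH ephemeral key and a KEM ciphertext, and it assumes the combiner K = H(K_CL || K_PQ); those are assumptions for the example, not a claim about the draft's exact message encoding. Because the draft leaves the PQ algorithm as TBD1, the KEM slot is filled with a stand-in KEM built from X25519 (so the example depends only on crypto/ecdh); it has a KEM's encapsulate/decapsulate shape but is not post-quantum.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
)

var curve = ecdh.X25519()

// newKey draws a fresh X25519 key; crypto/rand failing is unrecoverable.
func newKey() *ecdh.PrivateKey {
	k, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// Stand-in for the PQ KEM (TBD1 in the draft): built from X25519 so the
// example needs only the standard library. Same encaps/decaps shape as a
// KEM, but NOT post-quantum.
// KemEncap returns a ciphertext (an ephemeral public key) and the shared
// secret for the holder of pk.
func KemEncap(pk *ecdh.PublicKey) (ct, ss []byte, err error) {
	eph := newKey()
	// ECDH rejects a low-order peer point (all-zero output); a hybrid
	// scheme must abort here rather than hash over a known secret.
	ss, err = eph.ECDH(pk)
	if err != nil {
		return nil, nil, err
	}
	return eph.PublicKey().Bytes(), ss, nil
}

// KemDecap recovers the shared secret from the ciphertext.
func KemDecap(sk *ecdh.PrivateKey, ct []byte) ([]byte, error) {
	ephPub, err := curve.NewPublicKey(ct)
	if err != nil {
		return nil, err
	}
	return sk.ECDH(ephPub)
}

// CombineSecrets derives K = H(K_CL || K_PQ). Hashing the concatenation is
// the combiner assumed for this example; breaking only one input leaves K
// unpredictable.
func CombineSecrets(kCl, kPq []byte) []byte {
	h := sha256.New()
	h.Write(kCl)
	h.Write(kPq)
	return h.Sum(nil)
}

// HybridExchange runs both parties in-process:
//   client -> server: C_PK1 (ECDH ephemeral) || C_PK2 (KEM public key)
//   server -> client: S_PK1 (ECDH ephemeral) || S_CT2 (KEM ciphertext)
// and returns the secret each side derived so agreement can be checked.
func HybridExchange() (clientK, serverK []byte, err error) {
	// Client, message 1: ephemeral ECDH key and a fresh KEM key pair.
	cEcdh, cKem := newKey(), newKey()
	cPK1, cPK2 := cEcdh.PublicKey().Bytes(), cKem.PublicKey().Bytes()

	// Server: K_CL from C_PK1, K_PQ by encapsulating to C_PK2, then reply.
	sEcdh := newKey()
	cEcdhPub, err := curve.NewPublicKey(cPK1)
	if err != nil {
		return nil, nil, err
	}
	sKcl, err := sEcdh.ECDH(cEcdhPub)
	if err != nil {
		return nil, nil, err
	}
	cKemPub, err := curve.NewPublicKey(cPK2)
	if err != nil {
		return nil, nil, err
	}
	sCT2, sKpq, err := KemEncap(cKemPub)
	if err != nil {
		return nil, nil, err
	}
	sPK1 := sEcdh.PublicKey().Bytes()
	serverK = CombineSecrets(sKcl, sKpq)

	// Client, after receiving S_PK1 || S_CT2.
	sEcdhPub, err := curve.NewPublicKey(sPK1)
	if err != nil {
		return nil, nil, err
	}
	cKcl, err := cEcdh.ECDH(sEcdhPub)
	if err != nil {
		return nil, nil, err
	}
	cKpq, err := KemDecap(cKem, sCT2)
	if err != nil {
		return nil, nil, err
	}
	clientK = CombineSecrets(cKcl, cKpq)
	return clientK, serverK, nil
}
```

The points worth noticing are the two failure paths: a malformed or low-order peer value makes the ECDH step return an error rather than an all-zero secret, and the hybrid derivation only proceeds once both K_CL and K_PQ exist, so neither component can be silently dropped from the hash. Swapping the stand-in KEM for a real PQ KEM changes only KemEncap and KemDecap.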