Return-Path: X-Original-To: openpgp@ietfa.amsl.com Delivered-To: openpgp@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E8FD3C1D52EA for ; Tue, 22 Oct 2024 22:47:22 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.105 X-Spam-Level: X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=wussler.it Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wQO2JuiqGa6c for ; Tue, 22 Oct 2024 22:47:17 -0700 (PDT) Received: from mail-40136.proton.ch (mail-40136.proton.ch [185.70.40.136]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 86746C18DB82 for ; Tue, 22 Oct 2024 22:47:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wussler.it; s=protonmail; t=1729662433; x=1729921633; bh=cMeatESgO3gTshH+tsOfXtniwDE0h9K6ny4b7BwMhtQ=; h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID:BIMI-Selector; b=J5HyWw74AQEscfCRHD9ndTNDOQLbrP0Q6oahkctXZMvb2BWxa5q2oXUsfHMYk5T9X rX/ZmCQz5Ux4tUKCP+n/pL4XbfiTfMhvMtK3k7PY0sZYA7x7COJeuNdFmWPq4P2JFN tnLLWqUjj4+4Rlpc8dVSSBPhhdDAXYSvz4fkwvaec+ffxgrhSlNxVmu9BMuP95JqxA 539G+heVxHOgW1aTY43LGQWFJB+N/1QyLKhQIUwBAQntHGXE+kaL0WUX3DsY9oDYkQ wUVfRQDpbGE3X+DntI93VaBNkeYHUd1BnyjFOkmz8/avm8ushyn3xh1lxZrUNxtu/x xww3mKqa/cBIg== Date: Wed, 23 Oct 2024 05:47:09 +0000 To: Simo Sorce From: Aron Wussler Message-ID: In-Reply-To: References: <172952468697.1996193.18317768871302868182@dt-datatracker-78dc5ccf94-w8wgc> Feedback-ID: 10883271:user:proton X-Pm-Message-ID: 14cae346b1bace26d8d6b2cc14d61498e02141cf MIME-Version: 1.0 Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg=pgp-sha512; boundary="------9ba9fbbfd8ee31ef32beaccdb93418243c66af76cbd90453e8fa40a261047f4d"; charset=utf-8 Message-ID-Hash: PVSMYZWETRYIIVTLFWJ55Y3WX7Q7NKUG X-Message-ID-Hash: PVSMYZWETRYIIVTLFWJ55Y3WX7Q7NKUG X-MailFrom: aron@wussler.it X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-openpgp.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: "openpgp@ietf.org" X-Mailman-Version: 3.3.9rc6 Precedence: list Subject: =?utf-8?q?=5Bopenpgp=5D_Re=3A_Fw=3A_New_Version_Notification_for_draft-ietf-?= =?utf-8?q?openpgp-pqc-05=2Etxt?= List-Id: "Ongoing discussion of OpenPGP issues." Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --------9ba9fbbfd8ee31ef32beaccdb93418243c66af76cbd90453e8fa40a261047f4d Content-Type: multipart/mixed;boundary=---------------------52b1e0247a3440891236ede86498c539 -----------------------52b1e0247a3440891236ede86498c539 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain;charset=utf-8 Hi Simo, Thank you for having a look :) Since version 03, we moved the NIST and Brainpool curves to a different sp= ecification [1] to make this draft less controversial and slimmer. I understand your concern with HW modules, and given that additional codep= oints can be standardized with expert review (no need for an RFC), I feel = like the split draft approach caters to everyone, without slowing the main= draft down. As a side note, the KEM proposed in this draft should be FIPS certifiable:= FIPS 203 is now out, and the key derivation / combination can be seen as = an SP 800-108 derivation of the resulting secret. The CNSA 2.0 guideline d= oes not require hybrids. Cheers, Aron [1] https://github.com/openpgp-pqc/draft-ehlen-openpgp-nist-bp-comp/tree/m= ain -- Aron Wussler Sent with ProtonMail, OpenPGP key 0x7E6761563EFE3930 On Tuesday, 22 October 2024 at 22:49, Simo Sorce wrote: > On Tue, 2024-10-22 at 16:42 -0400, Simo Sorce wrote: > = > > Hi Aaron, > > = > > great work on the update! > > = > > That said I have to ask is there is apce for adding NIST ECC curves > > here. > > = > > While Ed25519/Ed448 have been recently approved for use in FIPS module= s > > via revision 5 of FIPS-186 there is yet no approval for the use of > > X25519/X448 as SP 800-56A has not been extended to cover them. > > = > > It would be useful if at least one KEM option would be defined using > > NIST curves for the classic algorithm part. > > = > > Ideally bot KEM and Signatures can use the classic NIST approved > > curves, as adding an Edwards curve implementation to existing modules > > may not be trivial and time would be better spent properly implementin= g > > ML-DSA and ML-KEM while reusing a proven and hardened P256/P384/P521 > > implementation for the classic part. > > = > > I understand the desire to avoid too many combinations, but a standard > > should also look at the practicalities of deployment IMHO. > > = > > HTH, > > Simo. > = > = > That 'apce' above is a typo for "space" ... sigh. > = > And I forgot to add that if classic NIST curves where available, then > existing and certified HW tokens that implement those curves could be > used in conjunction with a non certified software implementation of ML- > KEM and ML-DSA resulting still in a FIPS compliant tool as for KEM > combiner the PQ part is just seen as additional data and does not > "break" FIPS compliance, while for Signatures the certified signature > function is sufficient to claim a compliant verification is done. > = > This means existing tokens could be used while we wait for new ones > that can provide certified ML-KEM and ML-DSA implementations. > = > Simo. > = > -- > Simo Sorce > Distinguished Engineer > RHEL Crypto Team > Red Hat, Inc > = > _______________________________________________ > openpgp mailing list -- openpgp@ietf.org > To unsubscribe send an email to openpgp-leave@ietf.org -----------------------52b1e0247a3440891236ede86498c539-- --------9ba9fbbfd8ee31ef32beaccdb93418243c66af76cbd90453e8fa40a261047f4d Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: ProtonMail wrsEARYKAG0FgmcYjdIJkH5nYVY+/jkwRRQAAAAAABwAIHNhbHRAbm90YXRp b25zLm9wZW5wZ3Bqcy5vcmchLGd57K5KJ4FVELMO5/qM34MFFV5ejYUxSpRH yqkM9RYhBIuVslFfa7tqthSdVX5nYVY+/jkwAAAQzAD/UKAZTo2GgG8Fbt1H invqoTYP7ys/w74x5NcuUDTXLugBAP1i54NuEXNVv/XfhxBF+dCNcm8Cy/FJ Oj2Oi/GTrvYM =tJu0 -----END PGP SIGNATURE----- --------9ba9fbbfd8ee31ef32beaccdb93418243c66af76cbd90453e8fa40a261047f4d--