Re: [saag] post-X509 cryptographic identities

[Eric Rescorla <ekr@rtfm.com>]

On Tue, Feb 11, 2020 at 4:34 PM Stephen Farrell <stephen.farrell@cs.tcd.ie>
wrote:

>
> Hiya,
>
> On 12/02/2020 00:02, Eric Rescorla wrote:
> > Well...
> > It's already straightforward to integrate PQ key establishment into TLS
> w/o
> > X.509.
>
> I don't accept "straightforward" fwiw for the reason set
> out at the end.
>

Well, I see what you say at the end, but I don't understand it. In TLS 1.3,
key establishment does not involve the cert, which is used for
authentication. So, it's straightforward to swap in a new key establishment
algorithm and we've already seen a bunch of combined EC/PQ algorithms
(masquerading as new EC curves).



> > It's also possible to do PQ authentication w/ Delegated Keys.
>
> Yes, possibly so. Delegated keys is not IMO a part of x.509
> but kind of extends that a little but is a new model.
> Should such keys become common, that might get interesting.
>

Well, the point being that you can just gradually roll out a new PQ
signature algorithm at the endpoints without touching the PKI.


> if we wanted to add PQ signatures to TLS for the Web, we would do
> > it by defining new algorithms for X.509.
>
> I agree that that is the approach most likely to be the
> initial one considered by those interested in the status
> quo:-)
>

Well, if by "interested in the status quo" you mean "by far the easiest
thing to do with the world as it is", then yes. The key point being that we
are going to have to have X.509 for the indefinite future so some new
parallel thing is extremely expensive.

-Ekr