Re: [TLS] Requesting working group adoption of draft-stebila-tls-hybrid-design

[Stephen Farrell <stephen.farrell@cs.tcd.ie>]

Hiya,

On 12/02/2020 22:57, Blumenthal, Uri - 0553 - MITLL wrote:
> I don't expect you to be knowledgeable about 25+ proposed 
> algorithms.

I didn't mean it was you forcing that on me, but if you
want to give it a shot... :-)

> 
> I expect you to be knowledgeable about the ballpark of the new key 
> sizes that practically all of the candidates use. The shortest keys 
> are in the ballpark of a few KB, and I won't go into the size of the 
> largest ones.

Sorry but my understanding is that there are relatively
complicated combinations involving both performance and
sizes of the various PDUs and stored keys involved. I don't
think it'd be a good plan to specify how to handle that
on the Internet until the details are better known and
understood and the set of possible options is small enough
to be sensibly evaluated in detail. IMO, we're not there
yet. (And I'll bet a beer that even after we have 'em,
each of the "winners" arrives with 5 or so variants;-()

> 
> You may not want to *adopt* them now - but you better be ready to 
> support Key Exchange for sizes far larger than what's currently 
> implemented. And keep in mind that while Signatures aren't a
> priority yet, that will come eventually.

We knew that years ago. The sky hasn't fallen yet. I
doubt it'll fall in the next 12-18 months. In contrast
I would not be at all surprised to find we'd made a
well-meaning mistake in trying to standardise this
stuff in the absence of a broad understanding of the
detail.

Maybe putting it another way might help: my experience
is that the worst work I've done involved such ignorance
and what I think of as the less bad work I've done did
not. Maybe others are better than me at dealing with
"known unknowns" though, though IIRC the circumstances
that lead to that phrase didn't pan out as well as had
been hoped.

And one minor addendum:

On 12/02/2020 23:41, Watson Ladd wrote:
> What's the point of composite schemes after the NIST competition 
> finishes?

SHA-0:-)

Cheers,
S.


> 
> 
> 
> On 2/12/20, 5:50 PM, "Stephen Farrell" <stephen.farrell@cs.tcd.ie> 
> wrote:
> 
> Hiya,
> 
> On 12/02/2020 21:57, Martin Thomson wrote:
>> Only a few of them.  Some are OK, but the number is few, I agree. I
>> haven't found a good summary of the second round candidates and I
>> don't have time to dig into all of the candidates.
> 
> Fine reason to wait and see IMO.
> 
> I'd be much happier adopting this if we did that with the explicit 
> understanding that we won't produce an RFC until the "winners" in
> the NIST process are known and their properties understood. (I don't
> mean waiting for a FIPS or formal NIST document but at least for the
> final announcement from their process.)
> 
> If the plan were to adopt this and produce an RFC now (e.g. to mix 
> different curves or something) then I am against that. There's no 
> need for such combinations so the real rationale here is PQC and we 
> (at least I, but I suspect also many IETF participants) don't know 
> enough about the relevant algorithms yet. (And expecting us to be 
> knowledgeable about 25+ algorithms isn't realistic.)
> 
> Cheers, S.
> 
> 
>