[TLS] Re: RFCs on weakened crypto are not fixed by warnings
Bas Westerbaan <bas@cloudflare.com> Thu, 09 April 2026 12:28 UTC
From: Bas Westerbaan <bas@cloudflare.com>
Date: Thu, 09 Apr 2026 14:27:51 +0200
To: Peter Gutmann <pgut001=40cs.auckland.ac.nz@dmarc.ietf.org>
CC: "tls@ietf.org" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/BmnVk0aLdW5bbwB8lePpd2bvZEw>

4M is a steal for a WebPKI CA private key.

On Thu, Apr 9, 2026 at 2:13 PM Peter Gutmann <pgut001=40cs.auckland.ac.nz@dmarc.ietf.org> wrote:

> Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de> writes:
>
> >I am asking because to my knowledge, the formal (vs. cryptographic/
> >computational) analyses consider that all ECC keys are leaked on the advent
> >of CRQC and essentially model it as a switch to leak all ECC keys
>
> All ECC keys are leaked *eventually*. Like, by the heat death of the
> universe. Virtually no-one ever gives any estimate of the time and effort
> involved in recovering a key via physics experiment because doing so makes
> things look kinda bad. One of the few figures we have is from the German BSI
> which estimates 100 days and EUR 4M in electricity to recover a single
> 2048-bit key on an imagined physics experiment. So a single quantum physics
> experiment can recover just over three keys a year at a cost of over EUR 12M.
>
> In 2017, 7 trillion keys were negotiated for web traffic alone (it's probably
> a lot higher now). So that leaves 6,999,999,999,997 keys unrecoverable, and
> that's ignoring the fact that the estimate was for the IFP, which is
> irrelevant, not the DLP, which is the one of interest for IPsec, TLS, SSH,
> WireGuard, etc.
>
> Peter.
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-leave@ietf.org