IETF Logo Mail Archive

[TLS] Re: ML-DSA in TLS

Alicja Kario <hkario@redhat.com> Fri, 25 October 2024 17:14 UTC

Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 82F73C13AE25 for <tls@ietfa.amsl.com>; Fri, 25 Oct 2024 10:14:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.252
X-Spam-Level:
X-Spam-Status: No, score=-2.252 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.148, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhat.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3xGel5f1MGsl for <tls@ietfa.amsl.com>; Fri, 25 Oct 2024 10:14:12 -0700 (PDT)
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2A18EC14F600 for <tls@ietf.org>; Fri, 25 Oct 2024 10:14:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1729876450; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=phU0WS/XKU7r/bpYB7fljEG7Nq453mlgx53sDbgd6ps=; b=G1BiGIUbyZhi9qSZ2yrB6JNwfu71BLcLeWvEFEGbz8skciGzRBnAw8r4H4MmY+gCgO9+Oh n97Hardqr1/4vWg38wxZ3HKZK9Be78LzkZkzTVtPr3bkDoL3MlTFLDBG492CZWnuCRUn6T TVNvRRMFkYYxjP1qTTxUjxUVgqqzAzk=
Received: from mail-lf1-f70.google.com (mail-lf1-f70.google.com [209.85.167.70]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-138-jk06dkZ_OR6ophtiVu8Q1g-1; Fri, 25 Oct 2024 13:14:09 -0400
X-MC-Unique: jk06dkZ_OR6ophtiVu8Q1g-1
Received: by mail-lf1-f70.google.com with SMTP id 2adb3069b0e04-539ea3d778dso1778637e87.1 for <tls@ietf.org>; Fri, 25 Oct 2024 10:14:09 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1729876448; x=1730481248; h=content-transfer-encoding:user-agent:organization:references :in-reply-to:message-id:mime-version:date:subject:cc:to:from :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=6fKeeocZj4UIZAsoQf9HNJ8PDUb8JNDsAuufmJVVlPs=; b=AHc/1Wpo6LoZ3mnbJKRwCeTC2KJf0GV468jCj8gpxruy/ThAQ359MMDgddR1n/B9+8 dIfv7izvDl7AYtNq+bD42D5n/lLuMpuxY8SjtVfeGvVrJ8pw6sDv+vGn87hhEw+vvGyd J91JQBImoBBoC9E4nc8nijGXwUus0L1/QJEn9Lx5gJpk24JNOIDjpNvvV5Bu8sVBHFUA FipZ67wHZeWefuF9byZDaQ2jx8GVk6pVOO+J/xe6+fyb6IiMyRb8D8cGC4MnuMCocTSl vvVIO7h0Gf2DQQuTFYhoWBEAR3Tc4Z8cQ/0cMTzqKV4UWk9kEGfvHWq/yTOXrml86ulc IGvA==
X-Forwarded-Encrypted: i=1; AJvYcCUpbN88rsaeHJdoTGCuFUCkU4TuMt6twQevV/7DddEZM10x6UgrBqIkVVduxmT0EXDDeaI=@ietf.org
X-Gm-Message-State: AOJu0YxgcwMPtEBHBs14DRVLUOZFW6GFeH0OkIDIYOZiVI/F9Ztb0JLi CuE1bQCws6RPc8l1hBOicoZ/5h28kKZ32Z6TqxsgxLDNeoFYFvnHZNsGyVOLyQ0PM0696Ufd62K 0NGb/fXLRP3/QjqN5Z3A5NkKkWfa3JNZC+YuGHhuX
X-Received: by 2002:a05:6512:3a82:b0:539:8b02:8f1d with SMTP id 2adb3069b0e04-53b1a3392bcmr5986010e87.30.1729876447771; Fri, 25 Oct 2024 10:14:07 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IHQt5/TWvJN0gnFkFc6/h2hY4lDLZlJikO8VtltHAWmTzSl+HqYcDjo/VmhjF74Tn8VPZPW0Q==
X-Received: by 2002:a05:6512:3a82:b0:539:8b02:8f1d with SMTP id 2adb3069b0e04-53b1a3392bcmr5985992e87.30.1729876447296; Fri, 25 Oct 2024 10:14:07 -0700 (PDT)
Received: from localhost (nat-pool-brq-u.redhat.com. [213.175.37.12]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-4318b56fbd1sm53885875e9.32.2024.10.25.10.14.07 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 25 Oct 2024 10:14:07 -0700 (PDT)
From: Alicja Kario <hkario@redhat.com>
To: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 25 Oct 2024 19:14:05 +0200
MIME-Version: 1.0
Message-ID: <73e52c46-e921-44a3-8b5d-30814b6d6abf@redhat.com>
In-Reply-To: <CABcZeBMBRgpHawmJStR-prVQWguo1TJPJpXVzQWzysS5RDtLhw@mail.gmail.com>
References: <CAMjbhoUFkL=UT0Pt2xjPLm998=j1ef+wdm0WO14_W7OJDJ-hOg@mail.gmail.com> <bcb2e444-7fc7-477d-b290-77adad4a1630@redhat.com> <GVXPR07MB9678B11440060A8A315ED39B894D2@GVXPR07MB9678.eurprd07.prod.outlook.com> <CABcZeBMAg=r8MfJsJsVLe=bkPwE2e88ETnvop=JjCeHbCdct_w@mail.gmail.com> <CAMjbhoXomCFmfuGO09Pqr-BOdksmgOmVc08-g6niqqvj1k1mdA@mail.gmail.com> <CABcZeBMBRgpHawmJStR-prVQWguo1TJPJpXVzQWzysS5RDtLhw@mail.gmail.com>
Organization: Red Hat
User-Agent: Trojita/0.7-git; Qt/5.15.14; xcb; Linux; Fedora release 39 (Thirty Nine)
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: RX3G4N2H5GEUQDKJVNGDAVBLHRZPRH27
X-Message-ID-Hash: RX3G4N2H5GEUQDKJVNGDAVBLHRZPRH27
X-MailFrom: hkario@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "<tls@ietf.org>" <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: ML-DSA in TLS
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/GRKdpkEg1jEJoqMB0A2H5nkTAO4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

On Friday, 25 October 2024 16:31:17 CEST, Eric Rescorla wrote:
>
>
> On Thu, Oct 24, 2024 at 12:38 AM Bas Westerbaan <bas@cloudflare.com> wrote:
> Today for the WebPKI there is no security benefit to enabling 
> post-quantum certificates (in stark contrast with post-quantum 
> key agreement.) On the other hand, there is a big cost with 
> extra bytes on the wire. As it stands, we do not intend to 
> enable post-quantum certificates by default before the CRQC is 
> near. At that point, there is little value in hybrid 
> certificates. There is value in having post-quantum certificates 
> ready-to-go now (without flipping the switch.) And for that pure 
> ML-DSA makes more sense.
>
> Hi Bas,
>
> I'm not sure I agree with this analysis, but perhaps it depends on
> what you mean by "ready-to-go".
>
> I would think that the natural thing to do here is to get fairly
> widespread deployment of support for PQ certificates but then prefer
> non-PQ certificates. I.e.,
>
> 1. Clients would support both PQ and non-PQ certificates.
> 2. Servers would have both PQ and non-PQ certificates, but would
>    provide the non-PQ certificate if the client supported it.
>
> This would enable clients to decide that the risk from non-PQ was high
> (as you say "the CRQC is near") and disable non-PQ.  Note that it
> doesn't matter whether the server supports non-PQ as well, as the
> security benefit comes from the client refusing it [0]. Do we agree so
> far?
>
> In general, the client is exposed to the union of the risks of
> compromise of the signature algorithms it supports. Thus, in a world
> where the client supports: [ECDSA, ML-DSA], then compromise of either
> algorithm is an issue. By contrast, if the client supports [ECDSA,
> EC-DSA+ML-DSA], then compromise of ML-DSA alone is insufficient to
> result in an attack. This is of course the same logic that leads
> to hybrids for key establishment.
>
> An obvious response here is "if something goes wrong with ML-DSA,
> we'll just turn it off quickly". This is certainly true for browsers,
> but I'm less sure it's true for other systems. If you think that
> it takes a long time to disable algorithms, then it seems like
> that's an argument that hybrid signatures are safer.
>

disabling things is frequently available through user config, we went
through that recently with DSA, enabling things requires support in code
for those new features, that's much more involved

-- 
Regards,
Alicja (nee Hubert) Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00, Brno, Czech Republic

v2.29.0 | Report a Bug | By Email | System Status