[TLS] Re: ML-DSA in TLS
Andrey Jivsov <crypto@brainhub.org> Tue, 19 November 2024 02:51 UTC
From: Andrey Jivsov <crypto@brainhub.org>
Date: Mon, 18 Nov 2024 18:51:04 -0800
To: Deirdre Connolly <durumcrustulum@gmail.com>
CC: "D. J. Bernstein" <djb@cr.yp.to>, "TLS@ietf.org" <tls@ietf.org>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/X6mj2s-n4dcjXSXA84c6H15D3dc>

On Mon, Nov 18, 2024 at 6:07 PM Deirdre Connolly <durumcrustulum@gmail.com> wrote:

> The CNSA 2.0 FAQ states, "Do not use a hybrid or other non-standardized QR
> solution on NSS mission systems except for those exceptions NSA
> specifically recommends to meet standardization or interoperability
> requirements", and, "because NSA is confident that CNSA 2.0 algorithms will
> sufficiently protect NSS, it does not require a hybrid solution for
> security purposes." They specifically cite IKEv2 as a hybrid exception.
>
> https://media.defense.gov/2022/Sep/07/2003071836/-1/-1/0/CSI_CNSA_2.0_FAQ_.PDF
>
> On Mon, Nov 18, 2024, 8:37 PM Andrey Jivsov <crypto@brainhub.org> wrote:
>
>>> The reality is that we have very tight deadlines from CNSA2.0, with
>>> customers actively asking for post-quantum support. For those for whom
>>> those requirements apply, use of ML-DSA is not only uncontroversial, but
>>> mandatory.
>>
>> CNSA 2.0, as clarified in a recent FAQ, does not prohibit ML-DSA+ECC.

It is the strongest quote from NSA, but I read it as not a clear prohibition of ECC, and the adjacent text elaborates that the main concern is complexity.

The CNSA 2.0 reads: "Even though hybrid solutions may be allowed or required due to protocol standards, product availability, or interoperability requirements, CNSA 2.0 algorithms will become mandatory to select at the given date, and selecting CNSA 1.0 algorithms alone will no longer be approved."

So, if TLS offers ML-DSA+ECC as the only option with ML-DSA, selecting it seems to meet CNSA 2.0, by focusing on the argument that this is the ML-DSA choice, and the ECC part does not count.