IETF Logo Mail Archive

[TLS] Re: WG Adoption Call for Use of SLH-DSA in TLS 1.3

Watson Ladd <watsonbladd@gmail.com> Tue, 27 May 2025 18:27 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 8E2022D76CA6 for <tls@mail2.ietf.org>; Tue, 27 May 2025 11:27:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CsseLP6QV41b for <tls@mail2.ietf.org>; Tue, 27 May 2025 11:27:30 -0700 (PDT)
Received: from mail-wr1-x430.google.com (mail-wr1-x430.google.com [IPv6:2a00:1450:4864:20::430]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 3BCC82D76C8C for <tls@ietf.org>; Tue, 27 May 2025 11:27:30 -0700 (PDT)
Received: by mail-wr1-x430.google.com with SMTP id ffacd0b85a97d-3a361b8a66cso2466870f8f.2 for <tls@ietf.org>; Tue, 27 May 2025 11:27:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1748370449; x=1748975249; darn=ietf.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=GAe463rNxO8nL+fQbSTqbBX4HZQabtfXBJsFKubOiMI=; b=OF/uv968zRqALr9nEcbZjGoA8lKhC5Rsus/KiLyHTqYRimQcyhRtBRLgwLobfp1Bfg POVdo/ttZZuTbkB5rA5daPr+DjBoOfOw1xiQeM6Wo64jMoXxF6qzSzYSslKfR8qJi2yF tOL4MP5+J/yd66eazCkwY3R0J1mpJboDapTmuCADqoLZK645Q46FFF2URq3Egrx905QA aZvOtMIAd3Rx8Fm6mWbjol6f6sXA1vCij9SjMRprEQ6UUubz1XSMIfqZohnW7woc2iRm 93ypod1nR0uElzYov1c97J0vJeZaZFQ6uEHYf+5kdbx+YQeExpqnkPwh26YOikuKkwDc ec1A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1748370449; x=1748975249; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=GAe463rNxO8nL+fQbSTqbBX4HZQabtfXBJsFKubOiMI=; b=v6boCbe8FNT1AMe3ztFnZieGsnzbOitDkAGJOxox+syj9an2Xi+nfegkXHp2NBjbqQ eEJ/xYfjEQdJuLkKdtrTrAWoQt9ESnrDVWMyhyTmJGAZBQHJOyehC36Sy8/SPfTwFeOr 9yBfG+pDdw1+CFOlqzMknqt9KVx5CwipUe/FHPM+k6zl/8wh+M9qqGu8yPjMaQlSQasf 4TZVcBgSSyt1sS40b3s8LEPciYwtrWYW0PZBv6xjqLs+qRl0rPZKyQY+pTFpPmB5q1/c d2KA9eLjUvdnM566HATZPbep/Peiz647rMTUnmm1FS8QW02PRRBI9ahoa26VgbTsaS88 4l9g==
X-Forwarded-Encrypted: i=1; AJvYcCV5VjE2Jg5hEl0jwwJ9QulAIat+rf9rW1ZbTXlWfPYXbhlAadqQc2Nmp08kqC64CZy8fGk=@ietf.org
X-Gm-Message-State: AOJu0Yyhdjx4p0snA/OBsh6eveEL3QgfmLGW0sfAjNyFXFkovKciV/4k XbeZ6nZpzbvfmezqpVAFCq0+ZmPsuwGlmWy13GzQULJxxa1RFYmlEO6ZWV74mHvpvQl4BKF+TF4 G1nl9NVQ/xwRcBQvw0TrzLJNG4i16888=
X-Gm-Gg: ASbGncuYA/8jFvUTEY5+R3gEmnjYTbpXpbw3eoijZvJs8kVvqmN1jse+r2HIGUza6b9 u7iEdkRxYTkHrXsMfIEraxr/LFHtpRE2pedEhgdIRQ1JEJMxabFKxu7qDrkr/xoxEfmidcMDYL9 VBCayRmfD3cjCjgNgUNzPzZzh6/aTxTPwT0JdAAyCzcIcv4tm5a6iLQiFiy9EpkA4pVw==
X-Google-Smtp-Source: AGHT+IG0bZkNgslhsY+Egk1CJzqXBYxNm/OaJstBkzUoomjqNahXMcP00gqjEFXRjpADqBDGyMLoqlWQdIfRUF7QOHQ=
X-Received: by 2002:a05:6000:2212:b0:3a4:dcfb:2bde with SMTP id ffacd0b85a97d-3a4dcfb2dd1mr6293802f8f.53.1748370448796; Tue, 27 May 2025 11:27:28 -0700 (PDT)
MIME-Version: 1.0
References: <FAA80303-6B8C-43C8-A4F3-7CBFE708EE6E@sn3rd.com> <b6b8ab20-ef35-4c26-8f9b-bf6dba388de5@betaapp.fastmail.com> <IA1PR17MB64213D1467BDB3A829BE347CCD92A@IA1PR17MB6421.namprd17.prod.outlook.com> <CAKZgXHrjQzwTCM7t7AFL4KVPkFCVN6hgDtti6ZgCR-w6yn6JHg@mail.gmail.com> <CAFpG3gcbaQ9qACC8ih7cnS146F9oShc9J2JVPixAPTrRbEVFLQ@mail.gmail.com> <CACsn0cmRtjxUYbOjtUvGndX5bE3DM5B7uU==7iim_EzDHzzcqw@mail.gmail.com> <CAFpG3gedbNLWdeUrwwir0t0g2UrgJNx603oGT8-RsjA24FMAqA@mail.gmail.com>
In-Reply-To: <CAFpG3gedbNLWdeUrwwir0t0g2UrgJNx603oGT8-RsjA24FMAqA@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Tue, 27 May 2025 11:27:15 -0700
X-Gm-Features: AX0GCFvvg9_rBfbB90G3Edu5T0x77IE9rHdYh76X1f5SvWBjbkigv01hHgGMUTQ
Message-ID: <CACsn0ck67cLf7iprqWi94OM5UdxRQyxoKok34RKG-SYReC05iw@mail.gmail.com>
To: tirumal reddy <kondtir@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: ZDFLS26PP5KSDEOIPQSK5UW5CXDBX7L3
X-Message-ID-Hash: ZDFLS26PP5KSDEOIPQSK5UW5CXDBX7L3
X-MailFrom: watsonbladd@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "<tls@ietf.org>" <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: WG Adoption Call for Use of SLH-DSA in TLS 1.3
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ZcfhD2LEEwzT_hTNx0cPBt3ckaw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

On Sun, May 25, 2025 at 10:55 PM tirumal reddy <kondtir@gmail.com> wrote:
>
> On Wed, 21 May 2025 at 18:14, Watson Ladd <watsonbladd@gmail.com> wrote:
>>
>> On Mon, May 19, 2025 at 2:30 AM tirumal reddy <kondtir@gmail.com> wrote:
>> >
>> > Including TLS WG mailing list.
>> >
>> > Thanks Mike for the feedback. The long-lived TLS connections will undergo periodic re-authentication to check the certificate validity. In a typical 3GPP deployment, the certificate will expire and be replaced with a new certificate with a new key pair well before the SLH-DSA signature limit is approached. For example, if a server certificate is valid for 1 year and each connection re-authenticates every 12 hours, this results in approximately 730 signatures per client connection. Even when scaled to many clients, the total number of signatures generated over the lifetime of a single key remains vastly below the SLH-DSA signature limit
>> >
>> > It is an important security aspect to be discussed in the draft. I will raise PR to address it.
>>
>> What's the actual assumption about the authenticity of the data on
>> that connection?
>>
>>
>> This obviously is dependant on some cryptomania, even if the handshake
>> authentication is in minicrypt, because we don't sign data going over
>> the connection in TLS. So what's the actual gain from SLH-DSA?
>
>
> Mike was referring to the constraint that SLH-DSA imposes a limit of 2⁶⁴ signatures per key. I responded that the draft will address how deployments can remain well below this limit by issuing new certificates with new key pairs before the threshold is reached. The limitation relates specifically to the number of times a key is used to produce signatures in the CertificateVerify message during the TLS handshake and post-handshake authentication.

And I'm taking about assertions that SLH-DSA improves authenticity in
TLS connections for the *data carried over the connection*. It
doesn't.

>
> -Tiru
>
>>
>> >
>> > Cheers,
>> > -Tiru
>> >
>> > On Sat, 17 May 2025 at 19:30, Mike Ounsworth <ounsworth+ietf@gmail.com> wrote:
>> >>
>> >> (my messages are not making it to the list; hoping someone will reply-all to get it on the record)
>> >>
>> >> @Martin, would you object to adoption less if there were fewer algorithms being registered ... like 1 or 2?
>> >>
>> >> @Tiru, @JohnMattsson -- My objection to this draft in its current form is that there is a lack of discussion about that 2^64 signature limit. I am aware of the size of the number "2^64", and that this simply won't be reached in a long-lived TLS connections, but once we allow SLH-DSA in TLS, it's allowed, and Moore's Law scaling over the coming decades could make it conceivable to see 2^64 handshakes on a single key, especially with massive horizontal scaling and CSR key reuse across cert renewals. How do you solve that? Do we require operators to roughly track the number of signatures performed? How? So IMO this draft NEEDS a well-worded Security Consideration about this limit and I want to see at least roughly what that text looks like as part of adoption because to me SLH-DSA is appropriate for TLS if and only if we can find something reasonable to say about this.
>> >>
>> >> On Sat, 17 May 2025 at 07:23, Salz, Rich <rsalz=40akamai.com@dmarc.ietf.org> wrote:
>> >>>
>> >>> So far we’ve heard that 3GPP is considering using this (presumably for thinks like station-to-station, as it were), but they need a stable reference like an RFC. I’d say that “stable reference” is their problem. Do they consider the TLS registries a stable reference?
>> >>>
>> >>> _______________________________________________
>> >>> TLS mailing list -- tls@ietf.org
>> >>> To unsubscribe send an email to tls-leave@ietf.org
>> >
>> > _______________________________________________
>> > TLS mailing list -- tls@ietf.org
>> > To unsubscribe send an email to tls-leave@ietf.org
>>
>>
>>
>> --
>> Astra mortemque praestare gradatim



-- 
Astra mortemque praestare gradatim

v2.38.3 | Report a Bug | By Email | System Status