Re: [TLS] I-D: TLS += Kerberos (provides Quantum Relief for DH)
Rick van Rein <rick@openfortress.nl> Wed, 26 February 2020 09:41 UTC
Return-Path: <rick@openfortress.nl>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 589A23A119C for <tls@ietfa.amsl.com>; Wed, 26 Feb 2020 01:41:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=openfortress.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5LmfJoi7o06x for <tls@ietfa.amsl.com>; Wed, 26 Feb 2020 01:41:19 -0800 (PST)
Received: from lb2-smtp-cloud8.xs4all.net (lb2-smtp-cloud8.xs4all.net [194.109.24.25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6D8A03A1199 for <tls@ietf.org>; Wed, 26 Feb 2020 01:41:18 -0800 (PST)
Received: from popmini.vanrein.org ([83.161.146.46]) by smtp-cloud8.xs4all.net with ESMTP id 6tBqjHRYVPKvK6tBrjs3S0; Wed, 26 Feb 2020 10:41:16 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=openfortress.nl; i=rick@openfortress.nl; q=dns/txt; s=fame; t=1582710065; h=message-id : date : from : mime-version : to : cc : subject : references : in-reply-to : content-type : content-transfer-encoding : date : from : subject; bh=Lh/XYtu6FrMwjZTqcYlUJwAgZCBf35A0trERzLUYFPQ=; b=aVQt983uOIz3LCgiaEqVeKMbx9RQgcfHR3aVv5rDkMXZgtDQvdbyBC06 o4qzytPg6jiCxmzthTiXGNy07cMsEV5SCCjUiD6z7l5jEIWlwQkhcVgHxU pbhJ29sf3B2NCbMuL9vDGpg6gTfvb34ihi/7Vw0gqthLgJ3JrTBGxw9lE=
Received: by fame.vanrein.org (Postfix, from userid 1006) id 972F02689A; Wed, 26 Feb 2020 09:40:47 +0000 (UTC)
X-Original-To: tls@ietf.org
Received: from airhead.local (phantom.vanrein.org [83.161.146.46]) by fame.vanrein.org (Postfix) with ESMTPA id B2B9026899; Wed, 26 Feb 2020 09:40:46 +0000 (UTC)
Message-ID: <5E563D1C.9010209@openfortress.nl>
Date: Wed, 26 Feb 2020 10:40:44 +0100
From: Rick van Rein <rick@openfortress.nl>
User-Agent: Postbox 3.0.11 (Macintosh/20140602)
MIME-Version: 1.0
To: Nico Williams <nico@cryptonector.com>
CC: TLS WG <tls@ietf.org>, "Tom Vrancken (ARPA2)" <tom.vrancken@arpa2.org>
References: <5E54CDA0.8070209@openfortress.nl> <20200225191519.GH18021@localhost>
In-Reply-To: <20200225191519.GH18021@localhost>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bogosity: Unsure, tests=bogofilter, spamicity=0.520000, version=1.2.4
X-CMAE-Envelope: MS4wfDmAmmNx7wyl6qDGor5kJX4zvxq/KJOiGlkcfd0EPRbFOg8V37MIrldPwx/gvbHtD1ik3HCvb/7RyjxLxZcY+VFQX/aUYRsQ9FR6d/NHCKl5vXTLovgf g1alShcLAFGL0nMFRAFMc+dUPQJJifyViP1L78S17rMeivrM+NjiXCWr
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/_VxzL1NPnUZ_z-LndtQ5HtOLGoQ>
Subject: Re: [TLS] I-D: TLS += Kerberos (provides Quantum Relief for DH)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Feb 2020 09:41:22 -0000
Hello Nico, > I don't believe that using Kerberos helps on the _entropy_ side as much > as on the PQ side. Ah; I meant to (be terse and) say that it adds an independent source of entropy that leaves no traces in the TLS flow subject to, indeed, Quantum Computer cracking. > Now, the biggest problem with Kerberos is that with manually-keyed > cross-realm trusts doesn't scale to Internet scale. But there's a way > to fix that too: use PQ PK with PKINIT as a form of "PKCROSS", and now > Kerberos can function as a way of amortizing PQ PK costs. Indeed :- though I'd have mentioned KXOVER or Kerberos Realm Crossover, https://gitlab.com/arpa2/kxover This is founded on DNSSEC, DANE and TLS. Thanks, -Rick
- [TLS] I-D: TLS += Kerberos (provides Quantum Reli… Rick van Rein
- Re: [TLS] I-D: TLS += Kerberos (provides Quantum … Salz, Rich
- Re: [TLS] I-D: TLS += Kerberos (provides Quantum … Nico Williams
- Re: [TLS] I-D: TLS += Kerberos (provides Quantum … Rick van Rein
- Re: [TLS] I-D: TLS += Kerberos (provides Quantum … Salz, Rich
- Re: [TLS] I-D: TLS += Kerberos (provides Quantum … Rick van Rein