[TLS] Re: New Version Notification for draft-tls-reddy-slhdsa-00.txt

"Kampanakis, Panos" <kpanos@amazon.com> Mon, 04 November 2024 17:11 UTC

From: "Kampanakis, Panos" <kpanos@amazon.com>
To: tirumal reddy <kondtir@gmail.com>
Date: Mon, 04 Nov 2024 17:11:08 +0000
CC: IETF TLS <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/diiEJUJz6g5qU9OXWOAO3REe8V0>

From draft-tls-reddy-slhdsa-00

>  SLH-DSA can be preferred for CA certificates, making it ideal for long-term security as a trust anchor.

I think the standardized SLH-DSA parameters (designed for 2^64 signatures) still make the ICA cert unnecessarily large.

If there is an SLH-DSA argument to be made for Root Certs in TLS (I am not convinced), then I suggest it to be with just the slimmer parameters for 2^10 sigs in https://eprint.iacr.org/2024/018.pdf . Note that NIST has committed to standardizing slimmer SLH-DSA params sometime in the future.


From: tirumal reddy <kondtir@gmail.com>
Sent: Monday, November 4, 2024 2:16 AM
To: Peter C <Peter.C@ncsc.gov.uk>
Cc: IETF TLS <tls@ietf.org>
Subject: [EXTERNAL] [TLS] Re: New Version Notification for draft-tls-reddy-slhdsa-00.txt




Hi Peter,

Please see inline

On Sun, 3 Nov 2024 at 22:17, Peter C <Peter.C@ncsc.gov.uk> wrote:
> Tiru,
>
> Is SLH-DSA considered a practical option for TLS end-entity certificates?
>
> Under realistic network conditions, TLS handshakes with full SLH-DSA certificate chains seem to be about 5-10 times slower than traditional certificate chains and, in some cases, can take on the order of seconds.  See, for example, the results in https://eprint.iacr.org/2020/071, https://eprint.iacr.org/2021/1447, https://mediatum.ub.tum.de/1728103 and https://thomwiggers.nl/post/tls-measurements/.
>
> I agree that there’s an argument for using SLH-DSA in root certificates, but I’m surprised it’s being proposed for the full chain.

SLH-DSA is not proposed for the end-entity certificates, it is preferred for CA certificates (please see the 3rd paragraph in https://www.ietf.org/archive/id/draft-tls-reddy-slhdsa-00.html#section-2)

-Tiru


> Peter

From: Russ Housley <housley@vigilsec.com>
Sent: 03 November 2024 11:13
To: tirumal reddy <kondtir@gmail.com>
Cc: IETF TLS <tls@ietf.org>
Subject: [TLS] Re: New Version Notification for draft-tls-reddy-slhdsa-00.txt

Thanks for doing this work.  I hope the TLS WG will promptly adopt it.

Russ

On Nov 2, 2024, at 8:15 PM, tirumal reddy <kondtir@gmail.com> wrote:

Hi all,

This draft https://datatracker.ietf.org/doc/draft-tls-reddy-slhdsa/ specifies how the PQC signature scheme SLH-DSA can be used for authentication in TLS 1.3.
Comments and suggestions are welcome.

Regards,
-Tiru
---------- Forwarded message ---------
From: <internet-drafts@ietf.org>
Date: Sun, 3 Nov 2024 at 05:39
Subject: New Version Notification for draft-tls-reddy-slhdsa-00.txt
To: Tirumaleswar Reddy.K <kondtir@gmail.com>, John Gray <john.gray@entrust.com>, Scott Fluhrer <sfluhrer@cisco.com>, Timothy Hollebeek <tim.hollebeek@digicert.com>


A new version of Internet-Draft draft-tls-reddy-slhdsa-00.txt has been
successfully submitted by Tirumaleswar Reddy and posted to the
IETF repository.

Name:     draft-tls-reddy-slhdsa
Revision: 00
Title:    Use of SLH-DSA in TLS 1.3
Date:     2024-11-02
Group:    Individual Submission
Pages:    8
URL:      https://www.ietf.org/archive/id/draft-tls-reddy-slhdsa-00.txt
Status:   https://datatracker.ietf.org/doc/draft-tls-reddy-slhdsa/
HTML:     https://www.ietf.org/archive/id/draft-tls-reddy-slhdsa-00.html
HTMLized: https://datatracker.ietf.org/doc/html/draft-tls-reddy-slhdsa

Abstract:

   This memo specifies how the post-quantum signature scheme SLH-DSA
   [FIPS205] is used for authentication in TLS 1.3.