[TLS] Re: WG Adoption Call for Use of SLH-DSA in TLS 1.3

[tirumal reddy <kondtir@gmail.com>]

Hi Mike,

Please review the revised security considerations section
https://github.com/tireddy2/slhdsa-tls1.3/blob/main/draft-reddy-tls-slhdsa.md
to address your comment.

Best Regards,
-Tiru

On Mon, 19 May 2025 at 11:58, tirumal reddy <kondtir@gmail.com> wrote:

> Including TLS WG mailing list.
>
> Thanks Mike for the feedback. The long-lived TLS connections will undergo periodic
> re-authentication to check the certificate validity. In a typical 3GPP
> deployment, the certificate will expire and be replaced with a new
> certificate with a new key pair well before the SLH-DSA signature limit is
> approached. For example, if a server certificate is valid for 1 year and each
> connection re-authenticates every 12 hours, this results in approximately 730
> signatures per client connection. Even when scaled to many clients, the total
> number of signatures generated over the lifetime of a single key remains vastly
> below the SLH-DSA signature limit
>
> It is an important security aspect to be discussed in the draft. I will
> raise PR to address it.
>
> Cheers,
> -Tiru
>
> On Sat, 17 May 2025 at 19:30, Mike Ounsworth <ounsworth+ietf@gmail.com>
> wrote:
>
>> (my messages are not making it to the list; hoping someone will reply-all
>> to get it on the record)
>>
>> @Martin, would you object to adoption less if there were fewer algorithms
>> being registered ... like 1 or 2?
>>
>> @Tiru, @JohnMattsson -- My objection to this draft in its current form is
>> that there is a lack of discussion about that 2^64 signature limit. I am
>> aware of the size of the number "2^64", and that this simply won't be
>> reached in a long-lived TLS connections, but once we allow SLH-DSA in TLS,
>> it's allowed, and Moore's Law scaling over the coming decades could make it
>> conceivable to see 2^64 handshakes on a single key, especially with massive
>> horizontal scaling and CSR key reuse across cert renewals. How do you solve
>> that? Do we require operators to roughly track the number of signatures
>> performed? How? So IMO this draft NEEDS a well-worded Security
>> Consideration about this limit and I want to see at least roughly what that
>> text looks like as part of adoption because to me SLH-DSA is appropriate
>> for TLS if and only if we can find something reasonable to say about this.
>>
>> On Sat, 17 May 2025 at 07:23, Salz, Rich <rsalz=
>> 40akamai.com@dmarc.ietf.org> wrote:
>>
>>> So far we’ve heard that 3GPP is considering using this (presumably for
>>> thinks like station-to-station, as it were), but they need a stable
>>> reference like an RFC. I’d say that “stable reference” is their problem. Do
>>> they consider the TLS registries a stable reference?
>>> _______________________________________________
>>> TLS mailing list -- tls@ietf.org
>>> To unsubscribe send an email to tls-leave@ietf.org
>>>
>>