[prev in list] [next in list] [prev in thread] [next in thread]
List: ietf-tls
Subject: Re: [TLS] Advancing draft-ietf-tls-hybrid-design
From: Dan Brown <danibrown () blackberry ! com>
Date: 2021-07-13 15:08:07
Message-ID: b3eb577d13714202ba9a2664ab1f3a88 () blackberry ! com
[Download RAW message or body]
Hi Douglas,
Your general approach paves the way for improved forward security, as
insurance against new attacks, a non-negligible risk (*). So, the TLS WG
should advance it soon. Sorry, that I've not yet looked at the details, but
I trust that your I-D is good.
Best regards,
Dan
PS
(*) The non-negligible risk of new (or secret) attacks does not discount the
existing protocols or past work of the TLS WG. The TLS WG priority has
rightly been to address much greater risks (TCP unprotected by
cryptography), etc., but can now build on that work to further improve
security.
A strawman counter-argument to "hybrid public-key": why not do the same
thing for symmetric-key, i.e. the TLS record layer? Two reasons. One: the
quantum computer risk more greatly affects public-key, while many of the PQC
alternatives are not yet tested (as much as the symmetric-key options).
Two: internally, typical symmetric-key cryptography already applies rounds
of different types of operations, e.g. linear and non-linear, so
symmetric-key is "hybrid" already (to a limited degree).
About "hybrid" terminology
> -----Original Message-----
> From: TLS <tls-bounces@ietf.org> On Behalf Of Douglas Stebila
> ... Though at
> this point changing the word "hybrid" to "composite" would be a rather big
> rewrite so I'll omit that unless there are very strong objections to the
word
> hybrid.
On the "hybrid" terminology (i.e. which paint for the bike-shed), other
names seem better, if less slick.
There's "layered diverse cryptography", but that conflicts with the L in
TLS. Also, "strongest-link" is quite clear. There's several other
alternatives, but maybe not as good.
PPS: off-topic rant (for TLS ):
Consider that CFRG has a draft about "Hybrid PKE" (HPKE, *). This raises a
question: what to call a hybrid of this hybrid (e.g. ECC+PQC) with that
hybrid (e.g. KEM+DEM)? Hyper-hybrid?
Although HPKE is not destined for TLS, consistent terminology for
cryptography across WGs would be ideal. It could be confusing if each WG
used different terminology for the same cryptographic methods, or in this
case, the same terminology for different cryptographic methods. That said,
coordination of a large open organization like IETF is difficult, and so is
choosing clear terminology for complicated ideas of cryptography.
----------------------------------------------------------------------
This transmission (including any attachments) may contain confidential information, \
privileged material (including material protected by the solicitor-client or other \
applicable privileges), or constitute non-public information. Any use of this \
information by anyone other than the intended recipient is prohibited. If you have \
received this transmission in error, please immediately reply to the sender and \
delete this information from your system. Use, dissemination, distribution, or \
reproduction of this transmission by unintended recipients is not authorized and may \
be unlawful.
["smime.p7s" (application/pkcs7-signature)]
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
--===============7528730736391349821==--
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic