On Fri, Oct 20, 2017 at 04:41:04PM +0000, Ackermann, Michael wrote:
> So it sounds like we are in agreement that continuing to use TLS 1.2
> is not a viable long-term alternative.

If one looks at a long time horizon...

TLS 1.2 will very probably remain viable until quantum computers come
and demolish its security, unfortunately.

Yes, quantum computers will demolish TLS 1.3 as it is currently, but
adding PQC into 1.3 is much easier than adding it into 1.2. With TLS
1.3, the biggest problem is choosing the PQC algorithm, not
integrating it, whereas TLS 1.2 would require very nontrivial
integration work too.

Oh, and come quantum computers, you will find that PQC schemes are much
less well-behaved than the pre-quantum schemes in use. Thus many tricks
that worked no longer work. So you would be better off just adapting,
because come QC, you don't have a choice but to, potentially very
quickly.

Also, with regards to support, I would be much more concerned about
software dropping support for, or regulations mandating disabling of,
RSA key exchange than TLS 1.2 as a whole. There are already TLS libraries
that lack RSA key exchange, despite the fact that it is MTI. Furthermore,
that sort of thing is much more feasible on the server side, as client
support for ECDH (or at least DH-2k) is just about universal.


-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
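The last paragraph above is about servers dropping static RSA key exchange while keeping (EC)DHE, and about whether clients can still negotiate afterwards. The script below is an added example written for this page, not code from Ilari's post or from the TLS working group: it uses the OpenSSL-backed Python `ssl` module to audit a server context's enabled cipher suites, reports which ones still use RSA key exchange (no forward secrecy) versus ephemeral (EC)DH, and approximates offline whether a client limited to a given cipher string would have any TLS 1.2 suite in common with the server. The cipher string `HARDENED_CIPHERS` is a hypothetical choice for illustration (the `!kRSA` term is what actually removes RSA key exchange); TLS 1.3 suites are deliberately left out of the comparison because OpenSSL fixes them independently of `set_ciphers`.

```python
import re
import ssl

# Hypothetical hardened server cipher string (example choice, not from the post):
# only ECDHE/DHE suites, and "!kRSA" explicitly removes static RSA key exchange.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!kRSA:!aNULL:!eNULL"

# OpenSSL's one-line cipher description carries the key-exchange method as "Kx=...".
KX_RE = re.compile(r"\bKx=(\S+)")


def key_exchange_of(description):
    """Return the Kx field of an OpenSSL cipher description ("RSA", "ECDH", "DH", "any")."""
    m = KX_RE.search(description)
    return m.group(1) if m else None


def make_server_context(cipher_string=None):
    """Server-side context; with no cipher string, Python's/OpenSSL's defaults apply."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if cipher_string is not None:
        ctx.set_ciphers(cipher_string)
    return ctx


def pre_tls13_suites(ctx):
    """Enabled suites negotiable at TLS 1.2 and below. TLS 1.3 suites are fixed by
    OpenSSL and unaffected by set_ciphers, so they are left out of the audit."""
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def static_rsa_suites(ctx):
    """Names of enabled suites whose key exchange is RSA encryption (no forward secrecy)."""
    return [c["name"] for c in pre_tls13_suites(ctx)
            if key_exchange_of(c["description"]) == "RSA"]


def forward_secret_suites(ctx):
    """Names of enabled suites using ephemeral (EC)DH key exchange."""
    return [c["name"] for c in pre_tls13_suites(ctx)
            if key_exchange_of(c["description"]) in ("ECDH", "DH")]


def audit(ctx):
    """Summarise a context: RSA-kx suites, forward-secret suites, and a pass/fail flag."""
    rsa = static_rsa_suites(ctx)
    fs = forward_secret_suites(ctx)
    return {"static_rsa": rsa,
            "forward_secret": fs,
            "rsa_kx_free": not rsa and bool(fs)}


def legacy_client_negotiates_tls12(client_cipher_string, server_ctx):
    """Offline approximation of TLS 1.2 negotiation: does any pre-1.3 suite that a
    client configured with client_cipher_string would offer remain enabled on the
    server? A client that cannot even configure those suites is treated as unable."""
    client = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        client.set_ciphers(client_cipher_string)
    except ssl.SSLError:
        return False
    offered = {c["name"] for c in pre_tls13_suites(client)}
    enabled = {c["name"] for c in pre_tls13_suites(server_ctx)}
    return bool(offered & enabled)


if __name__ == "__main__":
    for label, cs in (("default", None), ("hardened", HARDENED_CIPHERS)):
        report = audit(make_server_context(cs))
        print(f"{label}: {len(report['static_rsa'])} static-RSA suites, "
              f"{len(report['forward_secret'])} forward-secret suites, "
              f"RSA-kx-free={report['rsa_kx_free']}")
    hardened = make_server_context(HARDENED_CIPHERS)
    print("RSA-kx-only client vs hardened server:",
          legacy_client_negotiates_tls12("kRSA", hardened))
    print("ECDHE client vs hardened server:",
          legacy_client_negotiates_tls12("ECDHE+AESGCM", hardened))
```

Run it against the default context first to see how many `Kx=RSA` suites OpenSSL still enables out of the box on your build, then against the hardened string; the `kRSA`-only client models the legacy peer that would break when a server drops RSA key exchange, while the `ECDHE+AESGCM` client models the near-universal ECDH-capable client the post refers to. The check is a cipher-list intersection, not a real handshake, so it says nothing about certificate types, groups or signature algorithms.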