Hi Douglas,

Your general approach paves the way for improved forward security, as insurance against new attacks, a non-negligible risk (*). So, the TLS WG should advance it soon. Sorry that I've not yet looked at the details, but I trust that your I-D is good.

Best regards,

Dan

PS (*) The non-negligible risk of new (or secret) attacks does not discount the existing protocols or past work of the TLS WG. The TLS WG priority has rightly been to address much greater risks (TCP unprotected by cryptography), etc., but can now build on that work to further improve security.

A strawman counter-argument to "hybrid public-key": why not do the same thing for symmetric-key, i.e. the TLS record layer? Two reasons. One: the quantum computer risk more greatly affects public-key, while many of the PQC alternatives are not yet tested (as much as the symmetric-key options). Two: internally, typical symmetric-key cryptography already applies rounds of different types of operations, e.g. linear and non-linear, so symmetric-key is "hybrid" already (to a limited degree).

About "hybrid" terminology

> -----Original Message-----
> From: TLS <tls-boun...@ietf.org> On Behalf Of Douglas Stebila
> ... Though at
> this point changing the word "hybrid" to "composite" would be a rather big
> rewrite so I'll omit that unless there are very strong objections to the word
> hybrid.

On the "hybrid" terminology (i.e. which paint for the bike-shed), other names seem better, if less slick. There's "layered diverse cryptography", but that conflicts with the L in TLS. Also, "strongest-link" is quite clear. There are several other alternatives, but maybe not as good.

PPS: off-topic rant (for TLS): Consider that CFRG has a draft about "Hybrid PKE" (HPKE, *). This raises a question: what to call a hybrid of this hybrid (e.g. ECC+PQC) with that hybrid (e.g. KEM+DEM)? Hyper-hybrid? Although HPKE is not destined for TLS, consistent terminology for cryptography across WGs would be ideal. It could be confusing if each WG used different terminology for the same cryptographic methods, or in this case, the same terminology for different cryptographic methods.
That said, coordination of a large open organization like IETF is difficult, and so is choosing clear terminology for complicated ideas of cryptography.
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls