Tirumal Reddy wrote: > SLH-DSA is not proposed for the end-entity certificates, it is preferred > for CA certificates (please see the 3rd paragraph in > https://www.ietf.org/archive/id/draft-tls-reddy-slhdsa-00.html#section-2)
Yes, except the introduction says: "This memo specifies how SLH-DSA can be negotiated for authentication in TLS 1.3 via the 'signature_algorithms' and 'signature_algorithms_cert' extensions." which certainly implies end-entity certificates with SLH-DSA public keys. I realise that a single SignatureScheme registry is used for both extensions, so if you are not proposing SLH-DSA end-entity certificates then you need to be more explicit that it is not recommended for use in signature_algorithms. Peter From: tirumal reddy <[email protected]> Sent: 04 November 2024 07:16 To: Peter C <[email protected]> Cc: IETF TLS <[email protected]> Subject: Re: [TLS] Re: New Version Notification for draft-tls-reddy-slhdsa-00.txt Hi Peter, Please see inline On Sun, 3 Nov 2024 at 22:17, Peter C <[email protected]<mailto:[email protected]>> wrote: Tiru, Is SLH-DSA considered a practical option for TLS end-entity certificates? Under realistic network conditions, TLS handshakes with full SLH-DSA certificate chains seem to be about 5-10 times slower than traditional certificate chains and, in some cases, can take on the order of seconds. See, for example, the results in https://eprint.iacr.org/2020/071, https://eprint.iacr.org/2021/1447, https://mediatum.ub.tum.de/1728103 and https://thomwiggers.nl/post/tls-measurements/. I agree that there's an argument for using SLH-DSA in root certificates, but I'm surprised it's being proposed for the full chain. SLH-DSA is not proposed for the end-entity certificates, it is preferred for CA certificates (please see the 3rd paragraph in https://www.ietf.org/archive/id/draft-tls-reddy-slhdsa-00.html#section-2) -Tiru Peter From: Russ Housley <[email protected]<mailto:[email protected]>> Sent: 03 November 2024 11:13 To: tirumal reddy <[email protected]<mailto:[email protected]>> Cc: IETF TLS <[email protected]<mailto:[email protected]>> Subject: [TLS] Re: New Version Notification for draft-tls-reddy-slhdsa-00.txt Thanks for doing this work. I hope the TLS WG will promptly adopt it. Russ On Nov 2, 2024, at 8:15 PM, tirumal reddy <[email protected]<mailto:[email protected]>> wrote: Hi all, This draft https://datatracker.ietf.org/doc/draft-tls-reddy-slhdsa/ specifies how the PQC signature scheme SLH-DSA can be used for authentication in TLS 1.3. Comments and suggestions are welcome. Regards, -Tiru ---------- Forwarded message --------- From: <[email protected]<mailto:[email protected]>> Date: Sun, 3 Nov 2024 at 05:39 Subject: New Version Notification for draft-tls-reddy-slhdsa-00.txt To: Tirumaleswar Reddy.K <[email protected]<mailto:[email protected]>>, John Gray <[email protected]<mailto:[email protected]>>, Scott Fluhrer <[email protected]<mailto:[email protected]>>, Timothy Hollebeek <[email protected]<mailto:[email protected]>> A new version of Internet-Draft draft-tls-reddy-slhdsa-00.txt has been successfully submitted by Tirumaleswar Reddy and posted to the IETF repository. Name: draft-tls-reddy-slhdsa Revision: 00 Title: Use of SLH-DSA in TLS 1.3 Date: 2024-11-02 Group: Individual Submission Pages: 8 URL: https://www.ietf.org/archive/id/draft-tls-reddy-slhdsa-00.txt Status: https://datatracker.ietf.org/doc/draft-tls-reddy-slhdsa/ HTML: https://www.ietf.org/archive/id/draft-tls-reddy-slhdsa-00.html HTMLized: https://datatracker.ietf.org/doc/html/draft-tls-reddy-slhdsa Abstract: This memo specifies how the post-quantum signature scheme SLH-DSA [FIPS205] is used for authentication in TLS 1.3.
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
