From draft-tls-reddy-slhdsa-00 > SLH-DSA can be preferred for CA certificates, making it ideal for long-term > security as a trust anchor.
I think the standardized SLH-DSA parameters (designed for 2^64 signatures) still make the ICA cert unnecessarily large. If there is an SLH-DSA argument to be made for Root Certs in TLS (I am not convinced), then I suggest it to be with just the slimmer parameters for 2^10 sigs in https://eprint.iacr.org/2024/018.pdf . Note that NIST has committed to standardizing slimmer SLH-DSA params sometime in the future. From: tirumal reddy <[email protected]> Sent: Monday, November 4, 2024 2:16 AM To: Peter C <[email protected]> Cc: IETF TLS <[email protected]> Subject: [EXTERNAL] [TLS] Re: New Version Notification for draft-tls-reddy-slhdsa-00.txt CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe. Hi Peter, Please see inline On Sun, 3 Nov 2024 at 22:17, Peter C <[email protected]<mailto:[email protected]>> wrote: Tiru, Is SLH-DSA considered a practical option for TLS end-entity certificates? Under realistic network conditions, TLS handshakes with full SLH-DSA certificate chains seem to be about 5-10 times slower than traditional certificate chains and, in some cases, can take on the order of seconds. See, for example, the results in https://eprint.iacr.org/2020/071, https://eprint.iacr.org/2021/1447, https://mediatum.ub.tum.de/1728103 and https://thomwiggers.nl/post/tls-measurements/. I agree that there’s an argument for using SLH-DSA in root certificates, but I’m surprised it’s being proposed for the full chain. SLH-DSA is not proposed for the end-entity certificates, it is preferred for CA certificates (please see the 3rd paragraph in https://www.ietf.org/archive/id/draft-tls-reddy-slhdsa-00.html#section-2) -Tiru Peter From: Russ Housley <[email protected]<mailto:[email protected]>> Sent: 03 November 2024 11:13 To: tirumal reddy <[email protected]<mailto:[email protected]>> Cc: IETF TLS <[email protected]<mailto:[email protected]>> Subject: [TLS] Re: New Version Notification for draft-tls-reddy-slhdsa-00.txt Thanks for doing this work. I hope the TLS WG will promptly adopt it. Russ On Nov 2, 2024, at 8:15 PM, tirumal reddy <[email protected]<mailto:[email protected]>> wrote: Hi all, This draft https://datatracker.ietf.org/doc/draft-tls-reddy-slhdsa/ specifies how the PQC signature scheme SLH-DSA can be used for authentication in TLS 1.3. Comments and suggestions are welcome. Regards, -Tiru ---------- Forwarded message --------- From: <[email protected]<mailto:[email protected]>> Date: Sun, 3 Nov 2024 at 05:39 Subject: New Version Notification for draft-tls-reddy-slhdsa-00.txt To: Tirumaleswar Reddy.K <[email protected]<mailto:[email protected]>>, John Gray <[email protected]<mailto:[email protected]>>, Scott Fluhrer <[email protected]<mailto:[email protected]>>, Timothy Hollebeek <[email protected]<mailto:[email protected]>> A new version of Internet-Draft draft-tls-reddy-slhdsa-00.txt has been successfully submitted by Tirumaleswar Reddy and posted to the IETF repository. Name: draft-tls-reddy-slhdsa Revision: 00 Title: Use of SLH-DSA in TLS 1.3 Date: 2024-11-02 Group: Individual Submission Pages: 8 URL: https://www.ietf.org/archive/id/draft-tls-reddy-slhdsa-00.txt Status: https://datatracker.ietf.org/doc/draft-tls-reddy-slhdsa/ HTML: https://www.ietf.org/archive/id/draft-tls-reddy-slhdsa-00.html HTMLized: https://datatracker.ietf.org/doc/html/draft-tls-reddy-slhdsa Abstract: This memo specifies how the post-quantum signature scheme SLH-DSA [FIPS205] is used for authentication in TLS 1.3.
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
