I support adoption of the draft.
Given a scenario as described in the applicability statement, an SLH-DSA
authenticated channel would be the preferred solution from BSI's viewpoint.
I would also be willing to review, and be in favor of cutting down the
number of codepoints following a plausible rationale.
Best, Stavros
On 7/28/25 17:12, tirumal reddy wrote:
On Mon, 28 Jul 2025 at 19:10, Peter C
<Peter.C=40ncsc.gov...@dmarc.ietf.org> wrote:
I don't support adopting the draft at the moment.
A stronger applicability statement and reducing the number of
parameter sets would be steps in the right direction, but I'm a
"not yet" because the motivating example seems to be DTLS. Unlike
TLS, I'm not aware of any experiments using SLH-DSA in DTLS and I
think there are still open questions about amplification attacks
(https://eprint.iacr.org/2023/266) which are potentially much
worse with SLH-DSA.
The draft has been updated to include an Applicability section, please
seehttps://github.com/tireddy2/slhdsa-tls1.3/blob/main/draft-reddy-tls-slhdsa.md.
While the example refers to DTLS, it specifically targets DTLS-over-SCTP,
which is a reliable transport and therefore does not face the amplification
issues with DTLS over UDP. The draft does not use the “pre-hash” variants of
SLH-DSA. We are open to feedback from the WG, including suggestions for
reducing the number of parameter sets.
We look forward to further discussion on progressing this work.
Cheers,
-Tiru
_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org
