On Monday, 20 October 2025 16:11:30 CEST, Eric Rescorla wrote:
On Mon, Oct 20, 2025 at 7:03 AM Alicja Kario <[email protected]> wrote:

On Monday, 20 October 2025 15:45:13 CEST, Eric Rescorla wrote: ...
Now, going back to the migration. Yes, the attacks will be expensive at the
beginning, but I think what we should aim for is NOT to repeat the situation
with SHA-1, where the web was dragging its feet for like 10 years before SHA-1
was properly distrusted.


I agree that we should try not to repeat that. The question is what the best
way to do that is.

I think that providing an easy way to allow people to drag their feet on this
won't improve the situation...


I don't think that that's what this proposal does.

it lessens the pressure to deprecate old algorithms ("because the high
value targets are protected, we don't have to care about the smaller ones
as much")

Basically, I think we should aim for a situation where all major TLS clients
and libraries simply don't advertise classical crypto signatures as an option
by default, in 10 years or so.


And so your preference is that in the intervening period, there's no way
for servers to avoid exposure to CRQC-based attacks on authentication?

that's client policy, what kind of attacks it is willing to be subject to or
not...
--
Regards,
Alicja Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00, Brno, Czech Republic

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
