On 07.04.26 00:39, Nico Williams wrote:

On Tue, Apr 07, 2026 at 12:31:08AM +0200, Muhammad Usama Sardar wrote:
On 06.04.26 23:24, Nico Williams wrote:
Their trade-offs might be different to ours.  Perhaps they think that
security in-depth means you'll use TLS at the application layer, with
hybrids, and so if you use PQ-only at the network layer, in the worst
case scenario you're still protected by the use of hybrids at the
application layer.
Well, this double TLS is really shooting on the foot the only somewhat
reasonable argument I've seen for non-hybrid so far: efficiency!
We've seen this argument made before on this list.  If you're double-
encrypting, and each layer uses different algorithms...

Yes, I vaguely recall John mentioning this, but was that actually in hybrid vs. non-hybrid context?

My point was that if the overhead of adding ECDHE is considered unacceptable (apparently that's the argument for use of pure PQ), the overhead of creating two connections should be surely unacceptable. I would expect that for systems where you want defense-in-depth (e.g., NSS -- see below), you actually don't care about efficiency so much. The goal there is high security.

So how exactly would double-encryption work in this context? You establish pure PQ TLS at network layer -- that I understand. But can you share more insights about the application layer TLS? Like, how does it distinguish the control signals (TLS messages) of the /application layer TLS/ from the actual application traffic? Does the application layer TLS reuse some of the keys from the network layer TLS? What is the binding between the two? Are you aware of any complete specifications?

Where are the keys of both TLS stored actually? Is there a real case that the keys of one TLS (say network layer) will be leaked while the other one not? If the keys are all stored at the same place, adding even 10 layers of encryption is not helpful. So instead of doing double encryption, I believe one should actually do attested TLS in post-handshake attestation topology (draft-fossati-seat-expat), which provides a second root of trust, without the need to re-establish a connection.

IIUC NSA mandates double-encryption.

My understanding is that it is for high-stake systems -- known as National Security Systems (NSS). For non-NSS, it is not mandatory.

Best regards,

-Usama
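An added illustration (not part of this thread, and not code from any participant): the Go program below nests a TLS 1.3 connection inside another TLS 1.3 connection over an in-memory pipe, which is the plain "TLS in TLS" reading of double encryption. The host names outer.example and inner.example, the self-signed throwaway certificates, the tap wrapper that records wire bytes, and the exporter label are all constructed for the example. It makes three things concrete: the inner layer's handshake messages are nothing more than application data of the outer connection, so no special demultiplexing is needed; each layer derives its own keys and nothing ties them together unless the application adds a binding itself (the per-layer exporter outputs differ); and the outer ClientHello's server name is still visible in cleartext while the inner one is not.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"sync"
	"time"
)

// tapConn logs every byte written to the underlying conn: what an observer of the "wire" sees.
type tapConn struct {
	net.Conn
	mu  *sync.Mutex
	log *bytes.Buffer
}

func (t tapConn) Write(b []byte) (int, error) {
	t.mu.Lock()
	t.log.Write(b)
	t.mu.Unlock()
	return t.Conn.Write(b)
}

// selfSignedCert builds a throwaway certificate for a constructed host name (panics: demo only).
func selfSignedCert(name string) (tls.Certificate, *x509.CertPool) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// tlsLayer runs one full TLS 1.3 handshake over any net.Conn pair; passing the *tls.Conn
// values of a finished layer as cRaw/sRaw nests a second layer inside the first.
func tlsLayer(name string, cRaw, sRaw net.Conn) (*tls.Conn, *tls.Conn, error) {
	cert, pool := selfSignedCert(name)
	// Tickets are disabled so the server makes no post-handshake write that would block an unbuffered pipe.
	srv := tls.Server(sRaw, &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS13, SessionTicketsDisabled: true})
	cli := tls.Client(cRaw, &tls.Config{RootCAs: pool, ServerName: name, MinVersion: tls.VersionTLS13})
	errc := make(chan error, 1)
	go func() { errc <- srv.Handshake() }()
	if err := cli.Handshake(); err != nil {
		return nil, nil, err
	}
	return cli, srv, <-errc
}

// Result records what the double-encrypted exchange looked like from the outside and the inside.
type Result struct {
	Received                                        string
	OuterSNIOnWire, InnerSNIOnWire, PlaintextOnWire bool
	OuterExporter, InnerExporter                    []byte // per-layer exporter output (RFC 8446 exporter interface)
}

// DoubleTLS sends msg over an inner TLS connection carried as application data of an outer one.
func DoubleTLS(msg string) (Result, error) {
	var r Result
	mu, wire := &sync.Mutex{}, &bytes.Buffer{}
	p1, p2 := net.Pipe() // stands in for the network
	outerCli, outerSrv, err := tlsLayer("outer.example", tapConn{p1, mu, wire}, tapConn{p2, mu, wire})
	if err != nil {
		return r, fmt.Errorf("outer handshake: %w", err)
	}
	innerCli, innerSrv, err := tlsLayer("inner.example", outerCli, outerSrv)
	if err != nil {
		return r, fmt.Errorf("inner handshake: %w", err)
	}
	go innerCli.Write([]byte(msg)) // inner record -> outer record -> pipe
	buf := make([]byte, len(msg))
	if _, err := io.ReadFull(innerSrv, buf); err != nil {
		return r, err
	}
	r.Received = string(buf)
	// Each layer derives its own secrets; nothing binds them unless the application adds that itself.
	ocs, ics := outerCli.ConnectionState(), innerCli.ConnectionState()
	r.OuterExporter, _ = ocs.ExportKeyingMaterial("layer-check", nil, 32)
	r.InnerExporter, _ = ics.ExportKeyingMaterial("layer-check", nil, 32)
	mu.Lock()
	defer mu.Unlock()
	r.OuterSNIOnWire = bytes.Contains(wire.Bytes(), []byte("outer.example")) // outer ClientHello is cleartext
	r.InnerSNIOnWire = bytes.Contains(wire.Bytes(), []byte("inner.example")) // inner ClientHello rides inside the outer layer
	r.PlaintextOnWire = bytes.Contains(wire.Bytes(), []byte(msg))
	return r, nil
}

func main() {
	r, err := DoubleTLS("hello through two layers")
	fmt.Println(r.Received, r.OuterSNIOnWire, r.InnerSNIOnWire, r.PlaintextOnWire, bytes.Equal(r.OuterExporter, r.InnerExporter), err)
}
```

The program shows the layering mechanics, not the key-storage question: both tls.Conn values live in the same process here, which is exactly the situation where a second layer adds cost without a second trust boundary. If one wants the layers bound to each other, the per-layer exporter values are the natural hook (for example, feeding the outer exporter into the inner handshake as context), but that binding has to be added explicitly; plain nesting gives none.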

TLS mailing list -- [email protected]