Hi all, We have submitted a new individual draft for WG consideration:
Title: Hybrid Post-Quantum and Traditional Authentication for IKEv2 Draft: draft-reddy-ipsecme-pqt-hybrid-auth-00 URL: https://datatracker.ietf.org/doc/draft-reddy-ipsecme-pqt-hybrid-auth/ This document defines a hybrid PKI authentication mechanism for IKEv2 using composite certificates, combining ML-DSA (post-quantum) with traditional signature algorithms such as ECDSA. The goal is to ensure authentication remains secure as long as at least one component algorithm is unbroken, providing a robust migration path during the transition to post-quantum cryptography. The draft complements draft-ietf-ipsecme-ikev2-pqc-auth, which covers PQC-only authentication. This document extends that work to support hybrid assurance using composite certificates as defined in draft-ietf-lamps-pq-composite-sigs. Notably, this mechanism does not require any changes to the IKEv2 base protocol, it reuses the existing AUTH payload format defined in RFC 7427 and the SUPPORTED_AUTH_METHODS notification from RFC 9593. Comments and suggestions are welcome. Best regards, -Tiru & Scott -----Original Message----- From: [email protected] <[email protected]> Sent: Tuesday, April 14, 2026 10:50 AM To: K Tirumaleswar Reddy (Nokia) <[email protected]>; Scott Fluhrer <[email protected]>; K Tirumaleswar Reddy (Nokia) < [email protected]> Subject: New Version Notification for draft-reddy-ipsecme-pqt-hybrid-auth-00.txt CAUTION: This is an external email. Please be very careful when clicking links or opening attachments. See the URL nok.it/ext for additional information. A new version of Internet-Draft draft-reddy-ipsecme-pqt-hybrid-auth-00.txt has been successfully submitted by Tirumaleswar Reddy and posted to the IETF repository. Name: draft-reddy-ipsecme-pqt-hybrid-auth Revision: 00 Title: Hybrid Post-Quantum and Traditional Authentication for IKEv2 Date: 2026-04-14 Group: Individual Submission Pages: 10 URL: https://www.ietf.org/archive/id/draft-reddy-ipsecme-pqt-hybrid-auth-00.txt Status: https://datatracker.ietf.org/doc/draft-reddy-ipsecme-pqt-hybrid-auth/ HTML: https://www.ietf.org/archive/id/draft-reddy-ipsecme-pqt-hybrid-auth-00.html HTMLized: https://datatracker.ietf.org/doc/html/draft-reddy-ipsecme-pqt-hybrid-auth Abstract: A Cryptographically Relevant Quantum Computer (CRQC) can break traditional public-key algorithms (e.g., RSA, ECDSA), which are typically used for authentication in IKEv2. Combining the post- quantum ML-DSA signature algorithm with a traditional signature algorithm provides protection against potential weaknesses or implementation flaws in ML-DSA. This draft defines a hybrid PKI authentication method for IKEv2 using composite certificates that ensures authentication remains secure as long as at least one of the component signature algorithms remains unbroken. The IETF Secretariat
_______________________________________________ IPsec mailing list -- [email protected] To unsubscribe send an email to [email protected]
