[TLS] Add DTLS implementations to TLS WG GH wiki?

2023-08-16 Thread Sean Turner
Probably should have done this a while ago, but anyway …. I have heard that there is at least one DTLS 1.3 implementation available. I would like to either 1) add DTLS implementations to the GH wiki; see https://github.com/tlswg/tlswg-wiki/blob/master/IMPLEMENTATIONS.md; or 2) add a new DTLS

Re: [TLS] whitepaper from ambit inc

2023-08-16 Thread Scott Fluhrer (sfluhrer)
Why would TLS require triple AES? If you’re worried that Grover’s attack reduces the strength of AES-256 to 128 bits, well, yes it does – unless we are extremely impatient. If the attacker insists that the attack succeeds before, say, the Sun turns into a red giant, running Grover’s on a

Re: [TLS] [Editorial Errata Reported] RFC8773 (7598)

2023-08-16 Thread Sean Turner
Russ, Yeah the change looks right. The server is selecting based on what’s in the ClientHello. Anybody else see it differently? spt > On Aug 11, 2023, at 12:35, Russ Housley wrote: > > I believe that this errata should be verified. > >> On Aug 11, 2023, at 12:23 PM, RFC Errata System >>

Re: [TLS] whitepaper from ambit inc

2023-08-16 Thread Sean Turner
> On Jul 23, 2023, at 04:46, bingma2022=40skiff@dmarc.ietf.org wrote: > > https://www.ambit.inc/pdf/KyberDrive.pdf It says "Kyber-1024 is known to have > 254 bits of classical security and 230 bits of quantum security (core- > SVP hardness)." So the future version of TLS may require triple

[TLS] whitepaper from ambit inc

2023-08-16 Thread bingma2022=40skiff . com
https://www.ambit.inc/pdf/KyberDrive.pdf It says "Kyber-1024 is known to have 254 bits of classical security and 230 bits of quantum security (core-SVP hardness)." So the future version of TLS may require triple 256-bit AES. Since meet-in-the-middle attack, it requires three different