Re: [TLS] Consensus call on codepoint strategy for draft-ietf-tls-hybrid-design

However, the difference is stated to be UncompressedPointRepresentation for P256 from TLS 1.3. AFACIT, that is 65 bytes (1 legacy_form byte, 32 bytes for x, 32 bytes for y). Right, one byte for the legacy_form is missing. Let me fix it.___ TLS

Re: [TLS] Consensus call on codepoint strategy for draft-ietf-tls-hybrid-design

On Fri, May 19, 2023 at 06:57:09PM +0100, Kris Kwiatkowski wrote: > Hello, > > The codepoint for P-256+Kyber768 has been just assigned by IANA. The value > is 0x639A. > Thanks Rich for pointing to the request form. I get off-by-one for the sizes of key shares. The given size of client key share

Re: [TLS] Consensus call on codepoint strategy for draft-ietf-tls-hybrid-design

Hello, The codepoint for P-256+Kyber768 has been just assigned by IANA. The value is 0x639A. Thanks Rich for pointing to the request form. Kind regards, Kris On 18/05/2023 22:00, Christopher Wood wrote: Thanks, Rich! On May 17, 2023, at 3:44 PM, Salz, Rich wrote:  * Can we get

Re: [TLS] Consensus call on codepoint strategy for draft-ietf-tls-hybrid-design

Thanks, Rich!On May 17, 2023, at 3:44 PM, Salz, Rich wrote: Can we get another code point for P256+Kyber768?   Fill out the form at https://www.iana.org/form/protocol-assignment  Or send email to tls-reg-rev...@iana.org and copy iana-prot-pa...@iana.org  There is no requirement that

Re: [TLS] Consensus call on codepoint strategy for draft-ietf-tls-hybrid-design

* Can we get another code point for P256+Kyber768? Fill out the form at https://www.iana.org/form/protocol-assignment Or send email to tls-reg-rev...@iana.org and copy iana-prot-pa...@iana.org There is no requirement that

Re: [TLS] Consensus call on codepoint strategy for draft-ietf-tls-hybrid-design

Sorry, quick clarification - it’s Panos and myself who prepared, not just me. (Thanks Panos for your help!) > On 17 May 2023, at 19:11, Krzysztof Kwiatkowski wrote: > > Hi, > > Can we get another code point for P256+Kyber768? Following Bas’s draft, I’ve > prepared similar one: >

Re: [TLS] Consensus call on codepoint strategy for draft-ietf-tls-hybrid-design

Hi, Can we get another code point for P256+Kyber768? Following Bas’s draft, I’ve prepared similar one: https://datatracker.ietf.org/doc/draft-kwiatkowski-tls-ecdhe-kyber/ The goals of having those are: * Be able to experiment with flows in which FIPS-approved curves are used * Some HW based

Re: [TLS] Consensus call on codepoint strategy for draft-ietf-tls-hybrid-design

Kyber768 Round 3 > combined with X25519? > > > > > > *From:* TLS *On Behalf Of * Bas Westerbaan > *Sent:* Wednesday, May 10, 2023 3:09 PM > *To:* Christopher Wood > *Cc:* tls@ietf.org > *Subject:* RE: [EXTERNAL][TLS] Consensus call on codepoint strategy for

Re: [TLS] Consensus call on codepoint strategy for draft-ietf-tls-hybrid-design

: TLS on behalf of Scott Fluhrer (sfluhrer) Date: Thursday, 11 May 2023 at 16:23 To: Kampanakis, Panos , Bas Westerbaan , Christopher Wood Cc: tls@ietf.org Subject: Re: [TLS] Consensus call on codepoint strategy for draft-ietf-tls-hybrid-design My opinion: since NIST has announced

Re: [TLS] Consensus call on codepoint strategy for draft-ietf-tls-hybrid-design

rg > *Subject:* RE: [EXTERNAL][TLS] Consensus call on codepoint strategy for > draft-ietf-tls-hybrid-design > > > > *CAUTION*: This email originated from outside of the organization. Do not > click links or open attachments unless you can confirm the sender and know > the conte

Re: [TLS] Consensus call on codepoint strategy for draft-ietf-tls-hybrid-design

approved version…) From: TLS On Behalf Of Kampanakis, Panos Sent: Thursday, May 11, 2023 10:16 AM To: Bas Westerbaan ; Christopher Wood Cc: tls@ietf.org Subject: Re: [TLS] Consensus call on codepoint strategy for draft-ietf-tls-hybrid-design Great! So to clarify, when Kyber gets ratified

Re: [TLS] Consensus call on codepoint strategy for draft-ietf-tls-hybrid-design

, May 10, 2023 3:09 PM To: Christopher Wood Cc: tls@ietf.org Subject: RE: [EXTERNAL][TLS] Consensus call on codepoint strategy for draft-ietf-tls-hybrid-design CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm

Re: [TLS] Consensus call on codepoint strategy for draft-ietf-tls-hybrid-design

FYI IANA has added the following entry to the TLS Supported Groups registry: Value: 25497 Description: X25519Kyber768Draft00 DTLS-OK: Y Recommended: N Reference: [draft-tls-westerbaan-xyber768d00-02] Comment: Pre-standards version of Kyber768 Please see

Re: [TLS] Consensus call on codepoint strategy for draft-ietf-tls-hybrid-design

It looks like we have consensus for this strategy. We’ll work to remove codepoints from draft-ietf-tls-hybrid-design and then get experimental codepoints allocated based on draft-tls-westerbaan-xyber768d00. Best, Chris, for the chairs > On Mar 28, 2023, at 9:49 PM, Christopher Wood wrote: >

Re: [TLS] Consensus call on codepoint strategy for draft-ietf-tls-hybrid-design

On Saturday, 1 April 2023 03:50:04 CEST, Krzysztof Kwiatkowski wrote: I would pair secp384r1 with Kyber768 for completely different reasons: Kyber768 is what the team kyber recommends. Agreed. I don't think there are very good reasons for NIST curves here outside wanting CNSA1 compliance, and

Re: [TLS] Consensus call on codepoint strategy for draft-ietf-tls-hybrid-design

That is correct - CNSA-2.0 prescribes the “NIST Kyber”, whatever changes this may include to the Kyber-1024, aka Kyber at NIST Sec Level V. One can speculate about what changes would be proposed during the public comments period, and which of them would be accepted. Regardless, until then we

Re: [TLS] Consensus call on codepoint strategy for draft-ietf-tls-hybrid-design

On Sun, Apr 02, 2023 at 02:54:57AM +, Blumenthal, Uri - 0553 - MITLL wrote: > CNSA-1.0 allows ECC only over P-384, unlike it’s predecessor Suite B > that also permitted P-256. P-521 is not included either. See > https://media.defense.gov/2021/Sep/27/2002862527/-1/-1/0/CNSS%20WORKSHEET.PDF >

Re: [TLS] Consensus call on codepoint strategy for draft-ietf-tls-hybrid-design

CNSA-1.0 allows ECC only over P-384, unlike it’s predecessor Suite B that also permitted P-256. P-521 is not included either. See https://media.defense.gov/2021/Sep/27/2002862527/-1/-1/0/CNSS%20WORKSHEET.PDF (page 1). CNSA-2.0 allows only Kyber-1024. Not -768. See

Re: [TLS] Consensus call on codepoint strategy for draft-ietf-tls-hybrid-design

On Sat, Apr 01, 2023 at 02:12:14AM +, Kampanakis, Panos wrote: > Hi Bas, > > I prefer for the MTI to be P-256+Kyber768 for compliance reasons. Uh, I think this thing is too experimental to have any MTI. > It would be trivial for servers to add support for both identifiers > as they

Re: [TLS] Consensus call on codepoint strategy for draft-ietf-tls-hybrid-design

On Sat, Apr 01, 2023 at 01:56:23AM +0200, Bas Westerbaan wrote: > > > > The draft draft-tls-westerbaan-xyber768d00-00 references > > draft-cfrg-schwabe-kyber-01, which has a number of annoying mistakes, > > since fixed in editor's copy. > > > > And then, the correct reference for X25519 is

Re: [TLS] Consensus call on codepoint strategy for draft-ietf-tls-hybrid-design

> I would pair secp384r1 with Kyber768 for completely different reasons: > Kyber768 is what the team kyber recommends. Agreed. > I don't think there are very good reasons for NIST curves here outside > wanting CNSA1 compliance, and for that you need secp384r1 classical > part. And for that, I

Re: [TLS] Consensus call on codepoint strategy for draft-ietf-tls-hybrid-design

> On 1 Apr 2023, at 09:04, Bas Westerbaan > wrote: > > What about specifying further preliminary key agreements in yet again a > separate draft? Agreed. I'll do that.___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] Consensus call on codepoint strategy for draft-ietf-tls-hybrid-design

, March 31, 2023 8:04 PM To: Ilari Liusvaara Cc: TLS@ietf.org Subject: RE: [EXTERNAL][TLS] Consensus call on codepoint strategy for draft-ietf-tls-hybrid-design CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender

Re: [TLS] Consensus call on codepoint strategy for draft-ietf-tls-hybrid-design

Regarding additional key agreements. For the (public) web it would be best if we can agree on a default key agreement. If one half uses P-256+Kyber768 and the other X25519+Kyber768, then clients will either HRR half the time or need to send both. Neither are ideal. Obviously this point is moot

Re: [TLS] Consensus call on codepoint strategy for draft-ietf-tls-hybrid-design

> > The draft draft-tls-westerbaan-xyber768d00-00 references > draft-cfrg-schwabe-kyber-01, which has a number of annoying mistakes, > since fixed in editor's copy. > > And then, the correct reference for X25519 is probably RFC7748 instead > of RFC8037... > > > Really quick and dirty way to fix

Re: [TLS] Consensus call on codepoint strategy for draft-ietf-tls-hybrid-design

MITLL > > Sent: Tuesday, March 28, 2023 10:40 PM > > To: Krzysztof Kwiatkowski ; Christopher Wood > > > > Cc: TLS@ietf.org > > Subject: RE: [EXTERNAL][TLS] Consensus call on codepoint strategy for > > draft-ietf-tls-hybrid-design > > > > Can we add sec

Re: [TLS] Consensus call on codepoint strategy for draft-ietf-tls-hybrid-design

On Wed, Mar 29, 2023 at 10:48:32AM +0900, Christopher Wood wrote: > As discussed during yesterday's meeting, we would like to assess > consensus for moving draft-ietf-tls-hybrid-design forward with the > following strategy for allocating codepoints we can use in > deployments. > > 1. Remove

Re: [TLS] Consensus call on codepoint strategy for draft-ietf-tls-hybrid-design

i - 0553 - MITLL > Sent: Tuesday, March 28, 2023 10:40 PM > To: Krzysztof Kwiatkowski ; Christopher Wood > > Cc: TLS@ietf.org > Subject: RE: [EXTERNAL][TLS] Consensus call on codepoint strategy for > draft-ietf-tls-hybrid-design > > CAUTION: This email originated fro

Re: [TLS] Consensus call on codepoint strategy for draft-ietf-tls-hybrid-design

I hope this moves forward. On Wed, 29 Mar 2023 at 05:50, Christopher Wood wrote: > > As discussed during yesterday's meeting, we would like to assess consensus > for moving draft-ietf-tls-hybrid-design forward with the following strategy > for allocating codepoints we can use in deployments. >

Re: [TLS] Consensus call on codepoint strategy for draft-ietf-tls-hybrid-design

ich won’t be much worse than secp384r1_kyber1024 in performance or size. From: TLS On Behalf Of Blumenthal, Uri - 0553 - MITLL Sent: Tuesday, March 28, 2023 10:40 PM To: Krzysztof Kwiatkowski ; Christopher Wood Cc: TLS@ietf.org Subject: RE: [EXTERNAL][TLS] Consensus call on codepoint strat

Re: [TLS] Consensus call on codepoint strategy for draft-ietf-tls-hybrid-design

+1 for NIST curve codepoints. From: TLS On Behalf Of Krzysztof Kwiatkowski Sent: Tuesday, March 28, 2023 10:00 PM To: Christopher Wood Cc: TLS@ietf.org Subject: RE: [EXTERNAL][TLS] Consensus call on codepoint strategy for draft-ietf-tls-hybrid-design CAUTION: This email originated from

Re: [TLS] Consensus call on codepoint strategy for draft-ietf-tls-hybrid-design

Can we add secp256r1_kyber768 option for those who prefer NIST curves? I support this. I would also like secp384r1_kyber1024 option, please. Thanks On 29 Mar 2023, at 10:48, Christopher Wood wrote: As discussed during yesterday's meeting, we would like to assess consensus for

Re: [TLS] Consensus call on codepoint strategy for draft-ietf-tls-hybrid-design

> The intent of this proposal is to get us a codepoint that we can deploy today > without putting a "draft codepoint" in an eventual RFC. I support the proposal ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] Consensus call on codepoint strategy for draft-ietf-tls-hybrid-design

+1 On Tue, Mar 28, 2023 at 10:15 PM Christopher Patton wrote: > I support this. Adding P256 + Kyber768 seems like a good idea. > > Chris P. > > On Wed, Mar 29, 2023 at 10:50 AM Christopher Wood > wrote: > >> As discussed during yesterday's meeting, we would like to assess >> consensus for

Re: [TLS] Consensus call on codepoint strategy for draft-ietf-tls-hybrid-design

I support this. Adding P256 + Kyber768 seems like a good idea. Chris P. On Wed, Mar 29, 2023 at 10:50 AM Christopher Wood wrote: > As discussed during yesterday's meeting, we would like to assess consensus > for moving draft-ietf-tls-hybrid-design forward with the following strategy > for

Re: [TLS] Consensus call on codepoint strategy for draft-ietf-tls-hybrid-design

I support this proposal. On Tue, Mar 28, 2023 at 6:49 PM Christopher Wood wrote: > As discussed during yesterday's meeting, we would like to assess consensus > for moving draft-ietf-tls-hybrid-design forward with the following strategy > for allocating codepoints we can use in deployments. >

Re: [TLS] Consensus call on codepoint strategy for draft-ietf-tls-hybrid-design

Hello, Can we add secp256r1_kyber768 option for those who prefer NIST curves? Kris > On 29 Mar 2023, at 10:48, Christopher Wood wrote: > > As discussed during yesterday's meeting, we would like to assess consensus > for moving draft-ietf-tls-hybrid-design forward with the following strategy

[TLS] Consensus call on codepoint strategy for draft-ietf-tls-hybrid-design

As discussed during yesterday's meeting, we would like to assess consensus for moving draft-ietf-tls-hybrid-design forward with the following strategy for allocating codepoints we can use in deployments. 1. Remove codepoints from draft-ietf-tls-hybrid-design and advance this document through