Hiya,

On 12/02/2020 22:57, Blumenthal, Uri - 0553 - MITLL wrote:
> I don't expect you to be knowledgeable about 25+ proposed
> algorithms.

I didn't mean it was you forcing that on me, but if you want to give it a shot... :-)

>
> I expect you to be knowledgeable about the ballpark of the new key
> sizes that practically all of the candidates use. The shortest keys
> are in the ballpark of a few KB, and I won't go into the size of the
> largest ones.

Sorry but my understanding is that there are relatively complicated combinations involving both performance and sizes of the various PDUs and stored keys involved. I don't think it'd be a good plan to specify how to handle that on the Internet until the details are better known and understood and the set of possible options is small enough to be sensibly evaluated in detail. IMO, we're not there yet. (And I'll bet a beer that even after we have 'em, each of the "winners" arrives with 5 or so variants;-()

>
> You may not want to *adopt* them now - but you better be ready to
> support Key Exchange for sizes far larger than what's currently
> implemented. And keep in mind that while Signatures aren't a
> priority yet, that will come eventually.

We knew that years ago. The sky hasn't fallen yet. I doubt it'll fall in the next 12-18 months. In contrast I would not be at all surprised to find we'd made a well-meaning mistake in trying to standardise this stuff in the absence of a broad understanding of the detail.

Maybe putting it another way might help: my experience is that the worst work I've done involved such ignorance and what I think of as the less bad work I've done did not. Maybe others are better than me at dealing with "known unknowns" though, though IIRC the circumstances that led to that phrase didn't pan out as well as had been hoped.

And one minor addendum:

On 12/02/2020 23:41, Watson Ladd wrote:
> What's the point of composite schemes after the NIST competition
> finishes?

SHA-0:-)

Cheers,
S.

>
> On 2/12/20, 5:50 PM, "Stephen Farrell" <stephen.farr...@cs.tcd.ie>
> wrote:
>
> Hiya,
>
> On 12/02/2020 21:57, Martin Thomson wrote:
>> Only a few of them. Some are OK, but the number is few, I agree. I
>> haven't found a good summary of the second round candidates and I
>> don't have time to dig into all of the candidates.
>
> Fine reason to wait and see IMO.
>
> I'd be much happier adopting this if we did that with the explicit
> understanding that we won't produce an RFC until the "winners" in
> the NIST process are known and their properties understood. (I don't
> mean waiting for a FIPS or formal NIST document but at least for the
> final announcement from their process.)
>
> If the plan were to adopt this and produce an RFC now (e.g. to mix
> different curves or something) then I am against that. There's no
> need for such combinations so the real rationale here is PQC and we
> (at least I, but I suspect also many IETF participants) don't know
> enough about the relevant algorithms yet. (And expecting us to be
> knowledgeable about 25+ algorithms isn't realistic.)
>
> Cheers, S.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls