On 11.10.25 11:52, D. J. Bernstein wrote:
In my understanding, TR-02102-1 is only for SRTP and MLS. The one applicable for TLS is only TR-02102-2.
Thanks---I was looking at TR-02102-1 rather than TR-02102-2.
Content-wise, I don't see how Table 9 in TR-02102-2 supports the notion that SecP256r1MLKEM768 or SecP384r1MLKEM1024 is required for compliance with something.
In my understanding, it does not: (see response to your point (2) below)
The claim up thread that there are "regulatory requirements" sounds impressive,
To me, it isn't very impressive. I believe TLS WG should be carefully analyzing and defining what is secure use of PQ in TLS rather than being forced to support potentially weak solutions by the "regulatory requirements". Just for clarity: it is a general statement of my view; in particular, I haven't analyzed PQ yet and thus currently have no opinion on whether pure PQ is weaker than hybrid, or whether a specific hybrid is weaker than some other hybrid.
Besides, a question remains: which regulations? which country/region? which one to prefer if the regulations of two countries/regions contradict?
but I'd like to see a complete argument that
(1) pinpoints the "regulatory requirements" we're talking about,
Well, if we are /strictly/ talking about "regulatory requirements" then the English versions are not legally binding in the first place (as it is default in Germany). Someone has to first confirm that the translation is actually correct. See the note in [0]:
Note: The translations of these Technical Guidelines should be considered as courtesy translations. In principle, the German versions <https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/Technische-Richtlinien/TR-nach-Thema-sortiert/tr02102/tr02102_node.html> take precedence.
(2) lays out how SecP256r1MLKEM768 and SecP384r1MLKEM1024 are
necessary for meeting those requirements, and
I think Sec. 3.1.3 in TR-02102-2 clarifies the situation. In my understanding, BSI neither recommends nor prohibits anything for PQ in TLS. It is just waiting for standards to be developed and matured. The only thing I could infer was that they /intend/ to recommend hybrid rather than pure PQ. Quoting the relevant text:
Standards for the use of quantum-safe mechanisms in TLS are currently being developed and tested. The BSI intends to recommend quantum-safe mechanisms in this Technical Guideline (in hybrid use with recommended classical mechanisms) as soon as suitable standards have been adopted.
Besides, Sec. 3.2 in TR-02102-2 clearly states that BSI is continuing to /recommend/ TLS 1.2, and since TLS 1.2 will not have PQ support, it implies to me that BSI is not even recommending moving towards PQ for TLS.
-Usama

[0] https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/Technische-Richtlinien/TR-nach-Thema-sortiert/tr02102/tr02102_node.html
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
