On 7/30/22 10:10 AM, Peter Saint-Andre wrote:
On 7/30/22 9:30 AM, Cullen Jennings wrote:
On Jul 14, 2022, at 1:13 PM, Peter Saint-Andre <stpeter@xxxxxxxxxx> wrote:
Given the requirements for crypto agility, I think there should be at
least one MTI algorithm that does not rely on EC. Pinning all your hopes
on a single algorithm surely is not the best security advice the IETF
can provide. If EC did have a problem, clearly we would want something
already built and deployed that we could switch to.
The authors will discuss this and reply again.
I just wanted to see if there was any update on this one. I think it
is the most serious concern raised in my review.
I think the authors might have missed this one in our work on -10.
Hi again,
The authors have conferred on this and at this time we don't think that
we can recommend anything other than EC ciphers, for several reasons:
1. DHE negotiation is broken.
2. Static RSA is out of the question.
3. Post-quantum (PQ) methods aren't ready yet.
Our forecast is that a few years from now the PQ methods will be ready
for recommending in 7525ter, but for now EC is the best we can do.
Peter
--
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call