On Thu, Feb 20, 2025 at 4:39 PM Geoff Huston <gih@xxxxxxxxx> wrote:
On 21 Feb 2025, at 11:17 am, Eric Rescorla via dnsdir <dnsdir@xxxxxxxx> wrote:On Thu, Feb 20, 2025 at 3:55 PM Geoff Huston via Datatracker <noreply@xxxxxxxx> wrote:Reviewer: Geoff Huston
Review result: Ready with Nits
I was assigned as the dnsdir reviewer for draft-ietf-uta-require-tls13-05.
For more information about the DNS Directorate, please see
https://wiki.ietf.org/en/group/dnsdir
NIT: Should the enumeration of the known deficiencies of TLS 1.2 be contained
in the Introduction? The same considerations are described in Section 6, and
their summation in the Introduction seems to be superfluous.
NIT: the assertion in section 3 that "TLS applications will need to migrate to
post-quantum cryptography" is ddependent on the expectation of the lifetime of
the integrity of the encrypted object. The current advice on the immediate need
to use PQC is based on an integrity lifetime of 20 years.I would feel better if
the sentence read "many TLD applications..."Do you have a source for this 20 year figure? It hasn't figured heavily in thediscussions in (say) TLS WG.More generally, it's very hard to estimate the meaningful lifetime of dataand even hard to measure the meaningful lifetime when a protocol cancarry multiple kinds of data (e.g., HTTP can carry data with effectivelifetime in seconds like MFA codes or decades like medical information).Can you provide some examples of protocols which you do not thinkneed to transition to PQ algorithms?Hi ekrI felt sure I had read this in a NIST publication a year or more ago, but I cannot dredgeup the reference (apologies for my crap record keeping!). The gist of the argumentwas that if you want to maintain the integrity of an encrypted item over a period oftime its not only the capabilities of the current computing environment that youneed to concern yourself, but the capabilities of the future environment near theend of the anticipated integrity lifetime. It was in this context that a "secret" lifetimeof 20 years was mentioned.As for an example of a protocol which makes short-term use of data, I wouldnominate DNSSEC.
Thanks for the response.
As your message implies, let's break apart the question of integrity and data origin
authentication from confidentiality.
In my response, I was thinking primarily of confidentiality, where (1) it's hard to bound
relevant lifetime and (2) we have to worry about data which is being transmitted today
because of harvest now decrypt later attacks, hence the interest in deploying PQ
or hybrid for key establishment in the near future.
The question of integrity is more complicated and less urgent. As you say, it's quite
common not to require long lifetimes for integrity. DNSSEC is a reasonable example,
but there are of course others. [0] Note that this isn't so much about what data is being
transmitted as what security properties you want. For instance, DNS queries are sensitive
information and so I don't think one should infer from the DNSSEC example that the
the confidentiality of DoH/DoT has a short lifetime.
For that reason, I think given that this document is about the use of TLS, I don't
think we should try to draw a lot of domain-specific lines about when long
security lifetimes are needed.
-Ekr
[0] In fact, TLS authentication is like this in some respects: a connection established
today is not vulnerable to compromise of the signing key tomorrow. See
https://educatedguesswork.org/posts/pq-rollout for more on the threat model for TLS
and CRQCs.
-- last-call mailing list -- last-call@xxxxxxxx To unsubscribe send an email to last-call-leave@xxxxxxxx
