Re: [Last-Call] Last Call: <draft-ietf-ipsecme-qr-ikev2-09.txt> (Postquantum Preshared Keys for IKEv2) to Proposed Standard

Hi,

I don't have the full context here, but for post-quantum algorithms as defined by Rich below, I do think specification by IETF would be premature in the light of the on-going NIST process. (But I also recognise that not everyone in the IETF community agrees with this.) Here's what I said back at my saag talk at IETF99:

https://datatracker.ietf.org/meeting/99/materials/slides-99-saag-post-quantum-cryptography

(see slides 19 and 20).

Regarding the draft-ietf-ipsecme-qr-ikev2-09 draft: adding PSKs to combat quantum algorithms can only be a partial solution, in that obtaining forward security against quantum adversaries is likely not possible in this manner (unless the PSKs are evolved over time, and some synchronisation is done to keep both sides of the exchange in step with regard to which key version is in use - but it doesn't seem like the draft is doing that).

That said, my original remarks indeed would not really apply to this draft. 

Cheers,

Kenny 

-----Original Message-----
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@xxxxxxxxx>
Date: Wednesday, 11 December 2019 at 18:05
To: Paterson  Kenneth <kenny.paterson@xxxxxxxxxxx>
Subject: FW: Last Call: <draft-ietf-ipsecme-qr-ikev2-09.txt> (Postquantum Preshared Keys for IKEv2) to Proposed Standard

    Oops, had the wrong email address in my mailer.  If you respond (either correcting what I thought you meant, or agreeing with it), please respond to last-call@xxxxxxxx
    
    -----Original Message-----
    From: Scott Fluhrer (sfluhrer) 
    Sent: Wednesday, December 11, 2019 11:36 AM
    To: Salz, Rich <rsalz@xxxxxxxxxx>; last-call@xxxxxxxx
    Cc: ipsec@xxxxxxxx; ipsecme-chairs@xxxxxxxx; david.waltermire@xxxxxxxx; draft-ietf-ipsecme-qr-ikev2@xxxxxxxx; kenny.paterson@xxxxxxxxxx
    Subject: RE: Last Call: <draft-ietf-ipsecme-qr-ikev2-09.txt> (Postquantum Preshared Keys for IKEv2) to Proposed Standard
    
    Did Kenny make this statement in the context of postquantum cryptography (that is, public key algorithms that are believed to be secure even if the adversary has a quantum computer)?
    
    That would certainly be a reasonable statement (as most postquantum algorithms are fairly new, and are still being cryptographically vetted).
    
    On the other hand, this specific draft doesn't involve any postquantum algorithms; it relies only on currently accepted algorithms, and so Kenny's caution would not apply.
    
    > -----Original Message-----
    > From: Salz, Rich <rsalz@xxxxxxxxxx>
    > Sent: Wednesday, December 11, 2019 11:23 AM
    > To: last-call@xxxxxxxx
    > Cc: ipsec@xxxxxxxx; ipsecme-chairs@xxxxxxxx; 
    > david.waltermire@xxxxxxxx; draft-ietf-ipsecme-qr-ikev2@xxxxxxxx
    > Subject: Re: Last Call: <draft-ietf-ipsecme-qr-ikev2-09.txt> 
    > (Postquantum Preshared Keys for IKEv2) to Proposed Standard
    > 
    > We are seeing a flurry of these kinds of “post quantum protection” things.
    > This is premature. The co-chair of the CFRG, Kenny Paterson, said so 
    > a while back.
    > 
    > At best, this should be EXPERIMENTAL.
    > 
    > I would like to see an IESG policy that makes all drafts on this topic 
    > be EXPERIMENTAL.
    > 
    
    

-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call



