Skip to main content

Minutes IETF121: pquip
minutes-121-pquip-00

Meeting Minutes Post-Quantum Use In Protocols (pquip) WG
Date and time 2024-11-07 15:30
Title Minutes IETF121: pquip
State Active
Other versions plain text
Last updated 2024-11-19

minutes-121-pquip-00
PQUIP WG
IETF 121, Dublin
Thursday November 7, 2024
Session III, 15:30 - 17:00

Minutes do not show text from the slides
See all meeting materials at
https://datatracker.ietf.org/meeting/121/session/pquip

Welcome and Note Well

Current document statuses

Terminology for Post-Quantum Traditional Hybrid Schemes
        Paul Wouters (AD): Lots of disagreements at the end of the WG discussion
                Wanted to be sure that those were either dealt with or are in
                the rough Not stuck, just is additional work for him to go
                through
        Paul Hoffman: We sometimes get long comments, let's read them instead
        of ignoring them
                These comments can sometimes help the documents
        MikeP: Also willing to help go through those final comments

Hybrid signature spectrums
        https://datatracker.ietf.org/doc/draft-ietf-pquip-hybrid-signature-spectrums/
        In WG Last Call until today; will stretch it by a few days because:
                Very few comments so far, and more would be appreciated
        Authors will update based on Last Call comments
Post-Quantum Cryptography for Engineers
        Tim Hollebeek presented
        Deirdre Connolly: Agree on targeted recommendations
                Doesn't really cover "we use these because of these security
                proofs" Say more about why we think these are proven to be good
                replacement Operators are doing cryptography whether or not
                they think they are There is formal methods and math here
        Mike Ounsworth: Half disagrees with Deirdre about how much should go in
                Should we be using normative MUST and SHOULD language?
                Hopefully not.
        Kathleen Moriarty: Can help get her grad students to help review
        Joe Salowey: Be more technical
                Some engineers need to understand that there are proofs
        PaulW: There are some limits
                Should say things like "this must be constant-time because of
                blah" without explaining blah
        Mike: For laypeople, "break" means a much more immediate threat

Previously discussed
        More discussion on the list for these
        Post-quantum cryptography migration use cases
        Hash-based Signatures: State and Backup Management

PQC in certificates at the Hackathon

FIPS issues with deploying ML-KEM and ML-DSA, Mike Ounsworth
        Quynh Dang: NIST has been talking about seeds and expanded seeds
        internally, no answer right now
                Ordering: also talking internally, also no answer right now
                Hope to have answers soon
                APIs: there some options for many reasons
                        Some users prefer one API over another
                SP800-227: there will be a draft before the seminar in February
        Phill Hallam-Baker: On the OASIS thing, their group met yesterday
                Are discussing the seed issue
                On the signatures, there is a context string, we would like to
                use it, but can't because of PKCS#11 Should have a joint
                virtual meeting with OASIS
        Deirdre: If NIST allows seed expansion, we get an accidentally
        FIPS-compliant X-Wing with no changes
                Not having a 32-byte seed would not be the end of the world
                It's OK to have more key material
                It's unfortunate that people are putting P256 first in the
                hybrid because it is likely that it will not be FIPS-compliant
                down the road Hybrids should be temporary, consider what going
                to a fully-PQ system would look like instead
        Sean Turner: For OASIS, don't have a virtual meeting, just find out who
        the right people are there
                Just call them and get it done
                Don't call it "RealHash"
        John Gray (later in the meeting): At ICMC, asked the author of PKCS11
                They will support parameters and context

PQC algorithm commonality across the IETF
        PaulW: Lots of overlap between CFRG and PQUIP
                Charter has a timer for a two-year review
                Algorithms are talked about in SAAG
                Charter discussion: what has been done, what needs to be done?
                Was WG of last resort, mostly for SSH, but then that WG got
                started Maybe that clause is not needed any more What is still
                left that is not overlapping with CFRG? Start the rechartering
                discussion in January 2025 Not so worried about the wording,
                but come up with the content Is there new work to be done that
                is relevant to this WG?
        Joe Harvey: Some WGs have drafts that cross-reference each other, but
        are not consistent
                Maybe PQUIP can help with consistency