Paul W. asked that chairs not state that disrespectful behaviour isn't
an issue in their working group. It discourages people from speaking up
if there is an issue. There is always someone to go to - chairs, AD,
IETF Dir, Ombudsman.
Thanked Roman Danyliw for being outgoing Security AD, see slides for
accomplishments.
Roman: was happy to do it
Hannes: OAUTH working on a couple of certificate (JWT) revocation
mechanisms, similar to SPICE BoF Verifiable Credentials as a
technology. Trust domains oauth, problems with authorization context
from one domain to another. He wants to get experience from other
WGs who have dealt with certs
Wes: SATP is in Last Call on their first document; please take a
look at it
Paul H: ICANN: Announced DNS root KSK HSM change next month
(switching HSM technologies). There will be video. There are videos
of destruction of HSMs in the past.
Charles Eckel: Should also add 3GPP
Justin Richer: New WIMSE WG in ART, wants a lot of security
expertise (add wimse to the list)
Sean Turner: drop PERC (closed)
Scott Fluhrer: Does not remember that the TLS made that decision
Sean: TLS decided not to do it right this minute. TLS did not do a
consensus call about pure PQ
Orie Steele: No hybrids in COSE/JOSE
Sean: Even the stuff Deirdre was suggesting, it was informational
Standards track doesn't mean mandatory-to-implement
Can get code points as soon as NIST publishes final document (in
IPsec, TLS)
Hannes: Correction: There are proposals for HPKE hybrids in
COSE/JOSE
The question of what mechanism should be used for combining for
hybrids.
Deirdre Connolly: TLS 1.3 can get away with things that other
protocols cannot do because the transcript is hashed into the key
development.
Other protocols cannot use this, so don't think about
one-size-fits-all
CFRG is in no position for making a KEM hybrid combiner for generic
use for months if not years. Things will be bespoke.
There are people who adopt protocols who will not be able to do a
hybrid then a PQ transition. Having a PQ-only solution for key
agreement may be amenable for protocols that optionally want to do
PQ-only. Particularly for CNSA / FIPS certification
Michael P: Is PQUIP the right place for this?
Martin Thomson: Any protocol that cannot transition away from an
algorithm that is broken is broken. He doesn't think we need an à la
carte combiner. Make a combined KEM and treat it as a single object
Ekr: CFRG might come out with multiple ways. If CFRG can give us
strong guarantees, don't need to rely on the properties of TLS.
He's not convinced that people can't make two transitions, no one
wants to do that, but is it really 'can't'?
Mike Ounsworth: No one is advocating for à la carte combiners and the
CFRG draft is not trying to force that
Process suggestion: maybe the ADs can force all the combiner
authors to work together
Deirdre: Is volunteering for the CFRG part
Some users of protocols will probably only be able to do one
transition, due to real-world costs. Not talking about the protocols
themselves. Some users are worried more about compliance than about
needing to do multiple migrations. Other forces in the world
Sean: If we don't do pure option, some other SDO will say TLS is not
being responsive. 3GPP might be this. We could be responsive
Paul H: He's surprised that he's not hearing signatures very much.
Even though the need for KEMs is greater, there needs to be thought
given to signatures.
Ekr: Was just trying to make it easier
Deb: Move from SHA1 to SHA2 in US DoD took 15 years
US DoD can't make two transitions in a reasonable term. Thus wants
to go with pure instead of hybrid
Scott: Is the hybrid size
Deb: PQC signatures will be big. The installed base will still take
a decade
John Bradley: Wants to emphasize how long it took to migrate just to
do SHA1 to SHA2. Embedded systems are very important
classic is quicker than PQ, but Brainpool can also suck your soul
dry
FIPS certification is also a huge issue
Have one PQ-only signature
In WebAuthn, can switch algorithms easily
Ignoring pure-PQ is a mistake
Ekr: Performance for hybrid is similar to PQ
Thus staying in hybrid forever is not that bad
Mike O: Compared them, small data; see LAMPS
Quynh Dang: NIST is fine with both hybrid and pure PQ. Waste of
energy for hybrid?
Mike Prorock: Should not look at KEM same as signatures
Signatures have to live long term. Don't mix sigs with hybrid, just
make two signatures
Paul H: To have the conversation on SAAG or PQUIP? It is in scope
for PQUIP for discussion, but there might be more energy in SAAG.
Sec ADs should decide.
Alan DeKok: Can we talk about MD5. RADIUS still uses MD5
Paul W: Please review draft-ietf-radext-tls-psk-09 and
draft-ietf-radext-radiusv11-04. volunteers for review: Sean, Dan,
and Hannes