Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-127829

[rhel-9.8] enable ML-KEM/ML-DSA for gnutls in crypto-policies

Linking RHIVOS CVEs to...Migration: Automation ...RHELPRIO AssignedTeam ...SWIFT: POC ConversionSync from "Extern...XMLWordPrintable

    • Icon: Story Story
    • Resolution: Unresolved
    • Icon: Normal Normal
    • rhel-9.8
    • None
    • crypto-policies
    • None
    • rhel-security-crypto-spades
    • 26
    • 0
    • False
    • False
    • Hide

      None

      Show
      None
    • Yes
    • Crypto25November
    • Hide

      AC1) GROUP-X25519-MLKEM768/GROUP-SECP256R1-MLKEM768/GROUP-SECP384R1-MLKEM1024 are in tls-enabled-group and ML-DSA-44/ML-DSA-65/ML-DSA-87 are in secure-sig/secure-sig-for-cert when PQ subpolicy is applied.

      Note: This will be covered by /Sanity/retention test.

      Show
      AC1) GROUP-X25519-MLKEM768/GROUP-SECP256R1-MLKEM768/GROUP-SECP384R1-MLKEM1024 are in tls-enabled-group and ML-DSA-44/ML-DSA-65/ML-DSA-87 are in secure-sig/secure-sig-for-cert when PQ subpolicy is applied. Note: This will be covered by /Sanity/retention test.
    • None
    • None
    • Enhancement
    • Hide
      Feature, enhancement: crypto-policies adds gnutls support for hybrid ML-KEM and pure ML-DSA post-quantum algorithms
      Reason: gnutls gained support for these algorithms in a rebase to 3.8.10
      Result: gnutls will be able to negotiate TLS connections using hybrid ML-KEM and/or pure ML-DSA if the other side supports them and PQ subpolicy is applied
      Show
      Feature, enhancement: crypto-policies adds gnutls support for hybrid ML-KEM and pure ML-DSA post-quantum algorithms Reason: gnutls gained support for these algorithms in a rebase to 3.8.10 Result: gnutls will be able to negotiate TLS connections using hybrid ML-KEM and/or pure ML-DSA if the other side supports them and PQ subpolicy is applied
    • Proposed
    • Unspecified
    • Unspecified
    • Unspecified
    • None

      Since we're rebasing gnutls in 9.8 for PQ support (https://issues.redhat.com/browse/CRYPTO-18414), we should as well plan a matching crypto-policies update to have the new algorithms enableable. This should be a straightforward backport from 10.

              asosedki@redhat.com Alexander Sosedkin
              asosedki@redhat.com Alexander Sosedkin
              Alexander Sosedkin Alexander Sosedkin
              Ondrej Moris Ondrej Moris
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated: