Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-85078

Change TEST-PQ to include only long-term supported algorithms

Linking RHIVOS CVEs to...Migration: Automation ...Sync from "Extern...XMLWordPrintable

    • No
    • None
    • rhel-security-crypto
    • ssg_security
    • 10
    • 12
    • 0.5
    • False
    • False
    • Hide

      None

      Show
      None
    • Yes
    • None
    • Hide

      SanityOnly all that the updated TEST-PQ subpolicy does is:

      • prepends the following to group: X25519-MLKEM768, P256-MLKEM768, P384-MLKEM1024 and MLKEM768-X25519
      • prepends the following to sign: MLDSA44, MLDSA65 and MLDSA87
      • prepends the following to key_exchange

      Just to be clear: no removing them from experimental to get rid of warnings yet, no removal of subpackage yet.

      Show
      SanityOnly all that the updated TEST-PQ subpolicy does is: prepends the following to group: X25519-MLKEM768, P256-MLKEM768, P384-MLKEM1024 and MLKEM768-X25519 prepends the following to sign: MLDSA44, MLDSA65 and MLDSA87 prepends the following to key_exchange Just to be clear: no removing them from experimental to get rid of warnings yet, no removal of subpackage yet.
    • None
    • None
    • Removed Functionality
    • Hide
      Description: Post-quantum cryptographic algorithms are a technology preview in RHEL-10. As the standardization marches on, the scope of said preview is shrinking to the select few algorithms.
      Consequence: TEST-PQ subpolicy (provided by crypto-policies-pq-preview subpackage) now only enables hybrid ML-KEM groups (keywords: X25519-MLKEM768, P256-MLKEM768, P384-MLKEM1024, MLKEM768-X25519) and pure ML-DSA signature algorithms (keywords: MLDSA44 MLDSA65, MLDSA87)
      Show
      Description: Post-quantum cryptographic algorithms are a technology preview in RHEL-10. As the standardization marches on, the scope of said preview is shrinking to the select few algorithms. Consequence: TEST-PQ subpolicy (provided by crypto-policies-pq-preview subpackage) now only enables hybrid ML-KEM groups (keywords: X25519-MLKEM768, P256-MLKEM768, P384-MLKEM1024, MLKEM768-X25519) and pure ML-DSA signature algorithms (keywords: MLDSA44 MLDSA65, MLDSA87)
    • Proposed
    • Unspecified
    • Unspecified
    • Unspecified
    • None

      For long-term we plan to support only the ML-KEM hybrids (with x25519, P256, P384) and pure ML-DSA for authentication.

      Change the TEST-PQ policy so that it reflects that

              asosedki@redhat.com Alexander Sosedkin
              hkario@redhat.com Alicja Kario
              Alexander Sosedkin Alexander Sosedkin
              Ondrej Moris Ondrej Moris
              Mirek Jahoda Mirek Jahoda
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: