From 6a6160d007dae6c77bb8602d6ee3dff6965f50c6 Mon Sep 17 00:00:00 2001 From: Basil Hess Date: Thu, 19 Dec 2024 23:56:52 +0100 Subject: [PATCH 1/2] add TSC 2024-12-10 minutes Signed-off-by: Basil Hess --- meetings/2024-12-10/minutes.md | 62 ++++++++++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 meetings/2024-12-10/minutes.md diff --git a/meetings/2024-12-10/minutes.md b/meetings/2024-12-10/minutes.md new file mode 100644 index 0000000..fe9f155 --- /dev/null +++ b/meetings/2024-12-10/minutes.md @@ -0,0 +1,62 @@ +# OQS Technical Steering – 2024-12-10 – minutes + +## Attendees + +* Douglas Stebila (U Waterloo) +* Spencer Wilson (U Waterloo) +* Michael Baentsch (Intependent) +* Brian Jarvis (Amazon) +* Christian Paquin (Microsoft) +* Norman Ashley (Cisco) +* Alex Bozarth (IBM) +* Basil Hess (IBM) + +## Agenda + +1. Chair's introduction + +- Introduction by Douglas. + +2. Approve agenda + +- No changes requested. + +3. Appoint minute-taker + +- Basil Hess + +4. Review action items from previous meeting + +- [Security response team](https://github.com/open-quantum-safe/tsc/issues/60) + +- Setup GitHub/email alias: Pending. +- Dry run pending security response policy. Spencer and Douglas to discuss. +- Spencer: Awaiting wet run of HQC incident; will draft process document (PR forthcoming). +- Douglas: Solicit feedback, expecially from people with prior experience. +- Michael: Suggests documenting guidelines on how to interact with upstream projects. Responsiveness from upstreams is a concern; to identify key contacts at upstreams. + +5. Reports (PQCA TAC, PQ Code Package) - Spencer + +- TAC discussion around supporting context strings in ML-KEM. Google's Tink library doesn't expose context string features, alghough Tink aims at providing higher-level API compared to liboqs. +- PQCP mlkem-native version 1.0-alpha has been released, with Pravek and Basil working on its integration with OQS. + + +6. [SLH-DSA and which upstream code bases to rely on](https://github.com/open-quantum-safe/liboqs/issues/1894) + +- Discussion on whether to rely on OpenSSL’s upcoming SLH-DSA implementation or explore other upstream sources. +- Considerations include performance, diversity, formal verification, and composite use cases. +- Douglas will reach out to SPHINCS+ authors for input. +- Michael suggests exploring the option of dropping support for SLH-DSA. + +7. [Binary distributions](https://github.com/orgs/open-quantum-safe/discussions/1625) + +- Ubuntu has expressed interest in including liboqs/oqs-provider but only with no plain PQ algorithms. This raises implications for configuration. +- Action: Create a wiki/markdown page documenting binary distributions shipped. +- Suggestion: Ensure GitHub contacts for communication are accessible. + +8. Other business + +- Agreement to set the ops-openssl 1.1.1 fork and liboqs-dotnet repositories to read-only status (archive). +- Spencer to update the website with links to archived repositories, providing interested parties the ability to revive them if needed. +- libssh to also be archived following consensus. +- Question raised by Alex if the arm64 runner used in OQS is a self-hosted runner. Clarification provided that the project currently uses the GitHub-hosted beta runner, which may resemble a self-hosted instance. Alex will open a PR in the TSC repository to address this. From e2d8315fe64e206563307222c1d02c6cbe2cf419 Mon Sep 17 00:00:00 2001 From: Basil Hess Date: Fri, 20 Dec 2024 17:00:35 +0100 Subject: [PATCH 2/2] Add more context to SLH-DSA discussion. Signed-off-by: Basil Hess --- meetings/2024-12-10/minutes.md | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/meetings/2024-12-10/minutes.md b/meetings/2024-12-10/minutes.md index fe9f155..7477e6b 100644 --- a/meetings/2024-12-10/minutes.md +++ b/meetings/2024-12-10/minutes.md @@ -43,10 +43,14 @@ 6. [SLH-DSA and which upstream code bases to rely on](https://github.com/open-quantum-safe/liboqs/issues/1894) -- Discussion on whether to rely on OpenSSL’s upcoming SLH-DSA implementation or explore other upstream sources. -- Considerations include performance, diversity, formal verification, and composite use cases. -- Douglas will reach out to SPHINCS+ authors for input. -- Michael suggests exploring the option of dropping support for SLH-DSA. +- Options presented are: Develop an independent implementation. Await availability from an upstream source. Utilize OpenSSL’s upcoming implementation. Exclude SLH-DSA entirely. +- Michael shared that OpenSSL is developing its own SLH-DSA implementation from scratch, alongside including other PQ standard implementations. The SLH-DSA implementation won't be formally verified. +- Christian raises question on the role of OQS once crypto libraries include own implementations of PQ standards. +- Douglas outlines potential value propositions of liboqs: availability of a wide set of algorithms and formally verified implementations. The team brings up other propositions: performance-optimized (assembly) versions, and diversity of implementations. Brian notes that PQCP's ML-KEM implementation is formally verified. +- Spencer notes that if including OpenSSL’s SLH-DSA implementation, the algorithms would not be able available to users disabling OpenSSL in the liboqs build. Questions on the sense of incorporating OpenSSL's implementation in oqs-provider were raised, circular dependencies might be another concerns. It might still be valuable to include for enabling constructions like composites. +- Norm and Duc expressed interest in contributing to SLH-DSA implementation, potentially leveraging other upstream resources. +- Michael emphasized considering the option to drop SLH-DSA support entirely, also for (CI) resources concerns. +- Douglas will reach out to upstream providers such as SPHINCS+ and pqclean and drafting an approach for approaching upstreams, likely in the security policy discussion thread. 7. [Binary distributions](https://github.com/orgs/open-quantum-safe/discussions/1625)