Enable POC oqs-envoy about oqs-demos HOT 16 CLOSED

Hi Michael,

Sorry it's taken me a while to get back to you. I've been investigating an easier way to demonstrate cryptographic agility using HA-Proxy in front of my old application and got it working with OQS-Chrome as the client. Using a proxy has been far easier than trying to implement PQC at the code layer. None of those nasty dependancies. I may loop back to this issue in some time but for now I'm exploring rapid PQC by enabling a proxy layer for my apps.

from oqs-demos.

Thanks for the feedback. You're not the only one using that approach & that's been the reason for doing/maintaining oqs-haproxy. Labelled this issue thus "future work" (may or may not be done).

from oqs-demos.

I’m wondering if you’ve investigated Envoy as another proxy? It’s been very popular.
https://www.envoyproxy.io/

from oqs-demos.

Not yet but thanks for the suggestion. Before looking into it, can I ask why you didn't use it?

Edit after reading up a bit on envoy: envoy seems to be rather intimately combined with BoringSSL without strong interest in adding OpenSSL support; OpenSSL plugin seems to be in the works since a long time but not really pursued, so one probably couldn't build on that.

Why is this relevant? We put more focus on (and features in) the OQS-OpenSSL code base compared to OQS-BoringSSL.

from oqs-demos.

That makes sense to me. We're just exploring the use of Envoy over HA-proxy.

from oqs-demos.

OK - thanks for letting us know. Please touch base again if you've decided one way or the other so we can prioritize our efforts suitably.

from oqs-demos.

I'm curious what features are missing from your OQS-BoringSSL implementation? Is there a significant LoE to upgrade OQS-BoringSSL?

from oqs-demos.

I'm curious what features are missing from your OQS-BoringSSL implementation? Is there a significant LoE to upgrade OQS-BoringSSL?

OQS-BoringSSL does not support hybrid signatures (and there are no plans to implement this currently). The other limitations are those of stock BoringSSL (no CMS, X509 and ASN1 APIs considered deprecated, etc.).

from oqs-demos.

In addition, OQS-BoringSSL isn't regularly kept up-to-date with its upstream (compared to OQS-OpenSSL).

from oqs-demos.

In addition, OQS-BoringSSL isn't regularly kept up-to-date with its upstream (compared to OQS-OpenSSL).

Yes, in OQS we primarily use BoringSSL to demonstrate the use of PQ cryptography in Chromium, and we pin the BoringSSL commit to the desired Chromium tag for which we've verified that the demo works. We don't do this frequently.

from oqs-demos.

We are going down the path of Envoy, and eventually extend to Istio. for a PQC service mesh.

from oqs-demos.

Thanks for letting us know. Do you plan to do this open source? If so, please let us know if/where we can help/cooperate.

from oqs-demos.

Yeah Ideally my team and I will make an Open Source OQS-Envoy - perhaps we can list it here as another demo?

I'm still very new to this so any assistance would be greatly appreciated!

from oqs-demos.

My main concerns are around the limited functionality of Boring-SSL as you've pointed out earlier.

from oqs-demos.

I'm still very new to this so any assistance would be greatly appreciated!

We'd be glad to help where we can. Just renamed this issue so we can discuss (upcoming) issues below.

My main concerns are around the limited functionality of Boring-SSL as you've pointed out earlier.

Would it make sense to spell out the functional and non-functional goals you may already know about so we can also "think along"?

from oqs-demos.

No recent activity, closing issue. Feel free to reopen if there's renewed interest/activity.

from oqs-demos.