Adds PQC release note to 4.22 #111946
| @@ -25,4 +25,11 @@ Commencing with the {product-title} 4.14 release, Red{nbsp}Hat is simplifying th | |||
| // Added in 4.14. Language came directly from Kirsten Newcomer. | |||
| {product-title} is designed for FIPS. When running {op-system-base-full} or {op-system-first} booted in FIPS mode, {product-title} core components use the {op-system-base} cryptographic libraries that have been submitted to NIST for FIPS 140-2/140-3 Validation on only the `x86_64`, `ppc64le`, and `s390x` architectures. | |||
Maybe make this into a section, like:
| {product-title} is designed for FIPS. When running {op-system-base-full} or {op-system-first} booted in FIPS mode, {product-title} core components use the {op-system-base} cryptographic libraries that have been submitted to NIST for FIPS 140-2/140-3 Validation on only the `x86_64`, `ppc64le`, and `s390x` architectures. | |
| == About FIPS compliance | |
| {product-title} is designed for FIPS. When running {op-system-base-full} or {op-system-first} booted in FIPS mode, {product-title} core components use the {op-system-base} cryptographic libraries that have been submitted to NIST for FIPS 140-2/140-3 Validation on only the `x86_64`, `ppc64le`, and `s390x` architectures. |
|
|
||
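Review bot: the suggested heading `== About FIPS compliance` promises more than the paragraph under it states, which says only that the product is "designed for FIPS" and that the libraries "have been submitted to NIST for FIPS 140-2/140-3 Validation". A heading such as "About FIPS support" would match that wording. Also, inserting the heading directly above the paragraph leaves the `// Added in 4.14` source comment above the heading; move the comment below the heading so it stays with the text it describes.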
| // Added in 4.22. See https://redhat.atlassian.net/browse/NE-2329 and https://redhat.atlassian.net/browse/OCPSTRAT-2361 | ||
| {product-title} supports post-quantum cryptography (PQC) readiness for secure cluster communication. When running on {op-system-base-full} or {op-system-first}, core {product-title} components use the cryptographic capabilities provided by the platform operating system and TLS 1.3 security profiles, including hybrid Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) key exchange where enabled by the configured TLS security profile and supported by the component. |
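Review bot: "supports post-quantum cryptography (PQC) readiness" in the added paragraph does not tell an administrator what is protected or what to configure. The only concrete mechanism named is hybrid ML-KEM key exchange over TLS 1.3, so lead with that, and replace "where enabled by the configured TLS security profile" with the name of the profile or profiles that enable it. Because the paragraph sits directly under the FIPS statement, it should also say whether hybrid ML-KEM is available when the cluster is booted in FIPS mode, and it would help to state that key exchange is the only part covered, since nothing here mentions certificates or signatures.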
If we make the above into a section, maybe we could do the same here?
| {product-title} supports post-quantum cryptography (PQC) readiness for secure cluster communication. When running on {op-system-base-full} or {op-system-first}, core {product-title} components use the cryptographic capabilities provided by the platform operating system and TLS 1.3 security profiles, including hybrid Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) key exchange where enabled by the configured TLS security profile and supported by the component. | |
| == About PQC compliance | |
| {product-title} supports post-quantum cryptography (PQC) readiness for secure cluster communication. When running on {op-system-base-full} or {op-system-first}, core {product-title} components use the cryptographic capabilities provided by the platform operating system and TLS 1.3 security profiles, including hybrid Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) key exchange where enabled by the configured TLS security profile and supported by the component. |
|
|
||
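Review bot: the suggested heading `== About PQC compliance` does not match the paragraph, which claims "readiness" and names no standard or validation to comply with. The FIPS paragraph cites NIST FIPS 140-2/140-3 validation, but this one has nothing for "compliance" to refer to; use a heading like "About post-quantum cryptography readiness" so the release note does not imply a certification.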
| // Added in 4.22. See https://redhat.atlassian.net/browse/NE-2329 and https://redhat.atlassian.net/browse/OCPSTRAT-2361 | ||
| {product-title} supports post-quantum cryptography (PQC) readiness for secure cluster communication. When running on {op-system-base-full} or {op-system-first}, core {product-title} components use the cryptographic capabilities provided by the platform operating system and TLS 1.3 security profiles, including hybrid Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) key exchange where enabled by the configured TLS security profile and supported by the component. |
Do we want to be specific about which core components this includes? The FIPS note also says "core components".
There was a problem hiding this comment.
The expectation for 4.22 is that all core payload and platform-aligned layered products have tested that their components offer TLS 1.3 and hybrid ML-KEM.
There is some ongoing project management happening in https://redhat.atlassian.net/browse/OCPSTRAT-2361 to make sure platform-aligned layered products have done the required testing for their 4.22-aligned versions.
But your statement only specifically mentions core components, which we're in better shape on.
I think this sounds good. We could extend this to say "and platform-aligned layered products" but I'm not confident about that yet.
There was a problem hiding this comment.
Don't include it unless we're 100%.
🤖 Tue May 19 19:43:29 - Prow CI generated the docs preview:
@stevsmit: all tests passed!