Fix table in post-quantum blog post (#51)

Signed-off-by: Hayden B <[email protected]>
sigstore · Oct 25, 2023 · 7555032 · 7555032
1 parent a15c5fb
commit 7555032
Showing 1 changed file with 11 additions and 12 deletions.
diff --git a/content/is-sigstore-ready-for-a-post-quantum-world-82c9166985af.md b/content/is-sigstore-ready-for-a-post-quantum-world-82c9166985af.md
@@ -53,20 +53,19 @@ Even after this rollout, we’re not done: there are a few cryptographic compone
 
 The following table summarizes each component, its use of cryptography, whether the component is quantum-resistant, and the post-standardization plan:
 
-```csv
-Component,Cryptography,Quantum Resistant,Plan (after standardization)
-Signing/verifying artifacts (short/long-lived keys),Digital signatures (currently ECDSA),❌,Replace with PQ signature algorithms.
-Rekor append-only log,Merkle tree (currently SHA2 hash),✔️,
-"Fulcio/Rekor signatures on certificates, SETs, SCTs, and STHs",Digital signatures (currently ECDSA),❌,Replace with PQ signature algorithms.
-TUF: distributing Sigstore root certificates,Digital signatures (currently ECDSA),❌,Add PQ signature algorithms to TUF implementation.
-OIDC tokens for identity,Digital signatures (currently RSA),❌,OpenID Foundation should add (and require) PQ algorithms in OIDC.
-TLS: secure point-to-point communication,"Key exchange (ECDHE, DHE)",❌,IETF should update TLS to support PQ key exchange and signature algorithms.
-,"Signatures (RSA, ECDSA, EdDSA)",❌,
-,"Encryption (AES, ChaCha20/Poly1305)",✔️,
-```
+| Component                                                     | Cryptography                         | Quantum Resistant | Plan (after standardization)                                                     |
+|---------------------------------------------------------------|--------------------------------------|-------------------|----------------------------------------------------------------------------------|
+| Signing/verifying artifacts (short/long-lived keys)           | Digital signatures (currently ECDSA) | ❌                 | Replace with PQ signature algorithms.                                            |
+| Rekor append-only log                                         | Merkle tree (currently SHA2 hash)    | ✔️                |                                                                                  |
+| Fulcio/Rekor signatures on certificates, SETs, SCTs, and STHs | Digital signatures (currently ECDSA) | ❌                 | Replace with PQ signature algorithms.                                            |
+| TUF: distributing Sigstore root certificates                  | Digital signatures (currently ECDSA) | ❌                 | Add PQ signature algorithms to TUF implementation.                               |
+| OIDC tokens for identity                                      | Digital signatures (currently RSA)   | ❌                 | OpenID Foundation should add (and require) PQ algorithms in OIDC.                |
+| TLS: secure point-to-point communication                      | Key exchange (ECDHE, DHE)            | ❌                 | NIST/IETF should update TLS to support PQ key exchange and signature algorithms. |
+| TLS                                                           | Signatures (RSA, ECDSA, EdDSA)       | ❌                 | Pending NIST/IETF signature scheme standardization                               |
+| TLS                                                           | Encryption (AES, ChaCha20/Poly1305)  | ✔️                |                                                                                  |
 
 ### Conclusion
 
 While I personally hope to be using Sigstore to secure my binary artifacts and container images well into the potentially quantum future, it’s probably too early to go all-in on these new algorithms. The standardization process might require incompatible changes, or we might learn more about the ideal use cases. These algorithms are slow in comparison with their classical predecessors (especially since there won’t be widely-available hardware acceleration until after standardization), and early implementations may be riddled with bugs and vulnerabilities. Worse — even if Sigstore does everything right here, without updates to OIDC and TLS, users will still be vulnerable.
 
-As the post-quantum ecosystem matures, adoption will become easier and safer. And quantum threats to encryption are hopefully well into the future. Sigstore should (1) plan for an eventual migration to use PQ algorithms, (2) reduce lock-in to any one signature algorithm, and (3) watch the maturity of implementations and relevant protocols. Still, it’s prudent to emulate NIST in this domain — a little planning and preparation can mean that even if the world changes quickly around us, Sigstore should remain secure against even the most motivated and powerful adversaries for years to come.
+As the post-quantum ecosystem matures, adoption will become easier and safer. And quantum threats to encryption are hopefully well into the future. Sigstore should (1) plan for an eventual migration to use PQ algorithms, (2) reduce lock-in to any one signature algorithm, and (3) watch the maturity of implementations and relevant protocols. Still, it’s prudent to emulate NIST in this domain — a little planning and preparation can mean that even if the world changes quickly around us, Sigstore should remain secure against even the most motivated and powerful adversaries for years to come.