
Misleading crypto‑agility risk scores #4

@TSG46

Summary:
The current X + Y > Z decision rule used in CARAF and the CARAF Calculator can produce misleading crypto‑agility risk scores, especially when users enter low or zero values for X (asset lifespan) or Y (migration time). This causes assets to be incorrectly categorized as “PHASE-OUT” or “ACCEPT,” even when they handle long-lived data or require significant migration effort. This contradicts NIST PQC migration guidance, which emphasizes data retention, minimum migration lead times, and harvest-now, decrypt-later risks.

Problem Details:

1. X (Asset Lifespan) underestimates long-lived data
Many assets store or process data needing confidentiality for 10–25+ years. Current logic treats a short asset lifecycle as equal to short data retention, producing artificially low exposure scores.

2. Y (Migration Time) often set to zero
Users frequently enter Y=0, especially in early discovery phases. This ignores real-world migration complexity: library updates, PKI transition, vendor dependencies, firmware upgrades, and performance testing.

3. Z (Threat Horizon) lacks standardized defaults
Without guidance, users enter optimistic threat horizons, which skews risk evaluation.

4. Overall Impact
The rule incorrectly classifies high-risk assets as LOW RISK, ACCEPT, or PHASE-OUT, causing misleading prioritization for PQC migration efforts.

Proposed Changes

1. Add “Data Retention Lifetime” as mandatory input
Automatically compute X = max(asset lifespan, data retention lifetime), aligning with NIST PQC guidance.

2. Enforce minimum migration time (Y)
Require Y ≥ configurable lower bounds:
  • Software systems: ≥ 0.5 years
  • PKI, hardware, HSM, embedded: ≥ 1–3 years

3. Provide standardized Z presets
Suggested defaults:
  • Conservative: Z = 5
  • Moderate: Z = 7
  • Standard: Z = 10

4. Update decision logic to Exposure Index
Exposure = (DataRetention + MigrationLeadTime) – ThreatHorizon

Classification:
  • Exposure ≥ 0 → EXPOSED
  • -3 < Exposure < 0 → AT RISK
  • Exposure ≤ -3 → PHASE-OUT

5. Workbook Safeguards
  • Warn when Y=0 is entered
  • Flag when DataRetention > Z
  • Provide NIST-aligned guidance tooltips

Benefits

  • Aligns CARAF with NIST PQC recommendations
  • Produces accurate exposure assessments
  • Avoids underestimating long-term confidentiality risks
  • Addresses real migration effort
  • Improves cross-industry PQC readiness
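The proposed Exposure Index and workbook safeguards, as an added example that is not code from CARAF or from the issue author. It puts the current X + Y > Z test beside the proposed rule so the two can be compared on the same input; the asset-class names and the 1-year floor for the “1–3 years” classes are this example's assumptions.

```python
from dataclasses import dataclass, field

# Minimum migration lead times in years (the issue gives 0.5 for software and a
# 1-3 year range for PKI/hardware/HSM/embedded; the lower end is assumed here).
MIN_MIGRATION_YEARS = {"software": 0.5, "pki": 1.0, "hardware": 1.0, "hsm": 1.0, "embedded": 1.0}
# Standardized threat-horizon presets proposed in the issue.
Z_PRESETS = {"conservative": 5, "moderate": 7, "standard": 10}


@dataclass
class Assessment:
    exposure: float
    classification: str
    warnings: list = field(default_factory=list)


def legacy_rule(x, y, z):
    """Current CARAF test: True when asset lifespan + migration time exceeds the threat horizon.
    Note that it only sees the asset lifespan X, not the data-retention lifetime."""
    return x + y > z


def exposure_assessment(asset_lifespan, data_retention, migration_time, asset_class, preset="standard"):
    """Proposed rule: Exposure = (DataRetention + MigrationLeadTime) - ThreatHorizon, with safeguards."""
    warnings = []
    # Safeguard 1: X = max(asset lifespan, data retention lifetime).
    x = max(asset_lifespan, data_retention)
    # Safeguard 2: warn on Y=0 and enforce the per-class lower bound.
    if migration_time == 0:
        warnings.append("Y=0 entered: migration effort is never zero")
    floor = MIN_MIGRATION_YEARS[asset_class]
    y = max(migration_time, floor)
    if y != migration_time:
        warnings.append(f"Y raised to class minimum of {floor} years")
    z = Z_PRESETS[preset]
    # Safeguard 3: flag data that must stay confidential past the threat horizon.
    if data_retention > z:
        warnings.append("DataRetention exceeds threat horizon Z")
    exposure = (x + y) - z
    if exposure >= 0:
        classification = "EXPOSED"
    elif exposure > -3:
        classification = "AT RISK"
    else:
        classification = "PHASE-OUT"
    return Assessment(exposure, classification, warnings)


if __name__ == "__main__":
    # Constructed case: 2-year asset holding 20-year-confidential data, Y entered as 0.
    print(legacy_rule(2, 0, 10), exposure_assessment(2, 20, 0, "software"))
```

On the constructed case the legacy test returns False (no action) while the proposed rule yields Exposure 10.5 and EXPOSED with three warnings.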
