Re: [Cfrg] RFC Draft for Secure Crypto Config (Submission support and feedback request)

Ellie Daw <elliemdaw@gmail.com> Wed, 21 October 2020 15:26 UTC

Return-Path: <elliemdaw@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 391033A0E22 for <cfrg@ietfa.amsl.com>; Wed, 21 Oct 2020 08:26:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id slmC6HyPbQcb for <cfrg@ietfa.amsl.com>; Wed, 21 Oct 2020 08:26:32 -0700 (PDT)
Received: from mail-qk1-x735.google.com (mail-qk1-x735.google.com [IPv6:2607:f8b0:4864:20::735]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 23D293A0A26 for <cfrg@irtf.org>; Wed, 21 Oct 2020 08:26:32 -0700 (PDT)
Received: by mail-qk1-x735.google.com with SMTP id 188so2786443qkk.12 for <cfrg@irtf.org>; Wed, 21 Oct 2020 08:26:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=date:from:to:message-id:in-reply-to:references:subject:mime-version; bh=p30kHev2YAgkqasYJyl0yTayj1rh7u1jk8CNUuQqrIU=; b=q95t72F4acSyLoO4g6TOkZjp9Ikfxg1C9SNjG8y2khDE3E66Z9kIHKD0DEmezNluQN WFA+UM1dFUx/UpJW6Kasa94KUQHjft6En+FGsCsoY7vNXXLmuV5qkXw6c9XMKsM4SucT P9NT3Z8Wmw5PX+Cx2/cNkNRB3SBEi+nZUVe5eZo3DT6ULzf5VtHAcaPOHkqx/bj72fT4 xVDuX+WLvdIpTsRPd0+yx4RDNgEpZup0UZNofE2x+1yEv/2pwa3RFvxs3mFjRw1p6Swu 6g/kSpZzjUWCkr91iiuQ9dGCP0jDQr76KLbJ4VTvcMyOoMFV14FNY4iJyoL00oZBq22V x+1Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:message-id:in-reply-to:references :subject:mime-version; bh=p30kHev2YAgkqasYJyl0yTayj1rh7u1jk8CNUuQqrIU=; b=eAJGp2TkRE42lef/hT5SUQKuFp3wVrVwrqoB85Vr2F6Y2ql+DDRPxnTZBly8zcmYje cdCkORLvrI1Zfid7i00rRISDfNjwbW9cvOZx+f5ccQXlKZqZVYr3r4q+fbp+45pM0bTk J48eSMWXC3qhsfHKeuTUDbFHMz5uuT/I+0uNYmGnLuP6Bnla0VyQQwkwwOSUEtolwljF kIcHyt92qBx5b+van/DtzSvd1xb7shUVfUMafP8yAXvpEpPumhAaoE9qiIh3JE8r59ZD 1xRLy1RqjAIPFfRP/UW8K15mReWWDD11DBmhe3ZWDv55V00+fIZGHDeRIoEKRWHS3G1v FvMg==
X-Gm-Message-State: AOAM530tflNsqqKzd596Yf/VYtE7Syjd8IjcbPQ8Tzzl10XoeN/78hy9 Lrx9uEVyO2ArWAYvSKrOrAJtfak8fes=
X-Google-Smtp-Source: ABdhPJzzBg0sLBgMseTPG5l0Nyp25TG5YV0XFf7i9h/VjW+kcz5p+5BYj13wOxlBH5o0wGeP0ZEVPA==
X-Received: by 2002:a37:9e8e:: with SMTP id h136mr3761162qke.205.1603293990643; Wed, 21 Oct 2020 08:26:30 -0700 (PDT)
Received: from [10.0.0.11] (pool-100-15-227-10.washdc.fios.verizon.net. [100.15.227.10]) by smtp.gmail.com with ESMTPSA id j9sm1403011qtk.89.2020.10.21.08.26.29 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 21 Oct 2020 08:26:30 -0700 (PDT)
Date: Wed, 21 Oct 2020 11:26:23 -0400
From: Ellie Daw <elliemdaw@gmail.com>
To: "=?utf-8?Q?cfrg=40irtf.org?=" <cfrg@irtf.org>, Kai Mindermann <kai.mindermann@ic-consult.com>
Message-ID: <b55855cc-de9d-4846-a5e6-0810c2966f58@Spark>
In-Reply-To: <AM0P194MB049890800412E9375D48FF0DB6010@AM0P194MB0498.EURP194.PROD.OUTLOOK.COM>
References: <AM0P194MB02899CD89A20C471339EC056B62E0@AM0P194MB0289.EURP194.PROD.OUTLOOK.COM> <AM0P194MB049890800412E9375D48FF0DB6010@AM0P194MB0498.EURP194.PROD.OUTLOOK.COM>
X-Readdle-Message-ID: b55855cc-de9d-4846-a5e6-0810c2966f58@Spark
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="5f905325_836c40e_10e24"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/-uIGn2abwSWO56mUiu5LE-6M6aQ>
Subject: Re: [Cfrg] RFC Draft for Secure Crypto Config (Submission support and feedback request)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Oct 2020 15:26:34 -0000

I think this is a really interesting idea! We’ve had a project, Crypto Done Right, in the works for a while now. The goal is along the same lines as this proposal: helping users to use cryptography correctly. However, our project provides samples and guidance, whereas this proposal could alleviate the need for users to look for guidance on how to make parameter choices, etc. altogether.

I’m curious to hear others’ thoughts; to me, having something like what’s in this proposal (standardized secure configurations and metadata which could be parsed along with ciphertexts) seems like it could effectively address some of the challenges for users.

Ellie
On Oct 18, 2020, 5:44 AM -0400, Kai Mindermann <kai.mindermann@ic-consult.com>om>, wrote:
> Hi,
>
> I have now submitted the proposal as individual draft here: https://datatracker.ietf.org/doc/draft-kaimindermann-securecryptoconfig/
>
> A lot of things are still open, but I think it’s still good to show the current state and concepts to the experts already.
>
> Would be interesting to see what you think about the general concept of having something like this standardized in the future.
>
> Mit freundlichen Grüßen / Best regards
> Kai Mindermann
>
> --
> Kai Mindermann
> Senior Consultant
> M +49 1512 1054730
>
> kai.mindermann@ic-consult.com
> www.ic-consult.com
>
> iC Consult Gesellschaft für Systemintegration und Kommunikation mbH
> Standort: Zettachring 8a | 70567 Stuttgart | Germany
> Verwaltung: Huyssenallee 99-103 | 45128 Essen | Germany
> Geschäftsführer: Dr. Andreas Neumann
> HRB 116170 Amtsgericht München
>
> Von: Cfrg <cfrg-bounces@irtf.org> Im Auftrag von Kai Mindermann
> Gesendet: Dienstag, 1. September 2020 12:36
> An: cfrg@irtf.org
> Betreff: [Cfrg] RFC Draft for Secure Crypto Config (Submission support and feedback request)
>
> Hi,
>
> me and a master’s student (Lisa Teis) are working on a proposed standard to solve some problems around cryptography usage.
>
>
> I’ll cite the Secure Crypto Config draft abstract for you:
>
> Choosing secure cryptography algorithms and their corresponding parameters is difficult. Also, current cryptography APIs cannot change their default configuration which renders them inherently insecure. The Secure Crypto Config provides a method that allows cryptography libraries to change the default cryptography algorithms over time and at the same time stay compatible with previous cryptography operations. This is achieved by combining three things standardized by the Secure Crypto Config: (1) A process that is repeated every two years, where a new set of default configurations for standardized cryptography primitives is published in a specific format. (2) A Secure Crypto Config Interface that describes a common API to use cryptography primitives in software (3) using COSE to derive the parameters from output of cryptography primitives, otherwise future changes of the default configuration would change existing applications behavior.
>
> Our current draft can be found here: https://securecryptoconfig.github.io/secureCryptoConfig/draft-kaimindermann-securecryptoconfig.html and accordingly the repository (including the issue tracker to track feedback) can be found also on GitHub: https://github.com/secureCryptoConfig/secureCryptoConfig
>
> We’d like to submit a version “-01” to the IETF datatracker to work with you on this standard, yet I’m unsure which process to follow (is it a independent submission or not, etc). I tried to use the automatic submission with Travis based on the template project (https://github.com/martinthomson/i-d-template) yet it did not work.
>
> Please give us your feedback and how you would suggest to move forward to get this into the right standardization process. It’s still early work and a lot of things are not decided or open, but that’s why we want to involve more people to contribute.
>
> Mit freundlichen Grüßen / Best regards
> Kai Mindermann
>
> --
> Kai Mindermann
> Senior Consultant
> M +49 1512 1054730
>
> kai.mindermann@ic-consult.com
> www.ic-consult.com
>
> iC Consult Gesellschaft für Systemintegration und Kommunikation mbH
> Standort: Zettachring 8a | 70567 Stuttgart | Germany
> Verwaltung: Huyssenallee 99-103 | 45128 Essen | Germany
> Geschäftsführer: Dr. Andreas Neumann
> HRB 116170 Amtsgericht München
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg