[CFRG] Re: Request for adoption: Signature modes guidance / draft-harvey-cfrg-mtl-mode-03

Richard Barnes <rlb@ipv.sx> Mon, 05 August 2024 20:57 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C346EC14F696 for <cfrg@ietfa.amsl.com>; Mon, 5 Aug 2024 13:57:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level:
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R_PkeQMuzDAl for <cfrg@ietfa.amsl.com>; Mon, 5 Aug 2024 13:57:28 -0700 (PDT)
Received: from mail-il1-x131.google.com (mail-il1-x131.google.com [IPv6:2607:f8b0:4864:20::131]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 03632C14F680 for <cfrg@irtf.org>; Mon, 5 Aug 2024 13:57:27 -0700 (PDT)
Received: by mail-il1-x131.google.com with SMTP id e9e14a558f8ab-39b32f258c8so6899405ab.1 for <cfrg@irtf.org>; Mon, 05 Aug 2024 13:57:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20230601.gappssmtp.com; s=20230601; t=1722891447; x=1723496247; darn=irtf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=wcr6AeOMxlYaNiu7GeuBDx2aiKGtxFEpDRkhUhp5kp8=; b=OME1BfMIGwKUaE/fXpJnnapA7NOklfnSri9qcljDBhZAob2LeLB/Ke5r4Kh3qdfngT tEEyX0KlJ6gWlE4llXo7dGvpjhJv4V6WAHbRtJASrwcadEJZAooEZvvMzqYG3Zx0H/9p lvWUmM2VqEie3oN1yMmDqlgKjAnuEAJ7HIKq/0wHj4ahEEkTJ6IhbQ4rojxTGRAUza6b BinWk+nbS5hxZ5Gy3JT7V7moFdpJIAffkchrckJj2Hm4Uh70PTjgou5aqNJQVW72XVxr dnUogmkT5QxHzl723UzZbhgjUu/7pKfDDP5jMas7NmB118OEFW3eGhMCGnaKIpE4MWE5 KACg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1722891447; x=1723496247; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=wcr6AeOMxlYaNiu7GeuBDx2aiKGtxFEpDRkhUhp5kp8=; b=KIa0LeY8PP7UUwp6fg0iaOb+AQhJaJW5Y27lXpmA6PH2yYT1aXNBZ2e+cVlq/XSWiY LxPcoevyyuUWOW4BV1CVOfLtlirbh1G3ptjQeLM7dOhiWhANlPBF9XlKnVFEoujAIaMT DzncoK2Q8K37czYcVgv3C1CW+7vpWcN763vytdlC3cUfuDHKBm+wNzxYJkhAa81hSdO3 I3xZW3KqBZjguvots9AgH6EtMgyLf1Vn05wW0SiCKUbM9hhmfqM3uPr+b6FJ/WifaAxm QYqYUpK7pSLJ0h2Mm1k6UHJ8kFQv1RSEbRJFie6aAi+4CZQzljTGfeICRfa8/xuz8p5C gKHQ==
X-Forwarded-Encrypted: i=1; AJvYcCVtFYoebIi7HUiYzHP0++uhkGin0WIggHsAPZAIUO1vG60oevX+Ihj6VRIoQEi3XVGU9YAwcCaM3kPdsVXG
X-Gm-Message-State: AOJu0Yx2Fe8PTH/ywBoWpRbpwrxfT5JGSOI56gltzb5R7hWtk4fO7EP5 xZ2zwR/u4ymGmV7Uno52rWPXspF/bBCA/Rmh5D58FsfkOEkm8xa8/+fMrJ9tLdWk2nvOiLxxvGy WwnQLHg24RSH0DofyofC61ujIkdrAq2xPcjRa2w==
X-Google-Smtp-Source: AGHT+IEghUmQNOUtPh0+9JyN2ChK/UBMLsTG+OCKWJIqW/ope3Xyr5wf7J3M2/XQ/pDgbE+SRfvHgG6zmqctS2ZX3QU=
X-Received: by 2002:a05:6e02:1d99:b0:380:db2c:4d53 with SMTP id e9e14a558f8ab-39b1d0556a9mr120097785ab.3.1722891446893; Mon, 05 Aug 2024 13:57:26 -0700 (PDT)
MIME-Version: 1.0
References: <43f8434f68c144f38b4a4a3933841899@verisign.com> <CACsn0c=8=DKKUu6uyevevdNRbZUae4bD=omc24Qtnz8dfeuG=Q@mail.gmail.com>
In-Reply-To: <CACsn0c=8=DKKUu6uyevevdNRbZUae4bD=omc24Qtnz8dfeuG=Q@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Mon, 05 Aug 2024 16:57:15 -0400
Message-ID: <CAL02cgShYv4B4wLYTTLc3kGGn_sn1F0eoMqafmrhD8Mvk3DX_w@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000ade543061ef5eccf"
Message-ID-Hash: ZVR7O5QFU7NXWOYPQEVX52C3H5Y5FIPV
X-Message-ID-Hash: ZVR7O5QFU7NXWOYPQEVX52C3H5Y5FIPV
X-MailFrom: rlb@ipv.sx
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-cfrg.irtf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "Kaliski, Burt" <bkaliski=40verisign.com@dmarc.ietf.org>, "cfrg@irtf.org" <cfrg@irtf.org>, "Sheth, Swapneel" <ssheth@verisign.com>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [CFRG] Re: Request for adoption: Signature modes guidance / draft-harvey-cfrg-mtl-mode-03
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/Z3qk0Yj_HQb9z72m7ulyk7gRx6w>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Owner: <mailto:cfrg-owner@irtf.org>
List-Post: <mailto:cfrg@irtf.org>
List-Subscribe: <mailto:cfrg-join@irtf.org>
List-Unsubscribe: <mailto:cfrg-leave@irtf.org>

I tend to agree with Watson here.  It's not clear to me why this is a new
signing mode vs. just another data structure that gets signed.  Plenty of
other signed hash-based data structures have been defined by Certificate
Transparency, the various flavors of Key Transparency, and others.  As
Watson says, and as these examples illustrate, the details of these data
structures tend to be pretty application-specific.  So it seems like this
work might be better done in a venue with more DNSSEC expertise, even if it
might be reusable elsewhere.

--Richard

On Mon, Aug 5, 2024 at 12:59 PM Watson Ladd <watsonbladd@gmail.com> wrote:

> I don't understand why this is in the CFRG: it seems to be squarely in
> the line of decisions WGs have made outside CFRG such as keytrans or
> CT.
>
> Separately while I think the idea is interesting, there's a lot of
> operational and structural questions to actually apply it very closely
> ingrained with application and protocol level considerations. CFRG
> isn't really suited to determine if this will work. This is not to say
> it shouldn't be pursued, but I just have a lot of questions about how
> it would work fro DNSSEC for instance.
>
> Sincerely,
> Watson Ladd
>
> --
> Astra mortemque praestare gradatim
>
> _______________________________________________
> CFRG mailing list -- cfrg@irtf.org
> To unsubscribe send an email to cfrg-leave@irtf.org
>