Re: [Cfrg] RGLC on draft-irtf-cfrg-xmss-hash-based-signatures-03.txt
Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 28 June 2016 14:56 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7CBA41288B8 for <cfrg@ietfa.amsl.com>; Tue, 28 Jun 2016 07:56:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.727
X-Spam-Level:
X-Spam-Status: No, score=-5.727 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.426, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P_-O2hu_NZci for <cfrg@ietfa.amsl.com>; Tue, 28 Jun 2016 07:56:14 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9E9F212D0E5 for <cfrg@irtf.org>; Tue, 28 Jun 2016 07:56:14 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 68100BDF9; Tue, 28 Jun 2016 15:56:12 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yJepaid634Ta; Tue, 28 Jun 2016 15:56:10 +0100 (IST)
Received: from [10.87.48.210] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 5E72EBDCA; Tue, 28 Jun 2016 15:56:10 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1467125770; bh=PN2tnJ3FMsCSVypCH/djqYXLGqYKLUkRJHK0VVIExzE=; h=Subject:To:References:From:Date:In-Reply-To:From; b=Y7fpBZoIhvTM8Xn2YsVwOc5ed8E+sExl3wNjZkDFaTrjcIblfk80j40x5U4OW4Od2 0qD0xL0hREeQgZIUjjjio4eR5gw95asVaxP9x99mbEx4y9NFoSaZMzVjUO8vWBXZay 2Q8FGbuN60WLaSGtp9pghlxn6tq0w+3poD6llK7c=
To: Alexey Melnikov <alexey.melnikov@isode.com>, "cfrg@irtf.org" <cfrg@irtf.org>
References: <56E9B7E2.7050105@isode.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <5772900A.8020507@cs.tcd.ie>
Date: Tue, 28 Jun 2016 15:56:10 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.8.0
MIME-Version: 1.0
In-Reply-To: <56E9B7E2.7050105@isode.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms090901060207060504080504"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/siOpqnlFsSUEqxom5jzeBbHV-y0>
Resent-From: alias-bounces@ietf.org
Resent-To: <>
Subject: Re: [Cfrg] RGLC on draft-irtf-cfrg-xmss-hash-based-signatures-03.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jun 2016 14:56:17 -0000
Hiya, I had a quick read of the draft. I've no comments on the algorithm itself, but do have a strong reservation about the text. I would be much happier if it included some CFRG-consensus text as to the current desirability of implementing and deploying and depending upon any scheme that aims/claims to be post-quantum secure (or any similar phraseology). While a quantum computer is definitely a threat about which we ought worry, we must also worry about people implementing the shiny new thing badly. And about a shiny new thing that turns out less good than expected. Or if implementing the shiny new thing acts as a distraction to the deployment of currently good but non quantum-resistant security or privacy mechanisms. There may also, over time, be many shiny new things, that are not all equal, but so that implementers lack guidance as to which to choose. I consider all of the above are real threats and that CFRG ought provide guidance as to how the trade-offs between those are currently seen. So I would really like to see a paragraph or two that is aimed at implementers and that gives current guidance on whether or not this is ready for prime-time. I would hope the same paragraph could be re-used in any similar drafts. My starting point would be to insert something like the text below at a prominent place in the introduction: "All quantum-resistant algorithms documented by CFRG are today considered ready for experimentation and further engineering development (e.g. to establish the impact of performance and sizes on IETF protocols) but CFRG has consensus that we are not yet sufficiently confident to the point where we would want the security or privacy of a significant part of the Internet to be dependent on any set of those algorithms. In future, as things mature, CFRG intends to publish updated guidance on this topic." If CFRG's consensus is for something much more positive than the above, so long as that guidance is clearly justified and clearly safe for implementers then I'll be fine with that. IOW my conservative text above might be too conservative, but ISTM that this is a case where do-no-harm is a good principle to follow at first. Note: This is independent of this (or any) specific algorithm so I hope the authors/proponents don't take this as a comment on their algorithm. (And yes, this is sort of related text in section 8.3, but that is IMO insufficient.) S. PS: The above is my comment as an individual (barely qualified:-) participant in CFRG. As one of the current security ADs, I would however also have to consider if the lack of some such guidance would be something for the IESG to consider during rfc5742 conflict review. I'm not sure if the concern above would or would not be a valid 5742 conflict but absent some such guidance I think I'd have to raise the issue then, so be no harm if we can resolve it now. Apologies if I missed one before, but I think this is the first such document to reach this stage, so now's a good time to sort this. PPS: That the organisation perhaps most likely to develop a QC is also one that could potentially benefit from quantum-resistance as a distraction, or that might have better QC based attacks, and that that organisation is pushing us towards this kind of work, and is also an organisation that reportedly has a gigantic (and IMO gigantically stupid) budget for making Internet security worse... remains a highly relevant consideration for me here. But I don't think that that is needed to justify asking for consensus guidance on when to depend on this stuff. On 16/03/16 19:45, Alexey Melnikov wrote: > This message starts 4 weeks RGLC on > draft-irtf-cfrg-xmss-hash-based-signatures-03.txt (XMSS: Extended > Hash-Based Signatures) which will end on April 13th. Please let chairs > know if you think the document is ready for IRSG review (and publication > as an RFC) or if you find any issues with it. > > Best Regards, > Kenny and Alexey > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg >
- Re: [Cfrg] RGLC on draft-irtf-cfrg-xmss-hash-base… A. Huelsing
- Re: [Cfrg] RGLC on draft-irtf-cfrg-xmss-hash-base… Stephen Farrell
- Re: [Cfrg] RGLC on draft-irtf-cfrg-xmss-hash-base… Watson Ladd
- Re: [Cfrg] RGLC on draft-irtf-cfrg-xmss-hash-base… Gilles Van Assche
- Re: [Cfrg] RGLC on draft-irtf-cfrg-xmss-hash-base… Alexey Melnikov
- [Cfrg] RGLC on draft-irtf-cfrg-xmss-hash-based-si… Alexey Melnikov
- Re: [Cfrg] RGLC on draft-irtf-cfrg-xmss-hash-base… Gilles Van Assche
- Re: [Cfrg] RGLC on draft-irtf-cfrg-xmss-hash-base… Russ Housley
- Re: [Cfrg] RGLC on draft-irtf-cfrg-xmss-hash-base… A. Huelsing
- Re: [Cfrg] [MASSMAIL]Re: RGLC on draft-irtf-cfrg-… Grigory Marshalko
- Re: [Cfrg] RGLC on draft-irtf-cfrg-xmss-hash-base… Stephen Farrell