IETF Logo Mail Archive

Re: [COSE] Proposal for multiple keys / signatures in CBOR Certificates

Derek Atkins <derek@ihtfp.com> Mon, 26 September 2022 18:53 UTC

Return-Path: <derek@ihtfp.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC0C6C14F72D for <cose@ietfa.amsl.com>; Mon, 26 Sep 2022 11:53:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.108
X-Spam-Level:
X-Spam-Status: No, score=-7.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ihtfp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hOXoKu22vwui for <cose@ietfa.amsl.com>; Mon, 26 Sep 2022 11:53:42 -0700 (PDT)
Received: from mail2.ihtfp.org (MAIL2.IHTFP.ORG [204.107.200.7]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC735C14CF05 for <cose@ietf.org>; Mon, 26 Sep 2022 11:53:42 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail2.ihtfp.org (Postfix) with ESMTP id 3C81AE203F; Mon, 26 Sep 2022 14:53:41 -0400 (EDT)
Received: from mail2.ihtfp.org ([127.0.0.1]) by localhost (mail2.ihtfp.org [127.0.0.1]) (amavisd-maia, port 10024) with ESMTP id 08635-06; Mon, 26 Sep 2022 14:53:40 -0400 (EDT)
Received: by mail2.ihtfp.org (Postfix, from userid 48) id 25A88E2040; Mon, 26 Sep 2022 14:53:40 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ihtfp.com; s=default; t=1664218420; bh=MBBpCp1/uF+gCLbayL4XEr8eJzBoG+n758N43LcnvbI=; h=In-Reply-To:References:Date:Subject:From:To:Cc; b=Wq6bfLR8jKMh5Zan112mT0s6u8O6CCtr3xHXb0UaUt5TTXNYFbCPWogVIA6VNenHn Y6uMOJ93gYUDItu2OnCadRLvLaWZyyzQSQmetIu11myYstY3vC6qs/cjSlMPB62FPG zPXOQ5eUaphy6mkxyMTEwPZ/FaTiHz5UPronqhUw=
Received: from 192.168.248.239 (SquirrelMail authenticated user warlord) by mail2.ihtfp.org with HTTP; Mon, 26 Sep 2022 14:53:40 -0400
Message-ID: <229c8658d14f813207be24d091f03079.squirrel@mail2.ihtfp.org>
In-Reply-To: <157579.1664216900@dooku>
References: <cd7203f430896369ac39a6d435604447.squirrel@mail2.ihtfp.org> <1B05EE1E-398B-4D88-ADA4-89884813D784@vigilsec.com> <957512e0554c67559427f40c22e0f743.squirrel@mail2.ihtfp.org> <8e1b9e998a68bf7db0bf8f1fa5fe2ea9.squirrel@mail2.ihtfp.org> <157579.1664216900@dooku>
Date: Mon, 26 Sep 2022 14:53:40 -0400
From: Derek Atkins <derek@ihtfp.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: Russ Housley <housley@vigilsec.com>, cose@ietf.org
User-Agent: SquirrelMail/1.4.22-14.fc20
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
X-Virus-Scanned: Maia Mailguard 1.0.2a
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/9olbSuqsLCFg4Qs0NadWU65QGaI>
Subject: Re: [COSE] Proposal for multiple keys / signatures in CBOR Certificates
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Sep 2022 18:53:47 -0000

Michael,

On Mon, September 26, 2022 2:28 pm, Michael Richardson wrote:
>
> Derek Atkins <derek@ihtfp.com> wrote:
>     > I just perused the LAMPS archives for the last 6 weeks (back to
> August
>     > 12) and do not see anything related to multiple keys and/or multiple
>     > signatures in a certificate.  Or at least none of the conversations
> or
>     > document titles are obviously on that topic.
>
>     > Could you please point me to the discussion thread?
>
> I think that it's the entire PQ certificate progress discussion.
> There is nothing really C509 specific at this point.
>
> I think that Russ is thinking that whatever we do in X509 ASN.1 extensions
> should be 1:1 with what you want, but OTH, I think you want to do
> something sooner.
>
> I think you should write some running code, submit an individual ID, and
> then tell us how it went :-)

I am happy to go this route (the running code will be the easiest part,
and honestly I'll have to do that anyway regardless of the approach
because it's our own implementation of C509).  However, I really wouldn't
want to spend the time on an I-D if there isn't at least someone who would
support a C509-native-only approach that may not be 1:1 compatible with
X509, especially as I'm pretty sure X.509 is not going to take the route
of "all parsers need to be updated for this to work at all".

-derek

-- 
       Derek Atkins                 617-623-3745
       derek@ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant

v2.23.0 | Report a Bug | By Email