Re: [COSE] draft-prorock-cose-post-quantum-signatures [Was: Re: Call for COSE Agenda Items for IETF 113 in Vienna]

Ilari Liusvaara <ilariliusvaara@welho.com> Tue, 15 March 2022 19:15 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/TQe_tOM6G6RijkUPYvgn2aVTVvY>

On Tue, Mar 15, 2022 at 11:09:13AM -0400, Mike Prorock wrote:
> On Tue, Mar 15, 2022 at 8:54 AM Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
> 
> > On 2022-03-15 13:20, Mike Prorock wrote:
> > > Anders,
> > > What are your thoughts on a kty for hash based, one for lattice, and
> > > then later for isogeny or other families as required?  That seems in line
> > > with the definition of kty from 4.1 of the jwk rfc "The 'kty' (key type)
> > > parameter identifies the cryptographic algorithm family used with the key"
> >
> > Hi Mike, I must confess that my insights in the actual algorithms are
> > fairly modest (big understatement); I see this exclusively from an
> > architectural point of view.
> >
> > To avoid talking in riddles, consider the initial part of current X.509
> > public key definitions:
> >
> > SEQUENCE {
> >    SEQUENCE {
> >      OBJECT IDENTIFIER rsaEncryption (1.2.840.113549.1.1.1)
> >
> >
> > SEQUENCE {
> >    SEQUENCE {
> >      OBJECT IDENTIFIER ecPublicKey (1.2.840.10045.2.1)
> >      OBJECT IDENTIFIER NIST-P-256 (1.2.840.10045.3.1.7)
> >
> >
> > SEQUENCE {
> >    SEQUENCE {
> >      OBJECT IDENTIFIER Ed25519 (1.3.101.112)
> >
> > X.509 public keys follow the top-level identifier concept I'm advocating.
> > I would be very surprised if the PKIX folks lump all known PQ key
> > algorithms under a single identifier even if it would be technically
> > feasible.  If we want COSE/JOSE keys to eventually become first class
> > citizens (like X.509) in cryptographic subsystems, a rethink may be
> > necessary.
> >
> > Yes, taking on such a scheme will require a bunch of RFCs but they would
> > all be very short.
> >
> > "One key container to rule them all!"  I hope not :)
>
> That is very helpful.  I have similar thoughts, and setting a 'kty' by
> family of algorithm, and in the post quantum case also requiring 'alg' to
> specify the actual algorithm and parameter set within that family, is very
> much in line with what you outlined.

X.509 does not actually work that way. X.509 has no equivalent to the
COSE/JOSE alg parameter in keys. For some key types, you are not going
to be able to use them in more than one way. E.g., you can't perform
anything but Ed25519 with an Ed25519 key. But for many of the key types
(I think this includes even X25519 keys, but it definitely includes
things like RSA and EC keys), there are many operations one can perform
(yes, it is unsound).


And it turns out that one can't emulate the model X.509 uses in COSE/JOSE
by allowing second-chance dispatch on OKP crv (which is something an
implementation could just decide to do), due to the way COSE and
especially JOSE handle ECDSA.
 


-Ilari
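
Added example, not part of the original message and not code from any COSE/JOSE library: a Python sketch of how a verifier can compute which JOSE algorithms a JWK may be used with, showing that RSA and EC keys admit several operations unless the key's optional "alg" member pins one, while an OKP key is decided by its crv. Algorithm and curve names are those registered by RFC 7518 and RFC 8037; the function names and sample keys are constructed for illustration.

```python
# Added illustration: key-type / algorithm compatibility for JWKs.
# Names of functions and sample keys are hypothetical.

RSA_ALGS = {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512",
            "RSA1_5", "RSA-OAEP", "RSA-OAEP-256"}
ECDH_ALGS = {"ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW"}
# JOSE ties each ECDSA algorithm to one curve (ES256 only with P-256, etc.).
EC_SIG = {"P-256": "ES256", "P-384": "ES384", "P-521": "ES512"}
# For OKP keys the curve alone decides signature versus key agreement.
OKP_ALGS = {"Ed25519": {"EdDSA"}, "Ed448": {"EdDSA"},
            "X25519": ECDH_ALGS, "X448": ECDH_ALGS}


def permitted_algs(jwk):
    """Return the set of JOSE algorithms this key may be used with."""
    kty = jwk.get("kty")
    if kty == "RSA":
        allowed = set(RSA_ALGS)
    elif kty == "EC":
        crv = jwk.get("crv")
        if crv not in EC_SIG:
            return set()
        allowed = {EC_SIG[crv]} | ECDH_ALGS
    elif kty == "OKP":
        allowed = set(OKP_ALGS.get(jwk.get("crv"), ()))
    else:
        return set()  # unknown key type: nothing is permitted
    # An "alg" member in the key pins it to that single algorithm.
    if "alg" in jwk:
        allowed &= {jwk["alg"]}
    return allowed


def check_use(jwk, alg):
    """Raise ValueError if the message's alg is not permitted for this key."""
    if alg not in permitted_algs(jwk):
        raise ValueError(f"alg {alg!r} not permitted for this key")
    return True


if __name__ == "__main__":
    # Constructed sample keys (public key material omitted).
    for key in ({"kty": "RSA"}, {"kty": "RSA", "alg": "PS256"},
                {"kty": "EC", "crv": "P-256"}, {"kty": "OKP", "crv": "Ed25519"}):
        print(key, "->", sorted(permitted_algs(key)))
```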