[hackathon] PQC X.509 115 Hackathon pre meeting minutes

[John Gray <John.Gray@entrust.com>]

Thanks for attending the pre-meeting today!  I think it was very productive.   For those of you who could not make it, here is a summary:


  1.  We decided to use gather (https://www.ietf.org/how/meetings/gather/) to connect the onsite participants with the remote participants at the following times:

  *   Saturday November 5th at 10am and 4pm GMT (London England Time)
  *   Sunday November 6th at 10am and 1pm GMT (London England Time) – The final presentations are at 2:00 pm on Sunday.

               I also updated the team schedule with the above information:   https://wiki.ietf.org/meeting/115/hackathon/teamschedule


  1.  To foster communication, we decided to use the Hackathon Github to share files, though perhaps there are better IETF tools that would allow us to do this easier.  Pushing and pulling code is always fun, but dropping in files is probably easier if there is such a tool that isn’t too onerous to setup.
  2.  We also talked a bit about the key formats themselves:
     *   For the PQ Public Key, we seemed to agree that having the key encoded as an OCTET_STRING agrees with the current draft standards (dilithium for example).   We understand it uses an extra 4 bytes when it is placed inside the standard SubjectPublicKeyInfo, but for the sake of compatibility it doesn’t seem like a big deal.    It is fairly trivial for encoders and decoders to unwrap these messages.   We can use the same procedure for the other algorithms (Falcon, SPHINCS+ and Kyber).
     *   For the Private Key, we discussed the issue of concatenation of the public key with the private key (as is done in openSSL by default).  Some software implementations need access to the public key.  I also learned from Markku that the Kyber private key already concatenates the full public key.   We seemed to agree that this structure should work in all cases:
PQPrivateKey ::= SEQUENCE {
         version                  Version,
         privateKeyAlgorithm      PrivateKeyAlgorithmIdentifier,
         privateKey               OCTET STRING,
         publicKey                [1] PQPublicKey OPTIONAL
     }

In the case of Kyber, the OPTIONAL publicKey can be omitted as it is already part of the private key.  For the other algorithms it can be included based on application need.   It is also recognized that many applications can just use their own PrivateKey format.  The above is only needed when interchanging private keys (PKCS#12 for example).


     *   For the OIDs, the key seems to be agility.   It seems a number of people are planning to support both sets of OIDS  I sent out earlier (the OQS OIDS and the Entrust OIDS for interoperability).   Carl mentioned he is planning to support all of them, I am working on supporting all of them at once, and I also learned from Michael Baentsch (lead developer for openSSL-oqs) that there is a way to override the OIDS with simple environment variable commands!    He put together this page for us:  at https://github.com/open-quantum-safe/oqs-provider/wiki/Interoperability#ietf-115-hackathon<https://urldefense.com/v3/__https:/github.com/open-quantum-safe/oqs-provider/wiki/Interoperability*ietf-115-hackathon__;Iw!!FJ-Y8qCqXTj2!Y1TcFQZhvY5KvgEPVzmY1p25bL-8eOus0rUxFZtcPdoedImCX9HE0-ZhqEe5exCN8fWgXF2zKZF3AdmZ$>    Ideally we want the ability to drop in whatever OIDs get standardized on short notice, so designing software with that in mind will help collaboration at this time.


  1.  A question on how interactive protocols (CMPv2, SSH, etc) could be tested came up.  Essentially we would need to be able to communicate over an internal network so a server/client can communicate.    Since the event is hosted by Cisco we are assuming there will be some way to accommodate this at the event?   😊
  2.  We also talked about composite, and a few people are interested in testing this format as well, so that is great!
  3.  We briefly touched on signatures, but didn’t get too far into the “hash-then-sign” weeds, as that question comes up.  I imagine it will keep coming up until this issue is fully resolved for the PQ context.   Markku mentioned the XMSS standards do some type of preformatting of the hash, so looking at that may offer some useful guidance.  For our hackathon I think we agree we will stick to full message signing for now.   Obviously there is no reason signing a hash of a message wouldn’t work,  from an algorithms perspective it is just a smaller blob of bits being signed.   😊

I think that about covers everything we talked about today.

See you at the Hackathon on Saturday if you can make it either on gather (online) or in person.

Cheers,

John Gray

From: John Gray
Sent: Tuesday, October 25, 2022 10:16 PM
To: Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>; 'LAMPS' <spasm@ietf.org>; pqc@ietf.org; hackathon@ietf.org
Cc: info@baentsch.ch; Felipe Ventura <Felipe.Ventura@entrust.com>; kris@amongbytes.com; Railean, Alexander <alexander.railean@siemens.com>; Kretschmer, Andreas <andreas.kretschmer@siemens.com>; Tim Hollebeek <tim.hollebeek@digicert.com>; Max Pala <M.Pala@cablelabs.com>; Michael Richardson <mcr@sandelman.ca>; Sofía Celi <cherenkov@riseup.net>; alexandre.petrescu@gmail.com; Klaußner, Jan <Jan.Klaussner@d-trust.net>; Florence D <Florence.D@ncsc.gov.uk>; Vaira, Antonio <antonio.vaira@siemens.com>; Serge Mister <Serge.Mister@entrust.com>; David Hook <dgh@cryptoworkshop.com>
Subject: PQC X.509 115 Hackathon pre meeting October 31st at 10am EST

I realize I failed to mention a time for our PQC x.509 pre-hackathon meeting.   This is the first hackathon I will be attending, so please forgive my newness of trying to organize this hackathon event…  😊

I am hoping it will be a fun way for us to collaborate with these new PQC key formats.   😊

For the pre-hackathon meeting we will be in gather.town on Monday the 31st in the Hackathon room table G at 10:00am EST (Easter Standard Time).
https://www.ietf.org/how/meetings/gather/

I have made up some slides, but it looks like they were blocked.   My colleague Mike Ounsworth copied the content into this google document

https://docs.google.com/document/d/1A2-D82du0qJjygvBuOlG8Xao3MzDYz1pRDzjT9eY6ls/edit?usp=sharing

Hopefully I covered everything this time.

If you can’t make this pre-meeting that is okay, we look forward to seeing you at the PQC X.509 Hackathon


Cheers,

John Gray
Entrust

From: John Gray
Sent: Friday, October 21, 2022 6:33 PM
To: Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org<mailto:Mike.Ounsworth=40entrust.com@dmarc.ietf.org>>; 'LAMPS' <spasm@ietf.org<mailto:spasm@ietf.org>>; pqc@ietf.org<mailto:pqc@ietf.org>; hackathon@ietf.org<mailto:hackathon@ietf.org>
Cc: info@baentsch.ch<mailto:info@baentsch.ch>; Felipe Ventura <Felipe.Ventura@entrust.com<mailto:Felipe.Ventura@entrust.com>>; kris@amongbytes.com<mailto:kris@amongbytes.com>; Railean, Alexander <alexander.railean@siemens.com<mailto:alexander.railean@siemens.com>>; Kretschmer, Andreas <andreas.kretschmer@siemens.com<mailto:andreas.kretschmer@siemens.com>>; Tim Hollebeek <tim.hollebeek@digicert.com<mailto:tim.hollebeek@digicert.com>>; Max Pala <M.Pala@cablelabs.com<mailto:M.Pala@cablelabs.com>>; Michael Richardson <mcr@sandelman.ca<mailto:mcr@sandelman.ca>>; Sofía Celi <cherenkov@riseup.net<mailto:cherenkov@riseup.net>>; alexandre.petrescu@gmail.com<mailto:alexandre.petrescu@gmail.com>; Klaußner, Jan <Jan.Klaussner@d-trust.net<mailto:Jan.Klaussner@d-trust.net>>; Florence D <Florence.D@ncsc.gov.uk<mailto:Florence.D@ncsc.gov.uk>>; Vaira, Antonio <antonio.vaira@siemens.com<mailto:antonio.vaira@siemens.com>>; Serge Mister <Serge.Mister@entrust.com<mailto:Serge.Mister@entrust.com>>; David Hook <dgh@cryptoworkshop.com<mailto:dgh@cryptoworkshop.com>>
Subject: RE: PQC X.509 115 Hackathon

Thanks for your interesting in the PQ Keys and Signatures in X.509 / PKIX Hackathon.   I have tried to cc those people who have expressed interest in the hackathon either via email or by discussion.   Some of you may already know each other, some of you may not.   If I forgot to include you, I apologize.   You are welcome to attend.

We are planning a pre-hackathon meeting Monday October 31st in the IETF’s gather.town in the Hackathon room table G.
https://www.ietf.org/how/meetings/gather/

This will allow everyone to test their A/V and so we can sync up about what we want to hack at.     If you can’t make the meeting, that is okay, let me know and I will send you notes.

Suggested Agenda:

  1.  Introductions
  2.  Discuss Scope (What do people want to test).  I put together this slide deck today which covers much of the scope that I envision.  Hopefully it goes through email without an issue.   Obviously it is not exhaustive, but gives a good starting point for those who may just be starting to take a look at this.

Cheers,

John Gray
Entrust



From: John Gray
Sent: Wednesday, October 12, 2022 8:20 PM
To: Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org<mailto:Mike.Ounsworth=40entrust.com@dmarc.ietf.org>>; 'LAMPS' <spasm@ietf.org<mailto:spasm@ietf.org>>; pqc@ietf.org<mailto:pqc@ietf.org>; hackathon@ietf.org<mailto:hackathon@ietf.org>
Subject: RE: PQC X.509 115 Hackathon

Thank you for all your comments and suggestions in regards to a PQC X.509 Hackathon.   We have added the details of this hackathon topic to the IETF Hackathon Wiki located here as ‘PQ keys and signatures in X.509 / PKIX’

https://wiki.ietf.org/en/meeting/115/hackathon

We hope that at least one author for each of these drafts is able to join in some capacity so we can attempt to come to a consensus on the key and signature formats of the PQ finalist algorithms.


  *   https://datatracker.ietf.org/doc/html/draft-uni-qsckeys-00.html
  *   https://datatracker.ietf.org/doc/draft-massimo-lamps-pq-sig-certificates/
We plan to distribute a set of OIDS we will use to identify the key and signature formats (we need those to interoperate with the various X.509 structures like PublicKeyInfo, PrivateKeyInfo, X509Certificate, PKCS10, X509CRL, OSCP, CMS, etc).   Ideally we suggest that these are done in an agile way in software to make it easier to plug in the real OID values once they have been officially registered.  We will use formats already suggested in existing drafts whenever possible.

I know there have already been multiple key format proposals for some of the PQ key and Signature drafts, so we can use different OIDs to designate different formats if we want to test with different key and signature formats for the same algorithms.   If there are key and signature formats that aren’t included in the list we provide, please suggest and add to the list.

I plan to add this information into the IETF GitHub repository in the next week, so stay tuned!

If there is something you think we have missed, please let us know.

Cheers,

John Gray
Entrust




From: Spasm <spasm-bounces@ietf.org<mailto:spasm-bounces@ietf.org>> On Behalf Of Mike Ounsworth
Sent: Tuesday, October 4, 2022 9:01 PM
To: 'LAMPS' <spasm@ietf.org<mailto:spasm@ietf.org>>; pqc@ietf.org<mailto:pqc@ietf.org>
Subject: [EXTERNAL] [lamps] PQC X.509 115 Hackathon

WARNING: This email originated outside of Entrust.
DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.
________________________________
Hi LAMPS and people interested in PQC!

As suggested at 114, my colleague John Gray and I would like to do a 115 Hackathon on PQ keys and signatures in X.509 / PKIX.

We are suggesting to play with Dilithium, Falcon, Sphincs+, and Composite signing algorithms in Certs, CRLs, CSRs, PKCS#12s, CMS SignedData, maybe OCSP Responses, maybe Timestamping, maybe CMP. We can bring: the Entrust Toolkit (which we can hack at), Bounce Castle, OpenQuantumSafe-openssl, OpenCA (easier if Max Pala is there, but we can probably figure out how to build it).

The point of the hackathon, I think, is going to be OIDs, and public key / private key formats (ex.: the differences between Dilithium and Falcon encodings in draft-uni-qsckeys, and draft-massimo-lamps-pq-sig-certificates).



Question 1: are others interested in joining us at the hackathon? (no point is signing up for a hackathon spot if we’re the only ones there)

Question 2: whether or not you're joining, what PQ X.509 / PKIX things would you like to see working with Dilithium, Falcon, Sphincs+, Composite?


---
Mike Ounsworth
Software Security Architect, Entrust

Any email and files/attachments transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.