Re: [hackathon] PQC X.509 115 Hackathon pre meeting minutes

Michael Baentsch <info@baentsch.ch> Tue, 01 November 2022 06:15 UTC

To: John Gray <John.Gray@entrust.com>, 'LAMPS' <spasm@ietf.org>, "hackathon@ietf.org" <hackathon@ietf.org>
Cc: Felipe Ventura <Felipe.Ventura@entrust.com>, "kris@amongbytes.com" <kris@amongbytes.com>, "Railean, Alexander" <alexander.railean@siemens.com>, "Kretschmer, Andreas" <andreas.kretschmer@siemens.com>, Tim Hollebeek <tim.hollebeek@digicert.com>, Max Pala <M.Pala@cablelabs.com>, Michael Richardson <mcr@sandelman.ca>, Sofía Celi <cherenkov@riseup.net>, "alexandre.petrescu@gmail.com" <alexandre.petrescu@gmail.com>, "Klaußner, Jan" <Jan.Klaussner@d-trust.net>, Florence D <Florence.D@ncsc.gov.uk>, "Vaira, Antonio" <antonio.vaira@siemens.com>, Serge Mister <Serge.Mister@entrust.com>, David Hook <dgh@cryptoworkshop.com>, Carl Wallace <carl@redhoundsoftware.com>, "Markku-Juhani O. Saarinen" <mjos@pqshield.com>, "pat.kelsey@notforadio.com" <pat.kelsey@notforadio.com>

Thanks, John for the summary & apologies for not having been able to 
participate in the pre-meeting yesterday.

FYI/one correction to the below: The "OID-by-env-var" option is only 
available for 
[oqsprovider](https://github.com/open-quantum-safe/oqs-provider), the 
OpenSSL3 (binary/standard OSSL3-API) plugin for liboqs (for which I am 
the lead developer). It is _not_ available for 
[oqs-openssl](https://github.com/open-quantum-safe/openssl), the 
OpenSSL1.1.1 fork fusing liboqs with libssl/libcrypto calls to provide 
PQ capabilities (for which I am only a "late" contributor: That fork was 
implemented many years ago, i.e., has a totally different code base 
& TLS/X.509 integration approach than oqsprovider). Both only share 
their use of liboqs.

Regards,

--Michael

On 01.11.22 at 04:33, John Gray wrote:
>
> Thanks for attending the pre-meeting today!  I think it was very 
> productive.   For those of you who could not make it, here is a summary:
>
>  1. We decided to use gather
>     (https://www.ietf.org/how/meetings/gather/) to connect the onsite
>     participants with the remote participants at the following times:
>
>   * Saturday November 5th at 10am and 4pm GMT (London England Time)
>   * Sunday November 6th at 10am and 1pm GMT (London England Time) –
>     The final presentations are at 2:00 pm on Sunday.
>
> I also updated the team schedule with the above information:
> https://wiki.ietf.org/meeting/115/hackathon/teamschedule
>
>  2. To foster communication, we decided to use the Hackathon Github to
>     share files, though perhaps there are better IETF tools that would
>     allow us to do this easier.  Pushing and pulling code is always
>     fun, but dropping in files is probably easier if there is such a
>     tool that isn’t too onerous to setup.
>  3. We also talked a bit about the key formats themselves:
>      1. For the PQ Public Key, we seemed to agree that having the key
>         encoded as an OCTET_STRING agrees with the current draft
>         standards (dilithium for example).   We understand it uses an
>         extra 4 bytes when it is placed inside the standard
>         SubjectPublicKeyInfo, but for the sake of compatibility it
>         doesn’t seem like a big deal.    It is fairly trivial for
>         encoders and decoders to unwrap these messages.   We can use
>         the same procedure for the other algorithms (Falcon, SPHINCS+
>         and Kyber).
>      2. For the Private Key, we discussed the issue of concatenation
>         of the public key with the private key (as is done in openSSL
>         by default).  Some software implementations need access to the
>         public key.  I also learned from Markku that the Kyber private
>         key already concatenates the full public key.   We seemed to
>         agree that this structure should work in all cases:
>
> PQPrivateKey ::= SEQUENCE {
>     version             Version,
>     privateKeyAlgorithm PrivateKeyAlgorithmIdentifier,
>     privateKey          OCTET STRING,
>     publicKey           [1] PQPublicKey OPTIONAL
> }
>
> In the case of Kyber, the OPTIONAL publicKey can be omitted as it is 
> already part of the private key.  For the other algorithms it can be 
> included based on application need.   It is also recognized that many 
> applications can just use their own PrivateKey format.  The above is 
> only needed when interchanging private keys (PKCS#12 for example).
>
>      3. For the OIDs, the key seems to be agility.   It seems a number
>         of people are planning to support both sets of OIDS  I sent
>         out earlier (the OQS OIDS and the Entrust OIDS for
>         interoperability).   Carl mentioned he is planning to support
>         all of them, I am working on supporting all of them at once,
>         and I also learned from Michael Baentsch (lead developer for
>         openSSL-oqs) that there is a way to override the OIDS with
>         simple environment variable commands!    He put together this
>         page for us at
>         https://github.com/open-quantum-safe/oqs-provider/wiki/Interoperability#ietf-115-hackathon
>         Ideally we want the ability to drop in whatever OIDs get
>         standardized on short notice, so designing software with that
>         in mind will help collaboration at this time.
>
>  4. A question on how interactive protocols (CMPv2, SSH, etc) could be
>     tested came up.  Essentially we would need to be able to
>     communicate over an internal network so a server/client can
>     communicate.    Since the event is hosted by Cisco we are assuming
>     there will be some way to accommodate this at the event? 😊
>  5. We also talked about composite, and a few people are interested in
>     testing this format as well, so that is great!
>  6. We briefly touched on signatures, but didn’t get too far into the
>     “hash-then-sign” weeds, as that question comes up.  I imagine it
>     will keep coming up until this issue is fully resolved for the PQ
>     context.   Markku mentioned the XMSS standards do some type of
>     preformatting of the hash, so looking at that may offer some
>     useful guidance.  For our hackathon I think we agree we will stick
>     to full message signing for now.   Obviously there is no reason
>     signing a hash of a message wouldn’t work,  from an algorithms
>     perspective it is just a smaller blob of bits being signed. 😊
>
> I think that about covers everything we talked about today.
>
> See you at the Hackathon on Saturday if you can make it either on 
> gather (online) or in person.
>
> Cheers,
>
> John Gray
>
> *From:* John Gray
> *Sent:* Tuesday, October 25, 2022 10:16 PM
> *To:* Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>; 
> 'LAMPS' <spasm@ietf.org>; pqc@ietf.org; hackathon@ietf.org
> *Cc:* info@baentsch.ch; Felipe Ventura <Felipe.Ventura@entrust.com>; 
> kris@amongbytes.com; Railean, Alexander 
> <alexander.railean@siemens.com>; Kretschmer, Andreas 
> <andreas.kretschmer@siemens.com>; Tim Hollebeek 
> <tim.hollebeek@digicert.com>; Max Pala <M.Pala@cablelabs.com>; Michael 
> Richardson <mcr@sandelman.ca>; Sofía Celi <cherenkov@riseup.net>; 
> alexandre.petrescu@gmail.com; Klaußner, Jan 
> <Jan.Klaussner@d-trust.net>; Florence D <Florence.D@ncsc.gov.uk>; 
> Vaira, Antonio <antonio.vaira@siemens.com>; Serge Mister 
> <Serge.Mister@entrust.com>; David Hook <dgh@cryptoworkshop.com>
> *Subject:* PQC X.509 115 Hackathon pre meeting October 31st at 10am EST
>
> I realize I failed to mention a time for our PQC x.509 pre-hackathon 
> meeting.   This is the first hackathon I will be attending, so please 
> forgive my newness of trying to organize this hackathon event… 😊
>
> I am hoping it will be a fun way for us to collaborate with these new 
> PQC key formats. 😊
>
> For the pre-hackathon meeting we will be in gather.town on Monday the 
> 31st in the Hackathon room table G at 10:00am EST (Eastern Standard 
> Time).
>
> https://www.ietf.org/how/meetings/gather/
>
> I have made up some slides, but it looks like they were blocked.   My 
> colleague Mike Ounsworth copied the content into this google document
>
> https://docs.google.com/document/d/1A2-D82du0qJjygvBuOlG8Xao3MzDYz1pRDzjT9eY6ls/edit?usp=sharing
>
> Hopefully I covered everything this time.
>
> If you can’t make this pre-meeting that is okay, we look forward to 
> seeing you at the PQC X.509 Hackathon
>
> Cheers,
>
> John Gray
>
> Entrust
>
> *From:* John Gray
> *Sent:* Friday, October 21, 2022 6:33 PM
> *To:* Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>; 
> 'LAMPS' <spasm@ietf.org>; pqc@ietf.org; hackathon@ietf.org
> *Cc:* info@baentsch.ch; Felipe Ventura <Felipe.Ventura@entrust.com>; 
> kris@amongbytes.com; Railean, Alexander 
> <alexander.railean@siemens.com>; Kretschmer, Andreas 
> <andreas.kretschmer@siemens.com>; Tim Hollebeek 
> <tim.hollebeek@digicert.com>; Max Pala <M.Pala@cablelabs.com>; Michael 
> Richardson <mcr@sandelman.ca>; Sofía Celi <cherenkov@riseup.net>; 
> alexandre.petrescu@gmail.com; Klaußner, Jan 
> <Jan.Klaussner@d-trust.net>; Florence D <Florence.D@ncsc.gov.uk>; 
> Vaira, Antonio <antonio.vaira@siemens.com>; Serge Mister 
> <Serge.Mister@entrust.com>; David Hook <dgh@cryptoworkshop.com>
> *Subject:* RE: PQC X.509 115 Hackathon
>
> Thanks for your interest in the PQ Keys and Signatures in X.509 / 
> PKIX Hackathon.   I have tried to cc those people who have expressed 
> interest in the hackathon either via email or by discussion.   Some of 
> you may already know each other, some of you may not.   If I forgot to 
> include you, I apologize.   You are welcome to attend.
>
> We are planning a pre-hackathon meeting Monday October 31st in the 
> IETF’s gather.town in the Hackathon room table G.
>
> https://www.ietf.org/how/meetings/gather/
>
> This will allow everyone to test their A/V and so we can sync up about 
> what we want to hack at.     If you can’t make the meeting, that is 
> okay, let me know and I will send you notes.
>
> Suggested Agenda:
>
>  1. Introductions
>  2. Discuss Scope (What do people want to test).  I put together this
>     slide deck today which covers much of the scope that I envision. 
>     Hopefully it goes through email without an issue.   Obviously it
>     is not exhaustive, but gives a good starting point for those who
>     may just be starting to take a look at this.
>
> Cheers,
>
> John Gray
>
> Entrust
>
> *From:* John Gray
> *Sent:* Wednesday, October 12, 2022 8:20 PM
> *To:* Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>; 
> 'LAMPS' <spasm@ietf.org>; pqc@ietf.org; hackathon@ietf.org
> *Subject:* RE: PQC X.509 115 Hackathon
>
> Thank you for all your comments and suggestions in regards to a PQC 
> X.509 Hackathon.   We have added the details of this hackathon topic 
> to the IETF Hackathon Wiki located here as ‘*PQ keys and signatures in 
> X.509 / PKIX*’
>
> https://wiki.ietf.org/en/meeting/115/hackathon
>
> We hope that at least one author for each of these drafts is able to 
> join in some capacity so we can attempt to come to a consensus on the 
> key and signature formats of the PQ finalist algorithms.
>
>   * https://datatracker.ietf.org/doc/html/draft-uni-qsckeys-00.html
>   * https://datatracker.ietf.org/doc/draft-massimo-lamps-pq-sig-certificates/
>
> We plan to distribute a set of OIDS we will use to identify the key 
> and signature formats (we need those to interoperate with the various 
> X.509 structures like PublicKeyInfo, PrivateKeyInfo, X509Certificate, 
> PKCS10, X509CRL, OCSP, CMS, etc).   Ideally we suggest that these are 
> done in an agile way in software to make it easier to plug in the real 
> OID values once they have been officially registered.  We will use 
> formats already suggested in existing drafts whenever possible.
>
> I know there have already been multiple key format proposals for some 
> of the PQ key and Signature drafts, so we can use different OIDs to 
> designate different formats if we want to test with different key and 
> signature formats for the same algorithms.   If there are key and 
> signature formats that aren’t included in the list we provide, please 
> suggest and add to the list.
>
> I plan to add this information into the IETF GitHub repository in the 
> next week, so stay tuned!
>
> If there is something you think we have missed, please let us know.
>
> Cheers,
>
> John Gray
>
> Entrust
>
> *From:* Spasm <spasm-bounces@ietf.org> *On Behalf Of *Mike Ounsworth
> *Sent:* Tuesday, October 4, 2022 9:01 PM
> *To:* 'LAMPS' <spasm@ietf.org>; pqc@ietf.org
> *Subject:* [EXTERNAL] [lamps] PQC X.509 115 Hackathon
>
> Hi LAMPS and people interested in PQC!
>
> As suggested at 114, my colleague John Gray and I would like to do a 
> 115 Hackathon on PQ keys and signatures in X.509 / PKIX.
>
> We are suggesting to play with Dilithium, Falcon, Sphincs+, and 
> Composite signing algorithms in Certs, CRLs, CSRs, PKCS#12s, CMS 
> SignedData, maybe OCSP Responses, maybe Timestamping, maybe CMP. We 
> can bring: the Entrust Toolkit (which we can hack at), Bouncy Castle, 
> OpenQuantumSafe-openssl, OpenCA (easier if Max Pala is there, but we 
> can probably figure out how to build it).
>
> The point of the hackathon, I think, is going to be OIDs, and public 
> key / private key formats (ex.: the differences between Dilithium and 
> Falcon encodings in draft-uni-qsckeys, and 
> draft-massimo-lamps-pq-sig-certificates).
>
> Question 1: are others interested in joining us at the hackathon? (no 
> point in signing up for a hackathon spot if we’re the only ones there)
>
> Question 2: whether or not you're joining, what PQ X.509 / PKIX things 
> would you like to see working with Dilithium, Falcon, Sphincs+, Composite?
>
> ---
> Mike Ounsworth
> Software Security Architect, Entrust
>
>
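
The public-key wrapping from item 3.1 of the quoted minutes, as an added example that is not part of the thread or of any participant's code: a minimal DER encoder and strict decoder that place a raw key inside SubjectPublicKeyInfo with and without the OCTET STRING layer, so the size cost and the unwrap step can be checked. Assumptions: the OID 2.999.1 is a placeholder from the example arc, the key bytes are constructed, and all function names are hypothetical. It goes beyond the text in showing that the 4-byte figure holds for keys of 256 to 65535 bytes (a shorter key costs fewer bytes) and that a decoder has to be told, for instance by OID, which of the two formats to expect.

```python
# Added example (stdlib only): PQ public key as an OCTET STRING inside SubjectPublicKeyInfo.
PLACEHOLDER_OID = "2.999.1"                     # example arc, NOT a real algorithm OID
SAMPLE_KEY = bytes(range(256)) * 5 + bytes(32)  # constructed 1312-byte stand-in key

def der_len(n):                                 # DER definite length
    if n < 0x80:
        return bytes([n])                       # short form
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body     # long form, minimal number of octets

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def encode_oid(dotted):
    arcs, out = [int(a) for a in dotted.split(".")], bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]                    # base-128, high bit set on all but last
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def encode_spki(oid, raw_key, wrap=True):
    key = tlv(0x04, raw_key) if wrap else raw_key
    alg = tlv(0x30, encode_oid(oid))            # AlgorithmIdentifier, no parameters
    return tlv(0x30, alg + tlv(0x03, b"\x00" + key))  # BIT STRING, 0 unused bits

def read_tlv(buf, pos, want_tag):
    """Return (content, next_pos); reject wrong tag, non-minimal or overlong length."""
    if pos + 2 > len(buf) or buf[pos] != want_tag:
        raise ValueError("unexpected tag")
    n, pos = buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        if pos > len(buf) or der_len(n) != buf[pos - k - 1:pos]:
            raise ValueError("bad or non-minimal length")
    if pos + n > len(buf):
        raise ValueError("truncated")
    return buf[pos:pos + n], pos + n

def decode_spki(der, wrapped=True):
    """Return the raw key; the caller states which format the OID implies."""
    spki, end = read_tlv(der, 0, 0x30)
    _alg, pos = read_tlv(spki, 0, 0x30)
    bits, bits_end = read_tlv(spki, pos, 0x03)
    key, key_end = read_tlv(bits, 1, 0x04) if wrapped else (bits[1:], len(bits))
    if (end, bits_end, key_end) != (len(der), len(spki), len(bits)) or bits[:1] != b"\x00":
        raise ValueError("trailing data or non-zero unused bits")
    return key

def wrapping_overhead(key_len):                 # bytes added by the OCTET STRING layer
    wrapped, bare = (len(encode_spki(PLACEHOLDER_OID, bytes(key_len), w)) for w in (True, False))
    return wrapped - bare
```

Decoding a wrapped key as if it were unwrapped does not fail; it returns the key with the 4 header bytes `04 82 05 20` still attached, which is why the expected format should be tied to the OID rather than guessed from the bytes.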