IETF Logo Mail Archive

[kitten] Re: [EXTERNAL] KEM support for PKINIT

Simo Sorce <simo@redhat.com> Tue, 24 March 2026 17:54 UTC

Return-Path: <simo@redhat.com>
X-Original-To: kitten@mail2.ietf.org
Delivered-To: kitten@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 56871D0CD6C3 for <kitten@mail2.ietf.org>; Tue, 24 Mar 2026 10:54:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_NONE=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=redhat.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id znifjyfAgn3M for <kitten@mail2.ietf.org>; Tue, 24 Mar 2026 10:54:25 -0700 (PDT)
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 999EAD0CCAE8 for <kitten@ietf.org>; Tue, 24 Mar 2026 10:48:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1774374481; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Xzwmob1mk/hOScv/46JhuHXCXlN9IvPTIeZmOvbl1sY=; b=VwuBRPuOtz3ZRJKc1ZLP9PuBp2nGcGgDG6fu53Y8tLq9dRayU7ciBMGP4+lCiZbK4/ckPK W6uHNu0FGfxirgfPnt6d6ztfFBbY/FsRVHSVGZvECgsaA7ThgOtEide50rmKF94CZwFz6e N3gj/VrdL4FOC8c7E27prtWWt+AXH3g=
Received: from mail-qk1-f198.google.com (mail-qk1-f198.google.com [209.85.222.198]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-684-F6m3dDL0NR2_Nn7zVQufdQ-1; Tue, 24 Mar 2026 13:47:59 -0400
X-MC-Unique: F6m3dDL0NR2_Nn7zVQufdQ-1
X-Mimecast-MFC-AGG-ID: F6m3dDL0NR2_Nn7zVQufdQ_1774374478
Received: by mail-qk1-f198.google.com with SMTP id af79cd13be357-8cb52a9c0eeso1997867285a.2 for <kitten@ietf.org>; Tue, 24 Mar 2026 10:47:58 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1774374478; x=1774979278; h=mime-version:user-agent:content-transfer-encoding:organization :references:in-reply-to:date:to:from:subject:message-id:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=Xzwmob1mk/hOScv/46JhuHXCXlN9IvPTIeZmOvbl1sY=; b=kAO8tu7qURnqoL0ClG7RnSa7kMRA3bF2bBny/wT1LEh+CZo1Mae+NuFTqrAy2rZbY+ /iFMo0XzvODJOYKzIwNbj1APhRNklfaJudx9DqMfohTkXcEmVXQ7eZYCVWKFm1UlvrXn 3km/zVoZ6yddocE7FKGp0f52UDBJCuHrHnbaZTTsBc55PR1NiraEFvNqM1MeJcnxzn+Z 7jTVFtY91NTgMbR2dL+jzAnZ7wYBFghJ6JNR1zY1FqbifzaY8bN/+XIXKu48vus/yela vD+FvncgaYCG8KFB5tCRmH+yZCtzRDZAttXD2anHdbEHpEfoCNAvI8+vUll029EMyzj2 Lc5g==
X-Gm-Message-State: AOJu0YzT8mUaFPGZbmBzwo5OfM+DbNVl4slfyMIM8wfAVcSQiVMRffp2 TdgDGok63cR6oA/RWFihGWSQ3mmMEnS30Px7e/q5A3oReHfnd+cBz3O/O3Xqjy3UtkwejZaNg7o 7bx/tR7x2cXRtOORW8oMmIZ2mcDngbJPZH7cYG0ke2kg+7Yt6T+joTG4Y+rlgQc/ziCRTIsEWtm hWvCzizXnqrUwZk7S6b7G5FnBoc5o=
X-Gm-Gg: ATEYQzwFrUj/i874hi3Q11G+Ys+JvPnET0OIQwsWueoRLOxB88KZ2GINpvTRlBmZM6O xhhBlGuTHmnq3EXyoKPNxQ2UIKUZpptCFKvoPd9wy+8MSzSwOy72XY3kOSxOdzElUdL2wkgjrNB dW81n1IjgBRIzdU2L4NXYqRjDNMjM8ygW9BJyrlVL18img7aXOVxAGgbeSDkTHwZBVebKCBdM+z DlIfLo/DTIcsf+gp/Wp90/JTE4JsN1LEObDzpZfukQY5Ci4xNpvy7o800zsJK11qTtB/8kxHaYS Nx9ZeMUOE6FVCtEQ/toCCgbwY/NkZ7N45qgah3p6FW5kmgSBWssYmMQYCEFpo4b7FERa96emrCl HV4FXS9Z4g17x+LCKI/uDCsDtHGcLOKgUgw==
X-Received: by 2002:a05:620a:31a4:b0:8cf:df8b:1e46 with SMTP id af79cd13be357-8d000f225damr66910585a.3.1774374478434; Tue, 24 Mar 2026 10:47:58 -0700 (PDT)
X-Received: by 2002:a05:620a:31a4:b0:8cf:df8b:1e46 with SMTP id af79cd13be357-8d000f225damr66903785a.3.1774374477844; Tue, 24 Mar 2026 10:47:57 -0700 (PDT)
Received: from m8.users.ipa.redhat.com ([158.222.141.151]) by smtp.gmail.com with ESMTPSA id af79cd13be357-8cfc8f6791esm1110502485a.1.2026.03.24.10.47.56 for <kitten@ietf.org> (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 24 Mar 2026 10:47:57 -0700 (PDT)
Message-ID: <e9a2342a8bab7f8062c1527f8948a1a83d5e2eb3.camel@redhat.com>
From: Simo Sorce <simo@redhat.com>
To: kitten@ietf.org
Date: Tue, 24 Mar 2026 13:47:55 -0400
In-Reply-To: <abt4F3gvrd2W5npR@ubby>
References: <abNIUVGBcAlUwQiq@ubby> <abNQNHVnySugwSoT@ubby> <abP3s6yX8yAW2kMj@redhat.com> <CAAATZONkUB3aTqsU+N_QV3iaqof_p297kXAWOGFfxtD_0Y9ZaQ@mail.gmail.com> <abfGkjCOp70KXskO@redhat.com> <IA4PR21MB5507A6656A81AE843201340DA541A@IA4PR21MB5507.namprd21.prod.outlook.com> <abtM8/w74/MKD2/X@ubby> <DS4PR21MB6220457CC48C86DBDE5B5D5C9C4FA@DS4PR21MB6220.namprd21.prod.outlook.com> <abtXxkK9emHVMkQj@ubby> <DS4PR21MB6220198F660612D50720CBFF9C4FA@DS4PR21MB6220.namprd21.prod.outlook.com> <abt4F3gvrd2W5npR@ubby>
Organization: Red Hat
User-Agent: Evolution 3.56.2 (3.56.2-2.fc42)
MIME-Version: 1.0
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: EQ2GbvqH0M15_ogKIuPpOg-AA6PBeZE4fHwYTSaXNgg_1774374478
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: YJ6FEMLLQGRU5WFOXV3NGP6EU6MR2LJE
X-Message-ID-Hash: YJ6FEMLLQGRU5WFOXV3NGP6EU6MR2LJE
X-MailFrom: simo@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-kitten.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [kitten] Re: [EXTERNAL] KEM support for PKINIT
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/IWl-xx9mUXmrMCJihPMdV0T18F8>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Owner: <mailto:kitten-owner@ietf.org>
List-Post: <mailto:kitten@ietf.org>
List-Subscribe: <mailto:kitten-join@ietf.org>
List-Unsubscribe: <mailto:kitten-leave@ietf.org>

On Wed, 2026-03-18 at 23:14 -0500, Nico Williams wrote:
> On Thu, Mar 19, 2026 at 02:17:18AM +0000, Steve Syfuhs (AP) wrote:
> > We got off on a tangent again. :D
> 
> Right, so bringing this back on topic, please see the point about FAST
> being an absolute requirement if you reject TLS and also insist on
> supporting legacy smartcards.

FWIW while I think modernizing Symmetric Key Distribution is a good
idea in abstract, I think we should decouple it from this PKINIT
discussion.

And while I think FAST is a good thing, there is no requirement that
comes from PKINIT, legacy cards can be used until a CRQC emerges, after
which they will be have long been replaced with new cards using PQ
signatures.

Pretending old cards public keys are somehow secret will not work
anyway. And new cars won't have the problem.

So I suggest we focus on the narrow problem of updating PKINIT to
ensure it can be used with both ML-KEM for the exchange and ML-DSA
(pure) for signatures, and the rest we'll handle in some other thread.

-- 
Simo Sorce
Distinguished Engineer
RHEL Crypto Team
Red Hat, Inc

v2.46.0 | Report a Bug | By Email | System Status