[openpgp] Re: Fw: New Version Notification for draft-ietf-openpgp-pqc-05.txt

Aron Wussler <aron@wussler.it> Wed, 23 October 2024 05:47 UTC

Date: Wed, 23 Oct 2024 05:47:09 +0000
To: Simo Sorce <simo@redhat.com>
From: Aron Wussler <aron@wussler.it>
Message-ID: <ZJRdviAbKNAn5vagDb0tt4IyBGe1YAZ6-UFM_qYnWlgQGhkxcuGzjIhBgVg5vyQ4430rxz2KYbvsm6TFvAGCYLuo_zX9U9FI6kJBlSxyUAc=@wussler.it>
In-Reply-To: <e7d89e79829bb2af14d45c18195a77d31b93ffe0.camel@redhat.com>
References: <172952468697.1996193.18317768871302868182@dt-datatracker-78dc5ccf94-w8wgc> <lgzJzv6GX9ZQ_K3bRqIi9ASxbjwaZFahcghzBaHLReMHIfVpudSlnWe9wCrKniruARt3AzOpEkT8WBWjO4N1ksP9LLcq4pBu0VhrzOyqbJE=@wussler.it> <a40dad1bdb5f67586cff31469ee08d58accef8d5.camel@redhat.com> <e7d89e79829bb2af14d45c18195a77d31b93ffe0.camel@redhat.com>
CC: "openpgp@ietf.org" <openpgp@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/BsBpB0B9dWPyYR0VTyNmaT_RiJs>

Hi Simo,

Thank you for having a look :)

Since version 03, we moved the NIST and Brainpool curves to a different specification [1] to make this draft less controversial and slimmer.
I understand your concern with HW modules, and given that additional codepoints can be standardized with expert review (no need for an RFC), I feel like the split draft approach caters to everyone, without slowing the main draft down.

As a side note, the KEM proposed in this draft should be FIPS certifiable: FIPS 203 is now out, and the key derivation / combination can be seen as an SP 800-108 derivation of the resulting secret. The CNSA 2.0 guideline does not require hybrids.

Cheers,
Aron

[1] https://github.com/openpgp-pqc/draft-ehlen-openpgp-nist-bp-comp/tree/main

--
Aron Wussler
Sent with ProtonMail, OpenPGP key 0x7E6761563EFE3930
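A worked illustration of the "key derivation / combination" point above and of the KEM-combiner reading Simo gives in the quoted message below. This is an example added here; it is not code from draft-ietf-openpgp-pqc (which defines its own combiner that this block does not reproduce) and not either author's. It implements an SP 800-108 counter-mode KDF with HMAC-SHA-256 as the PRF, uses the ECC shared secret as the key-derivation key, and feeds the ML-KEM shared secret, both ciphertexts and a fixed-info string in as Context. The function names, the label string and all byte values are assumptions constructed for the example.

```python
import hashlib
import hmac


def sp800_108_counter_kdf(key_in: bytes, label: bytes, context: bytes, out_len: int) -> bytes:
    """SP 800-108 KDF in counter mode with PRF = HMAC-SHA-256.

    Block i of the output is
        K(i) = HMAC(key_in, [i]_4 || label || 0x00 || context || [L]_4)
    where [i]_4 is a 4-byte big-endian counter and L is the requested output
    length in bits.  Blocks are concatenated and truncated to out_len bytes.
    """
    if out_len <= 0:
        raise ValueError("out_len must be positive")
    h_len = hashlib.sha256().digest_size
    n_blocks = -(-out_len // h_len)  # ceiling division
    length_field = (out_len * 8).to_bytes(4, "big")
    output = b""
    for i in range(1, n_blocks + 1):
        fixed_input = i.to_bytes(4, "big") + label + b"\x00" + context + length_field
        output += hmac.new(key_in, fixed_input, hashlib.sha256).digest()
    return output[:out_len]


def hybrid_kek(ecc_share: bytes, ecc_ct: bytes, mlkem_share: bytes, mlkem_ct: bytes,
               fixed_info: bytes, out_len: int = 32) -> bytes:
    """Illustrative hybrid combiner (an assumption for this example, not the draft's).

    The classical (ECC) shared secret is the key-derivation key.  The ML-KEM
    shared secret, both ciphertexts and the caller's fixed info all go into the
    Context field, i.e. from the KDF's point of view they are additional data.
    Binding both ciphertexts ties the derived key to the exact encapsulations.
    """
    context = mlkem_share + ecc_ct + mlkem_ct + fixed_info
    return sp800_108_counter_kdf(ecc_share, b"hybrid-kem-combiner-example", context, out_len)


# Constructed sample inputs (not real KEM outputs); fixed so the run is reproducible.
ECC_SHARE = bytes(range(32))
ECC_CT = b"\xaa" * 32
MLKEM_SHARE = b"\x11" * 32
MLKEM_CT = b"\xbb" * 64
FIXED_INFO = b"OpenPGP hybrid KEM example"


def demo() -> dict:
    """Derive a KEK from the constructed inputs and check what changes it."""
    kek = hybrid_kek(ECC_SHARE, ECC_CT, MLKEM_SHARE, MLKEM_CT, FIXED_INFO)
    kek_again = hybrid_kek(ECC_SHARE, ECC_CT, MLKEM_SHARE, MLKEM_CT, FIXED_INFO)
    # Flip one bit of the ML-KEM share: it is "only context", yet the KEK changes.
    tampered_share = bytes([MLKEM_SHARE[0] ^ 0x01]) + MLKEM_SHARE[1:]
    kek_pq_changed = hybrid_kek(ECC_SHARE, ECC_CT, tampered_share, MLKEM_CT, FIXED_INFO)
    # Swap the ML-KEM ciphertext: the KEK changes as well, since it is bound too.
    kek_ct_changed = hybrid_kek(ECC_SHARE, ECC_CT, MLKEM_SHARE, b"\xcc" * 64, FIXED_INFO)
    return {
        "kek": kek,
        "deterministic": kek == kek_again,
        "pq_share_bound": kek != kek_pq_changed,
        "pq_ct_bound": kek != kek_ct_changed,
    }


if __name__ == "__main__":
    result = demo()
    print("KEK:", result["kek"].hex())
    print("deterministic:", result["deterministic"])
    print("ML-KEM share bound:", result["pq_share_bound"])
    print("ML-KEM ciphertext bound:", result["pq_ct_bound"])
```

The structure is what matters here: the only secret the KDF is keyed with is the classical ECC share, and everything post-quantum arrives through the Context input. That is the sense in which Simo's message below says the PQ part is "just seen as additional data" by an approved KDF; whether a particular module and validation lab accept that reading is a certification question the code cannot settle.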



On Tuesday, 22 October 2024 at 22:49, Simo Sorce <simo@redhat.com> wrote:

> On Tue, 2024-10-22 at 16:42 -0400, Simo Sorce wrote:
> > Hi Aron,
> >
> > great work on the update!
> >
> > That said I have to ask if there is apce for adding NIST ECC curves
> > here.
> >
> > While Ed25519/Ed448 have been recently approved for use in FIPS modules
> > via revision 5 of FIPS-186 there is yet no approval for the use of
> > X25519/X448 as SP 800-56A has not been extended to cover them.
> >
> > It would be useful if at least one KEM option would be defined using
> > NIST curves for the classic algorithm part.
> >
> > Ideally both KEM and Signatures can use the classic NIST approved
> > curves, as adding an Edwards curve implementation to existing modules
> > may not be trivial and time would be better spent properly implementing
> > ML-DSA and ML-KEM while reusing a proven and hardened P256/P384/P521
> > implementation for the classic part.
> >
> > I understand the desire to avoid too many combinations, but a standard
> > should also look at the practicalities of deployment IMHO.
> >
> > HTH,
> > Simo.
>
> That 'apce' above is a typo for "space" ... sigh.
>
> And I forgot to add that if classic NIST curves were available, then
> existing and certified HW tokens that implement those curves could be
> used in conjunction with a non certified software implementation of ML-KEM
> and ML-DSA resulting still in a FIPS compliant tool as for KEM
> combiner the PQ part is just seen as additional data and does not
> "break" FIPS compliance, while for Signatures the certified signature
> function is sufficient to claim a compliant verification is done.
>
> This means existing tokens could be used while we wait for new ones
> that can provide certified ML-KEM and ML-DSA implementations.
>
> Simo.
>
> --
> Simo Sorce
> Distinguished Engineer
> RHEL Crypto Team
> Red Hat, Inc