Re: [saag] post-X509 cryptographic identities

[Stephen Farrell <stephen.farrell@cs.tcd.ie>]

Hiya,

On 12/02/2020 00:02, Eric Rescorla wrote:
> Well...
> It's already straightforward to integrate PQ key establishment into TLS w/o
> X.509.

I don't accept "straightforward" fwiw for the reason set
out at the end.

> It's also possible to do PQ authentication w/ Delegated Keys.

Yes, possibly so. Delegated keys is not IMO a part of x.509
but kind of extends that a little but is a new model.
Should such keys become common, that might get interesting.

> Finally, TLS supports new credential types via the "certiifcate_type"
> extension, so if you were to define some new kind of credential structure,
> TLS could take it easily. However, it's hard to see how that would actually
> fit into existing deployments of TLS, which are already rooted in the
> WebPKI; 

Yes, it would be hard to change the web from the WebPKI
being the only source of CA public keys for TLS. (Mind
you, the real root of trust is the browser or OS s/w update
mechanism which is not what many would call the WebPKI.)
Any also yes, any such change would have to be desirable
for those involved - there's no point in a supposedly
better technical thing that nobody relevant likes. (I
guess that's part of where DANE didn't work for the web
in the end.)

> if we wanted to add PQ signatures to TLS for the Web, we would do
> it by defining new algorithms for X.509.

I agree that that is the approach most likely to be the
initial one considered by those interested in the status
quo:-)

To be fair though, yes, the TLS issues would be fairly
straightforward if we had a new PQ algorithm that we all
considered good enough by itself. I don't believe that
that will be the case though, for fairly well rehearsed
and not-crazy reasons. And the mix of multiple algorithms
in one cert thing is just not x.509 IMO, no matter how
often someone tries to put that lipstick on that animal.
(And the same applies to stateful signature schemes.)

Cheers,
S.