Re: [saag] SSH & Ntruprime
Paul Wouters <paul.wouters@aiven.io> Wed, 10 April 2024 18:01 UTC
Return-Path: <paul.wouters@aiven.io>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5DBCDC14F600 for <saag@ietfa.amsl.com>; Wed, 10 Apr 2024 11:01:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.096
X-Spam-Level:
X-Spam-Status: No, score=-7.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=aiven.io
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PY2RzHH3WTEA for <saag@ietfa.amsl.com>; Wed, 10 Apr 2024 11:01:20 -0700 (PDT)
Received: from mail-ej1-x632.google.com (mail-ej1-x632.google.com [IPv6:2a00:1450:4864:20::632]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0E505C14F601 for <saag@ietf.org>; Wed, 10 Apr 2024 11:01:20 -0700 (PDT)
Received: by mail-ej1-x632.google.com with SMTP id a640c23a62f3a-a519ef3054bso669363266b.1 for <saag@ietf.org>; Wed, 10 Apr 2024 11:01:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aiven.io; s=google; t=1712772078; x=1713376878; darn=ietf.org; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=RiFV/2muVCA2CPSxnBZbo0AyWpaUDv/S4czow3VSZ1Q=; b=qw89P5AZipNg8pwpDkAS3k+74K9Il2gOKOo8+pphUB/8NCEqx1t6NoCnPcy5jYdOi7 inyqBxVw7qzyuZc5EUZI0TpSsx0YzkYLe11b8cCyZaMLsL2pVdVkn3t9cVVGCaWskmcM 3pjWKqV53/+nBi5HJyUMw6Gdg/Kfl6xLmv+Xo=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712772078; x=1713376878; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=RiFV/2muVCA2CPSxnBZbo0AyWpaUDv/S4czow3VSZ1Q=; b=fSaHbTB0CzVOcFnBkd31q0UgHCd7axPojZK1PfYnUS2GP1fK2UgFmjwVf1eCKBKp7R XUqzSWaIyGqkW0OtGjjp3G5XXyqsyH0+0OyxO+ASF1qZOTzx+WotDHDhakMzghdeNWeo /EI9peoY9+ipq17Vu/cN+6Ps+p64PT2RZi5M36UL0cd/CYdhIzGU6n2XiYniUuXZtdbC Na2BbMs5Vr1Ssjo0MJ+GgAsZrk3rNnxFa/+C7J0jRkD90RsiqL/Vumf+ZzT4RKpEAsBl bwQ3MV+eLGiH4jGYHcusRB+Z0sU/L+R3cFOZUOSu5CimS/1RyRlBbucWKHaqAhWDYtEL fNsQ==
X-Gm-Message-State: AOJu0YyEtCX0VusBE6leoKDK3yBeLos2hc5MmatDpF4CdbMc0eWXtVh+ oA8gWZIjDWoZ6zSjW2sP7tidjb6/3V9YNSn51F7wXIVqLT/+kq1+Nq+0GZf7v3fcAyeIyDi0t0j CiwjsOtv7G6w40k9vWtxnvQepnFQ7DazHeHQAQY/3w673LPeaqJU=
X-Google-Smtp-Source: AGHT+IEBH6Ciqgcm1pOplZBDKIWT+7ikl4XiWJ+eDQ5ImiJpTEAmU/g0YkQc2GbSDVSiVeAM3Q53CIr+11YEzvfnfiU=
X-Received: by 2002:a17:906:a0c7:b0:a4e:1154:fa46 with SMTP id bh7-20020a170906a0c700b00a4e1154fa46mr2223061ejb.70.1712772077863; Wed, 10 Apr 2024 11:01:17 -0700 (PDT)
MIME-Version: 1.0
References: <CAGL5yWaJXRDyiQ=w2XJcoFhCQ3JDriqO+jAcOKz7J4kW2PY=uw@mail.gmail.com> <20240410112929.2147861.qmail@cr.yp.to>
In-Reply-To: <20240410112929.2147861.qmail@cr.yp.to>
From: Paul Wouters <paul.wouters@aiven.io>
Date: Wed, 10 Apr 2024 14:01:05 -0400
Message-ID: <CAGL5yWbdAD31-cA15MACTq5OF=iZPU7qAGKfKJoPy3zNio=cnA@mail.gmail.com>
To: saag@ietf.org
Content-Type: multipart/alternative; boundary="00000000000048af6f0615c1d369"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/9e1QheO1L6SVBX3a8mFSij9AgHw>
Subject: Re: [saag] SSH & Ntruprime
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Apr 2024 18:01:24 -0000
On Wed, Apr 10, 2024 at 7:29 AM D. J. Bernstein <djb@cr.yp.to> wrote: > Paul Wouters writes: > > On Fri, Apr 5, 2024 at 12:28 PM D. J. Bernstein <djb@cr.yp.to> wrote: > > > The elephant in the room is the patent minefield surrounding Kyber. > > I do not see how this relates to a request for an AD sponsored draft > > for NTRUprime for SSH. > > Simplest answer: The Crypto Review Panel review in question (1) says > that it's not clear why to consider sntrup given NIST's selection of > Kyber That was one of their considerations, yes. The fact that the cryptographic research communities are focusing on NIST candidates does mean that those proposed algorithms will see a lot more scrutiny and research. Similar to how TWOFISH and SERPENT didn't really see much research once RIJNDAEL became AES. Are those two algorithms safe? Probably? Likely? Maybe? But we wouldn't recommend their use now and I would also not AD sponsor TWOFISH or SERPENT at this time either. Some of the NIST candidates were broken because they were scrutinized because they were candidates. Should the IETF really recommend a dropped candidate at this stage? I do not think so, and that is not a political argument. The Crypto Panel review also listed some technical points, which you seem to have left out in your latest email: My suggestions are to describe much more more explicitly the combiner use (typically CAT then KDF), quote the relevant literature (on combiners and previous attempts on hybrid KEM for SSH such as [PQSSH1]) and consider including ML-KEM. The normal IETF process is that change control is with the IETF. Would the draft authors be willing to make the changes recommended by the Crypto Panel? If not, what would be the reason for IETF to continue publication and lend its reputation to this then uncooperative team? > , but (2) fails to consider the IETF policy preference for choices > with no known patent claims. See my previous message for further details > and other connections. > Patent claims are not the issue, as long as the conditions for using the patents are not encumbered. It seems that those will not be an issue as otherwise the NIST chosen algorithm would not be useful. In the unlikely case that this would become a problem, the IETF would look at the international cryptographic community (via CFRG) on next steps. While NTRUprime might be one of the alternatives, it is not at all clear that would be the most favourable alternative. I understand you feel differently. > > Luckily, and due to the transparency of all IETF processes, you seem > > to have managed to find the review I was talking about. > > To clarify, are you sure that your summary was talking about the review > that I quoted? That is correct. > If so, can you please explain how readers can match your > summary to the review text? > I will let readers read for themselves. Both messages are in the public archive. > Note that I also heard a similar position about NTRUprime from outside > > the IETF in the academic world of cryptography. > > To clarify, are you referring to _public_ claims? If so, please provide > a URL. If not, can you please clarify how inserting rumors into IETF > discussions and advocating decisions on that basis is compatible with > "the transparency of all IETF processes"? > These were informal conversations I had. I will let those people make their own decisions about stating things publicly. Some people prefer to not engage with you due to previous negative experiences with your method of discussion. Anyone who feels uncomfortable with the reference I made should attach a zero weight to it. > > > > https://mailarchive.ietf.org/arch/msg/crypto-panel/kDiLLcVOhwoix5BUDdv4r91ZhfY/ > > > whose comments about sntrup (1) are purely political and (2) fail to > say > > > anything about patents. > > This is an at hominem attack that violates the code of conduct as > > specified in RFC 7154. > > Absolutely not. These are observations about the text of the review and > have nothing whatsoever to do with the question of who wrote the review. > I also quoted the text, so everyone can see that it isn't a review of > the technology and isn't saying anything about patents; it's pointing to > NIST's selection of Kyber and making claims about popularity before and > after the selection. Here's the text again: > I think I addressed this above as well. Stating one group of algorithms is seeing much more public discourse than others because of their appearance in a NIST competition is not making a political statement. > Responding to such a challenge by characterizing it as an ad-hominem > attack is factually incorrect and actively interferes with proper > handling of the challenge. > I disagree. Additionally, you did not seem to respond to the technical issues raised in that same review, such as the issue of the combiner being underspecified and subpar. Are the draft authors willing to remediate this in the draft? And to close one last point on your statement that Roman promised publication, please see: https://mailarchive.ietf.org/arch/msg/secdispatch/uM9_Vy97C53MWoLSFNuRKUC6iuA/ Roman said he was "going to AD sponsor", pending some items, such as the Crypto Panel Review, to ensure new cryptography to the IETF wouldn't be included without vetting. Unfortunately, that review did raise some issues, and Roman did not proceed. To summarize again. An IETF codepoint is not necessary for deploying NTRUprime with SSH, as the current widely deployed OpenSSH implementation shows. The IETF has a process for cryptographic algorithm selections, which should not normally be bypassed by a non-consensus "AD sponsored" route. As deployment is already widespread according to the proponents, the IETF is not blocking the use of NTRUprime. I do not believe an AD sponsored RFC that rubberstamps an outside cryptographic algorithm, which cryptographic experts inside the IETF would want to see improved before publication, is currently warranted. Paul
- [saag] SSH & Ntruprime Loganaden Velvindron
- Re: [saag] SSH & Ntruprime D. J. Bernstein
- Re: [saag] SSH & Ntruprime Harry Halpin
- Re: [saag] SSH & Ntruprime Eric Rescorla
- Re: [saag] SSH & Ntruprime Paul Wouters
- Re: [saag] SSH & Ntruprime Simon Josefsson
- Re: [saag] SSH & Ntruprime Loganaden Velvindron
- Re: [saag] SSH & Ntruprime Eric Rescorla
- Re: [saag] SSH & Ntruprime Eric Rescorla
- Re: [saag] SSH & Ntruprime Eliot Lear
- Re: [saag] SSH & Ntruprime Eric Rescorla
- Re: [saag] SSH & Ntruprime Eliot Lear
- Re: [saag] SSH & Ntruprime Orie Steele
- Re: [saag] SSH & Ntruprime Eric Rescorla
- Re: [saag] SSH & Ntruprime Eric Rescorla
- Re: [saag] SSH & Ntruprime Eliot Lear
- Re: [saag] SSH & Ntruprime Eric Rescorla
- Re: [saag] SSH & Ntruprime Eliot Lear
- Re: [saag] SSH & Ntruprime Eric Rescorla
- Re: [saag] SSH & Ntruprime Jan-Frederik Rieckers
- Re: [saag] SSH & Ntruprime Orie Steele
- Re: [saag] SSH & Ntruprime Eric Rescorla
- Re: [saag] SSH & Ntruprime Michael StJohns
- Re: [saag] SSH & Ntruprime Eric Rescorla
- Re: [saag] SSH & Ntruprime Orie Steele
- Re: [saag] SSH & Ntruprime Salz, Rich
- Re: [saag] SSH & Ntruprime Eliot Lear
- Re: [saag] SSH & Ntruprime Melinda Shore
- Re: [saag] SSH & Ntruprime Michael StJohns
- Re: [saag] SSH & Ntruprime Salz, Rich
- Re: [saag] SSH & Ntruprime Eric Rescorla
- Re: [saag] SSH & Ntruprime Salz, Rich
- Re: [saag] SSH & Ntruprime S Moonesamy
- Re: [saag] SSH & Ntruprime Michael StJohns
- Re: [saag] SSH & Ntruprime Salz, Rich
- Re: [saag] SSH & Ntruprime Michael StJohns
- Re: [saag] SSH & Ntruprime Salz, Rich
- Re: [saag] SSH & Ntruprime Salz, Rich
- Re: [saag] SSH & Ntruprime Eliot Lear
- Re: [saag] SSH & Ntruprime Michael StJohns
- Re: [saag] SSH & Ntruprime Ira McDonald
- Re: [saag] SSH & Ntruprime Michael Richardson
- Re: [saag] SSH & Ntruprime Paul Wouters
- Re: [saag] SSH & Ntruprime Simon Josefsson
- Re: [saag] SSH & Ntruprime Christian Huitema
- Re: [saag] SSH & Ntruprime Russ Housley
- Re: [saag] SSH & Ntruprime Orie Steele
- Re: [saag] SSH & Ntruprime Michael Richardson
- Re: [saag] SSH & Ntruprime Loganaden Velvindron
- Re: [saag] SSH & Ntruprime Loganaden Velvindron
- Re: [saag] SSH & Ntruprime Michael Richardson
- Re: [saag] SSH & Ntruprime Paul Wouters
- Re: [saag] SSH & Ntruprime Michael Richardson
- Re: [saag] SSH & Ntruprime Michael Richardson
- Re: [saag] SSH & Ntruprime Paul Wouters
- Re: [saag] SSH & Ntruprime Stephen Farrell
- Re: [saag] SSH & Ntruprime Simon Josefsson
- Re: [saag] SSH & Ntruprime Mark Baushke (ietf)
- Re: [saag] SSH & Ntruprime Stephen Farrell
- Re: [saag] SSH & Ntruprime D. J. Bernstein
- Re: [saag] SSH & Ntruprime Eric Rescorla
- Re: [saag] SSH & Ntruprime Eliot Lear
- Re: [saag] SSH & Ntruprime Salz, Rich
- Re: [saag] SSH & Ntruprime Stephen Farrell
- Re: [saag] SSH & Ntruprime Eric Rescorla
- Re: [saag] SSH & Ntruprime Eric Rescorla
- Re: [saag] SSH & Ntruprime Michael StJohns
- Re: [saag] SSH & Ntruprime Eric Rescorla
- Re: [saag] SSH & Ntruprime Michael StJohns
- Re: [saag] SSH & Ntruprime S Moonesamy
- Re: [saag] SSH & Ntruprime Paul Wouters
- Re: [saag] SSH & Ntruprime Watson Ladd
- Re: [saag] SSH & Ntruprime Stephen Farrell
- Re: [saag] SSH & Ntruprime Simon Josefsson
- Re: [saag] SSH & Ntruprime StJohns, Michael
- Re: [saag] SSH & Ntruprime Watson Ladd
- Re: [saag] SSH & Ntruprime Stephen Farrell
- Re: [saag] SSH & Ntruprime Eric Rescorla
- Re: [saag] SSH & Ntruprime Watson Ladd
- Re: [saag] SSH & Ntruprime Michael StJohns
- Re: [saag] SSH & Ntruprime S Moonesamy
- Re: [saag] SSH & Ntruprime Eric Rescorla
- Re: [saag] SSH & Ntruprime D. J. Bernstein
- Re: [saag] SSH & Ntruprime Salz, Rich
- Re: [saag] SSH & Ntruprime Paul Wouters
- Re: [saag] SSH & Ntruprime D. J. Bernstein
- Re: [saag] SSH & Ntruprime Deb Cooley
- Re: [saag] SSH & Ntruprime Christian Huitema
- Re: [saag] SSH & Ntruprime Simon Josefsson