IETF Logo Mail Archive

Re: [saag] post-X509 cryptographic identities

Eric Rescorla <ekr@rtfm.com> Wed, 12 February 2020 00:02 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2499912004C for <saag@ietfa.amsl.com>; Tue, 11 Feb 2020 16:02:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MTEwFiuL6wGl for <saag@ietfa.amsl.com>; Tue, 11 Feb 2020 16:02:56 -0800 (PST)
Received: from mail-lj1-x22b.google.com (mail-lj1-x22b.google.com [IPv6:2a00:1450:4864:20::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6FD09120855 for <saag@ietf.org>; Tue, 11 Feb 2020 16:02:56 -0800 (PST)
Received: by mail-lj1-x22b.google.com with SMTP id x14so159335ljd.13 for <saag@ietf.org>; Tue, 11 Feb 2020 16:02:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Le0mSNRWmUf7QX++hP5ql4PS59alE0xNAJ+e5kqCq9U=; b=hiLshQVEEPhggz2UruSsUBFWAwbtDsI29pY+iYS/vrHlUg/GVIVy36D+taW2mskesU Tg6HOylpWkdA13tBudNtiVUBaMPAx+bjN3tC1K3RanOdGDlXlgQ7j8lPsFqeT4dezfBk 4xvvBwfLgAD8Hw4d8YhGuHFlnpiL8ehbBRdczm0Z1YHYlxpCIFG6AOYNsfSrp7XKAF44 HonQ3tibjaXDb+5iVuuBN4+v5fa7z6IITvo7CzvfTIAAkxY0avssCUWhgwi77Dcx/T6F vZfJNBn+RsTtNCzGlNwtL5YMw74/rKTBijnC/TZ0jghfvRSY132N+T6AvC5BjIwHwxVL caYw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Le0mSNRWmUf7QX++hP5ql4PS59alE0xNAJ+e5kqCq9U=; b=dXT8JDVBXlH9ITAmPQ6vpSreCMjxAIT73UOh7ENMSyMe0zSnvrzuAYlBoNKkoKqBDJ KKJyDA3EgxHV7vfHevT+4cT78Kj5TaSDNHhCHLNrUAQ4iy1DfpraOl8V3T0fbObU8tSn FIhDh7dLGeCeiOQ1iW16Ai3ZqWwEz5Q5Kw6tPlpyWXyIP/9mmEFGeK8ISazkiDUpZRbo ImpjZsnRKYd8Jj5VJbaEUSZrkveDwQKJumc15SpzyBGACPtSFJvJ10K1kYITo+jyEnYP IxeWlcsSI/2yAIDxz4shSZfknoZrWmHr5WQxwbald8az+o5VOgLUxvGdUr4HLuxs+/OH gGcQ==
X-Gm-Message-State: APjAAAX5TQv8C1tzrkHwCKPWx7NJnSsQRyisWOgwDhV89sDBJntibZ/H QCKxXn6SOJmNmj6F6nMIsXFpY89ElQzCLtAxYQ0SSw==
X-Google-Smtp-Source: APXvYqzKlgTiKUoBwxPD3Lv2bikfXvDlNxM0Rc6/A+ArMgGQBuM9MZG6mfzm3SY1+k1EsXXvdBfPpMEbrMvBPxEUYeg=
X-Received: by 2002:a2e:9b12:: with SMTP id u18mr5892225lji.274.1581465774259; Tue, 11 Feb 2020 16:02:54 -0800 (PST)
MIME-Version: 1.0
References: <157762745765.1150.7880025422884493076@ietfa.amsl.com> <2C5DFA70-AD0E-4139-B28E-2D4EDB6E5409@sinodun.com> <46BDE9EB-6306-4194-AFFA-7E9E6604765F@sinodun.com> <825b8c8e-7ee9-9276-d09e-9c006acf3804@ericsson.com> <CABcZeBOzJ2MRS8deZqN+e-o9tFDwgSrYK3_hmV-0pfO+L9oaVw@mail.gmail.com> <53c87d6b-cad1-3a80-291d-e2a896705da5@ericsson.com> <CABcZeBNJWmFTV==6sa0qnAPyRr4=6OiCacchzobE=RozHnqPdg@mail.gmail.com> <7901248e-c7dd-8a12-65df-f40415fde5e2@cs.tcd.ie> <26497.1581418516@dooku> <db922345-12f5-33f6-2d85-01e858078ad7@cs.tcd.ie>
In-Reply-To: <db922345-12f5-33f6-2d85-01e858078ad7@cs.tcd.ie>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 11 Feb 2020 16:02:16 -0800
Message-ID: <CABcZeBMR3KVunWGhm7BnX8KocUOuby1HecAatMFZy0acTxCO=g@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, saag@ietf.org
Content-Type: multipart/alternative; boundary="000000000000b32d8a059e55b18f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/sjRJ9n1pqeyByIizew-2va8iPtY>
Subject: Re: [saag] post-X509 cryptographic identities
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Feb 2020 00:02:58 -0000

[Trimming extensively]

On Tue, Feb 11, 2020 at 1:06 PM Stephen Farrell <stephen.farrell@cs.tcd.ie>
wrote:

>
> For me, I'd be interested in starting with a much
> less ambitious goal, e.g. perhaps how to integrate
> PQ algs into TLS and SSH without x.509


Well...
It's already straightforward to integrate PQ key establishment into TLS w/o
X.509.
It's also possible to do PQ authentication w/ Delegated Keys.

Finally, TLS supports new credential types via the "certiifcate_type"
extension, so if you were to define some new kind of credential structure,
TLS could take it easily. However, it's hard to see how that would actually
fit into existing deployments of TLS, which are already rooted in the
WebPKI; if we wanted to add PQ signatures to TLS for the Web, we would do
it by defining new algorithms for X.509.

-Ekr

v2.23.0 | Report a Bug | By Email