[Secdispatch] Clarification Question for the Comment from Eric Rescorla (

"Dr. Pala" <madwolf@openca.org> Tue, 19 November 2019 14:18 UTC

Return-Path: <madwolf@openca.org>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 92FEB12092B for <secdispatch@ietfa.amsl.com>; Tue, 19 Nov 2019 06:18:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.841
X-Spam-Level: **
X-Spam-Status: No, score=2.841 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_IMAGE_ONLY_28=1.404, HTML_MESSAGE=0.001, RCVD_IN_SBL_CSS=3.335, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id KLJiIaRsVfpB for <secdispatch@ietfa.amsl.com>; Tue, 19 Nov 2019 06:18:05 -0800 (PST)
Received: from mail.katezarealty.com (mail.katezarealty.com []) by ietfa.amsl.com (Postfix) with ESMTP id A8317120921 for <secdispatch@ietf.org>; Tue, 19 Nov 2019 06:18:05 -0800 (PST)
Received: from localhost (unknown []) by mail.katezarealty.com (Postfix) with ESMTP id 567C137413B5; Tue, 19 Nov 2019 14:18:05 +0000 (UTC)
X-Virus-Scanned: amavisd-new at katezarealty.com
Received: from mail.katezarealty.com ([]) by localhost (mail.katezarealty.com []) (amavisd-new, port 10024) with LMTP id THMjUY5K-0Vn; Tue, 19 Nov 2019 09:18:04 -0500 (EST)
Received: from Maxs-MacBook-Pro-2.local (unknown []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.katezarealty.com (Postfix) with ESMTPSA id 0670037408D6; Tue, 19 Nov 2019 09:18:03 -0500 (EST)
To: secdispatch@ietf.org, Eric Rescorla <ekr@rtfm.com>
From: "Dr. Pala" <madwolf@openca.org>
Message-ID: <12eed4ff-edd2-7f70-9460-fc86dcbab927@openca.org>
Date: Tue, 19 Nov 2019 22:18:02 +0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0) Gecko/20100101 Thunderbird/68.2.2
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------66B72031CA31C3C5A74B1276"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/8EMfFHbttUEtyOp98b8miSCv-8E>
Subject: [Secdispatch] Clarification Question for the Comment from Eric Rescorla (
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Nov 2019 14:18:07 -0000

Hi Eric, all,

I am sorry I had quite a hard time to understand the questions/comments 
today, however, I would like to properly address the raised concerns/points.

*Clients / Software Updates Comment:*

    I wanted to understand your questions/comments about the need to
    update clients and that would never happen.

    Could you please elaborate on this point ?

    It is my understanding that we do have to update our crypto
    libraries when we want to support a new algorithm, and that is what
    we are talking about. Any time we add a new algorithm, the software
    needs to be updated - but I do not see why this is a problem
    specific for this solution. ALL of the approaches will need software
    updates (exactly as we did for TLS 1.3).

    Personally, I think that Composite Crypto is also interesting from
    this point of view since updating the crypto layer will enable its
    use without the need to change protocols or application behavior.
     From an application-development point of view, IMHO, it is a very
    intriguing approach.

*SHA-1 Transition:*

    One of your comments, if I am not mistaken, was about comparing one
    of the possible solutions to the problem (Composite Crypto) with the
    SHA-1 transitioning period - how, in your opinion, is that
    transition process related to the specifics of the proposal ?

Again, I am sorry I could not understand the questions clearly (normal 
language barrier issues :D), but I hope I can address your concerns on 
the list.

Thanks again,


Best Regards,
Massimiliano Pala, Ph.D.
OpenCA Labs Director
OpenCA Logo