Re: [Secdispatch] [EXTERNAL]Re: Clarification Question for the Comment from Eric Rescorla (

Mike Ounsworth <Mike.Ounsworth@entrustdatacard.com> Wed, 08 January 2020 16:26 UTC

Return-Path: <prvs=269c1f500=Mike.Ounsworth@entrustdatacard.com>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 998FD12084A for <secdispatch@ietfa.amsl.com>; Wed, 8 Jan 2020 08:26:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=entrustdatacardcorp.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BYVJMdWcZxUS for <secdispatch@ietfa.amsl.com>; Wed, 8 Jan 2020 08:26:24 -0800 (PST)
Received: from mx2.entrustdatacard.com (mx2.entrustdatacard.com [204.124.80.222]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5CB54120152 for <secdispatch@ietf.org>; Wed, 8 Jan 2020 08:26:24 -0800 (PST)
IronPort-SDR: 1f4D2lSqDxxz/DPpiaoQXqi4x1znKVqFUgeubevhJ+qCO++FES6EsNnzhdk1hv4fQBkU9uXxM5 bpe2It0MudqA==
X-IronPort-AV: E=Sophos;i="5.69,410,1571720400"; d="scan'208,217";a="7296963"
Received: from pmspex04.corporate.datacard.com (HELO owa.entrustdatacard.com) ([192.168.211.51]) by pmspesa04inside.corporate.datacard.com with ESMTP/TLS/ECDHE-RSA-AES256-SHA384; 08 Jan 2020 10:26:23 -0600
Received: from PMSPEX04.corporate.datacard.com (192.168.211.51) by PMSPEX04.corporate.datacard.com (192.168.211.51) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Wed, 8 Jan 2020 10:26:23 -0600
Received: from NAM10-DM6-obe.outbound.protection.outlook.com (172.28.1.8) by PMSPEX04.corporate.datacard.com (192.168.211.51) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Wed, 8 Jan 2020 10:26:23 -0600
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=cMXl16IPQoOAGI/fP1/4H1HDrjWmDYH9to8tBAh5614wG0ijsznWGroO7Pj78EW5J2icdA+eN/PglrpSqUNRn+EwJpthGBxKuPKidqmqX0gfQH1L4zda4TGPCbVzZ/3TZRVZy7PNUol1n5twxMg8i+FURXKJAhbgmdk/viwkjlH7s+RCAOXaorwmsMWtkQMWDsrUEVZkaGmSYEYcl63A1RIAM0G7PIRUtZ7AQExo5yQKWnp/Yn+wPnftEqzDDnd8UV2984aOvSp/IxYH0wBJkEmOVq8CBOd5yzhsdqomnZWx52YdN3FfUtydrEowaJwDmEo1sBlhTNFDq5NguLOrsA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=SpERIisgww2Fakx2jzsFV7MAQtlepMg2dzZ74mMUEt0=; b=EFHQgt/MDl5Pyl8Op7dcEfB6H/daGYAO9HwWe8gdT3Lyc0T0FBA5jDPXcZN0gfWQNmEQ9uTKG0ShQqXhqzyOeA8LyBPTwRQpVCozrIraZxE0k5eMTKH5LE6ymkxn4LntGB+rUIDBXAaiWXRo2TwBqNeTwmZByb1B8xC3TkjwCnZ/GTDntnaS1uXXSuJymlQkjYNhbphGXcdQFM/ibhjcXv/tHXL7Ac7bl297p7ZhBMhRdlkFBDBoxMca2d9JjUqJTKaADjlF/Sn2z+AEflF8J+4IXOEkwWMmGjCr1l5czyrOW5xnc6UUTqdSewDDZRq69S4kHmLJ3QwrjshOzjJtZg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=entrustdatacard.com; dmarc=pass action=none header.from=entrustdatacard.com; dkim=pass header.d=entrustdatacard.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=entrustdatacardcorp.onmicrosoft.com; s=selector1-entrustdatacardcorp-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=SpERIisgww2Fakx2jzsFV7MAQtlepMg2dzZ74mMUEt0=; b=admLozgIWjJLX42c1u5z3gh+WFPQLM6WQn6XjsL6Rq4eVbe78Z3r2/M2xw/xauNh+/Q7+hLmiqUajeqx0A5rKU0sJPxdr0wQAhgw5qios860RlzE1CxhEL6bKPg3Vpr3uEWgRWKzffOjbT8l3oy9OUPultQNbcLD6d6vPQlSCUE=
Received: from DM6PR11MB3883.namprd11.prod.outlook.com (10.255.61.32) by DM6PR11MB4153.namprd11.prod.outlook.com (10.255.61.24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2623.9; Wed, 8 Jan 2020 16:26:21 +0000
Received: from DM6PR11MB3883.namprd11.prod.outlook.com ([fe80::34ac:ed41:2759:3392]) by DM6PR11MB3883.namprd11.prod.outlook.com ([fe80::34ac:ed41:2759:3392%6]) with mapi id 15.20.2602.017; Wed, 8 Jan 2020 16:26:21 +0000
From: Mike Ounsworth <Mike.Ounsworth@entrustdatacard.com>
To: Eric Rescorla <ekr@rtfm.com>, Carrick Bartle <cbartle891@icloud.com>
CC: "Dr. Pala" <madwolf@openca.org>, "Salz, Rich" <rsalz@akamai.com>, "IETF SecDispatch" <secdispatch@ietf.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Thread-Topic: [EXTERNAL]Re: [Secdispatch] Clarification Question for the Comment from Eric Rescorla (
Thread-Index: AQHVn3TqmuwoAaKifk6F5voq4PihRqeTq78AgDU9ZQCAAveOgIAMGfaAgAABkgCAAAgPgIAADmoAgAkfdvA=
Date: Wed, 8 Jan 2020 16:26:21 +0000
Message-ID: <DM6PR11MB38835E0C6C931C9E9BE676689B3E0@DM6PR11MB3883.namprd11.prod.outlook.com>
References: <12eed4ff-edd2-7f70-9460-fc86dcbab927@openca.org> <CABcZeBPbAgBfC6Et+OKQi2=GwsyeyKEKfW5GG=StUepQwy+f0g@mail.gmail.com> <7999ebac-c9c1-eb4f-d9f7-2ba814a3b331@cs.tcd.ie> <78997490-c5ae-c856-6e26-0f79c7733ca3@openca.org> <CABcZeBM5WgpcBP4axBvzWaxKU=JA-K-4qiVxhhO1+HzFf246aw@mail.gmail.com> <95B2FAB7-66FA-44F2-84F8-FA23737AA38F@akamai.com> <CABcZeBM06FEiMkDVhOPnQggHCG7DeOVkNLNn1w2wDnhy6rJuhg@mail.gmail.com> <07119213-1702-4742-A34F-EDEDBF294FCF@icloud.com> <CABcZeBO7DSn3vaghfk5ADSEM-Wx50HtQHtN_OKNk5zeWkuXJ0Q@mail.gmail.com> <3FFD9FD4-10E3-41B5-B086-A0AF17EF6899@icloud.com> <CABcZeBOCwqhZjDmVqFUK4CmYX-=-BxT6sjrj4AUUFtZ_ZAw_aQ@mail.gmail.com> <DB512B60-8851-480A-98DE-73CF6336DC08@icloud.com> <CABcZeBM4r0k_tX3RageZ2oEqAKZ=XbcJqqaDpsazNxVe5tHuTw@mail.gmail.com>
In-Reply-To: <CABcZeBM4r0k_tX3RageZ2oEqAKZ=XbcJqqaDpsazNxVe5tHuTw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Mike.Ounsworth@entrustdatacard.com;
x-originating-ip: [204.124.81.102]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 987358e8-5925-4143-1415-08d794577f7f
x-ms-traffictypediagnostic: DM6PR11MB4153:
x-microsoft-antispam-prvs: <DM6PR11MB4153CBC3E306AC6E38C017929B3E0@DM6PR11MB4153.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8882;
x-forefront-prvs: 02760F0D1C
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(396003)(39860400002)(136003)(376002)(366004)(346002)(51444003)(189003)(199004)(71200400001)(66946007)(66556008)(66476007)(66446008)(76116006)(64756008)(2906002)(5660300002)(55016002)(316002)(81166006)(81156014)(4326008)(9686003)(478600001)(186003)(966005)(8936002)(110136005)(52536014)(7696005)(54906003)(26005)(8676002)(86362001)(33656002)(53546011)(6506007); DIR:OUT; SFP:1102; SCL:1; SRVR:DM6PR11MB4153; H:DM6PR11MB3883.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: z2rGvKVhkS8DoWuHTo6+8OWRs3SXc6FINBo5LQAK4So0vR/uwL0BykEvzMBQhpje4jWSQF5Q2NEm5pvOZRWo+cJBDwEwU4VR6Y+4vA00Pj2HmSUT3W6CqMU5GsOLlLvldLgNmbxOYYcjNlvS7XTt638lBBLn1z9ZvD6khOnii6hdjzfj3T8v0hL279SIKMc0QCHg05SznxBhFR+y4Y6U89KtHi80ihnOsjzy0oyjz5hQTDw6Hkn3sEVrRafxGBMom6YE+m7Y95RSnGELPBehEh+gCcyxvg5uYgXE9UqyxpuSUnkYcuB4keaTZPRCAFrFtw70SKEV3wQnQcSODth0SUh6G1N/o8Mx7BKO8NWzBcbZ7BNdrTiOeZKjBXgEzUwWHLH2CtrdGJBr+YV51H2NzNKnwIlDHOGTnUySTwne9C7dMTKE7z5aT+tPZ81TmdvV1o1qAd4X9HaGdrp8LedP+x7k9x1QXSFyz72TEbT+ZjBmsV9+xW0EvwxMXjwR9cMKdHbNZfmCMpxo6syQVC4ml9OfK5yOLe9Y7OQcvXE4Dfk4siie4MiGdbNAhsh5MzI6
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_DM6PR11MB38835E0C6C931C9E9BE676689B3E0DM6PR11MB3883namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 987358e8-5925-4143-1415-08d794577f7f
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 Jan 2020 16:26:21.6815 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f46cf439-27ef-4acf-a800-15072bb7ddc1
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: IYCcp1jmGe8XMsMXN8FJK/zQ/wyQjoVeOi0XCq4V5KGxwY6pY+rQlArc/B38zxhatWs4kOTZZy9oe8qL+BdCMD+9B4kLt6Kvsq54qwln8iqxflJVQe1BaW5mIazNuZmH
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR11MB4153
X-OriginatorOrg: entrustdatacard.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/BG4XgBrUSofKNRW5rdCEwxKuhrQ>
Subject: Re: [Secdispatch] [EXTERNAL]Re: Clarification Question for the Comment from Eric Rescorla (
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jan 2020 16:26:28 -0000

Ekr said:

In the former case, every server would need two certificates (one composite and one classical) and use signature_algorithms to distinguish which one to use.

I agree with your conclusion about composite breaking backwards compatibility.

That said, I caution us against thinking about this problem only in terms of a single use-case or protocol (TLS in this case).  I want to keep this discussion considering certificate use-cases that don’t have algorithm negotiation mechanisms, for example code-signing, S/MIME, PKI smart cards, file encryption, whatever uses certificates in a way that isn’t “online”.  I would love to see the IETF provide a solution that applies to certificates and signatures in general, rather than punting this problem to each protocol design team to solve independently.


The primary rationale for doing PQ authentication now (or for that
matter composite authentication) is to be prepared for the day when QC
exists and we are therefore unable to rely on classical
algorithms. However, it's not useful to be prepared in that fashion
unless the algorithm that you are deploying is the one that is
eventually selected, because otherwise you just have to start over
once the selection is made.

This conclusion – that you’re only getting security value once a PQ exists, and any alg implementation we chose today will likely be obsolete by then -- is probably right for browsers, but what about IoT devices validating their firmware signature on boot? Or PKI smartcards?  Or legal contracts signed under eIDAS?  Today we are creating certificates and signed data objects that will outlive the advent of a QC.  I think that blurs closer to the “retrospective attack” scenario that you used for motivating composite key exchange.

While I’m aware that I’m using motivating examples from outside the IETF, I think we have an opportunity to define a standard that is generic for all (or at least most) certificate use-cases.  Let’s do the debate here about carrying multiple signatures and the semantics of validating it, rather than pushing it out to each protocol design team to debate independently.


---
Mike Ounsworth | Office: +1 (613) 270-2873

From: Secdispatch <secdispatch-bounces@ietf.org> On Behalf Of Eric Rescorla
Sent: January 2, 2020 2:11 PM
To: Carrick Bartle <cbartle891@icloud.com>
Cc: Dr. Pala <madwolf@openca.org>rg>; Salz, Rich <rsalz@akamai.com>om>; IETF SecDispatch <secdispatch@ietf.org>rg>; Stephen Farrell <stephen.farrell@cs.tcd.ie>
Subject: [EXTERNAL]Re: [Secdispatch] Clarification Question for the Comment from Eric Rescorla (

WARNING: This email originated outside of Entrust Datacard.
DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.
________________________________


On Thu, Jan 2, 2020 at 11:19 AM Carrick Bartle <cbartle891@icloud.com<mailto:cbartle891@icloud.com>> wrote:
What "start over" means in this case is get to the point where there is a critical mass of client and server deployment, a process which takes time.

I see.

I think not, at least for TLS. The consensus of implementors seems to be that it's better to just cast composite algorithms as if they were new DH groups, so there's not a huge amount of leverage in a generic mechanism.

My understanding is that the Cloudflare-Google implementation generated two separate shared secrets. Also this draft references several different "ad hoc" approaches in implementations: https://tools.ietf.org/html/draft-stebila-tls-hybrid-design-01.

Well, yes, but on the wire it's packaged as a single group and key share.

https://blog.cloudflare.com/the-tls-post-quantum-experiment/

-Ekr


Carrick



On Jan 2, 2020, at 10:50 AM, Eric Rescorla <ekr@rtfm.com<mailto:ekr@rtfm.com>> wrote:



On Thu, Jan 2, 2020 at 10:45 AM Carrick Bartle <cbartle891@icloud.com<mailto:cbartle891@icloud.com>> wrote:
it's not useful to be prepared in that fashion
unless the algorithm that you are deploying is the one that is
eventually selected, because otherwise you just have to start over
once the selection is made.

Just to be specific, do you mean, for instance, all the certificates with the PQ algorithm that wasn't chosen would have to be revoked?

Probably not.

At a high level, there are two possible designs:

1. A certificate which has a composite signature in place of the classical signature and thus cannot be validated by old clients.
2. A certificate which has a PQ signature somehow attached in a way that it leaves the classical signature valid (as in an extension).

In the former case, every server would need two certificates (one composite and one classical) and use signature_algorithms to distinguish which one to use. Once clients stopped liking the old PQ algorithm, then those composite certificates would become irrelevant and just be unused. In the latter case, the certificates would continue to be valid and the client could just ignore the PQ part of the signature.

What "start over" means in this case is get to the point where there is a critical mass of client and server deployment, a process which takes time.

the primary rationale for doing composite key exchange now is to
defend against retrospective attacks in case a quantum computer exists
in the future. In this setting, it isn't critically important to have
the PQ algorithm be the one we eventually land on, because each
connection is separately negotiated and as long as the PQ algorithm
has some security, you're getting benegit,.

In that case, would it make sense to take the next step with drafting an intended standard for composite key exchanges (that is PQ algorithm-agnostic)? If not, why not?

I think not, at least for TLS. The consensus of implementors seems to be that it's better to just cast composite algorithms as if they were new DH groups, so there's not a huge amount of leverage in a generic mechanism.

-Ekr

Carrick





On Dec 25, 2019, at 5:57 PM, Eric Rescorla <ekr@rtfm.com<mailto:ekr@rtfm.com>> wrote:

On Mon, Dec 23, 2019 at 8:38 PM Carrick Bartle <cbartle891@icloud.com<mailto:cbartle891@icloud.com>> wrote:
> How can it be true that it's too early to start developing a protocol
> for composite keys and signatures for Web PKI when Cloudflare and
> Google have already finished a round of experiments with composite key
> exchanges? Maybe I'm reading too much into it, but the existence of
> those experiments suggested to me that the need for composite/composite
> implementations was imminent. (I understand that the draft in question
> concerns signatures, not key exchanges, but apparently there isn't
> even a draft for the latter yet.)

ISTM that these cases are pretty different, in a number of respects.

First, the primary rationale for doing composite key exchange now is to
defend against retrospective attacks in case a quantum computer exists
in the future. In this setting, it isn't critically important to have
the PQ algorithm be the one we eventually land on, because each
connection is separately negotiated and as long as the PQ algorithm
has some security, you're getting benegit,.

The primary rationale for doing PQ authentication now (or for that
matter composite authentication) is to be prepared for the day when QC
exists and we are therefore unable to rely on classical
algorithms. However, it's not useful to be prepared in that fashion
unless the algorithm that you are deploying is the one that is
eventually selected, because otherwise you just have to start over
once the selection is made.

Moreover, in order to be truly prepared, what you need isn't
principally relying party deployment, but rather authenticating party
(in the case of the WebPKI, server-side) deployment. The reason for
this is that in the world where a QC exists, you don't have protection
until the relying party refuses to accept the classical credential
[0], and at present, any client which does so will effectively be
unable to communicate. And in order to make that happen, relying
parties will have to require a post-quantum algorithm (most likely as
a composite) and that's something I don't expect them to be willing to do
until there's widespread agreement on what that algorithm should be.


> If not now, when? After NIST crowns a winner? I don't see why it's
> necessary to wait that long given that the proposed solutions are
> algorithm-independent. And since the standardization process takes a
> while, won't waiting until then mean that there won't be a standard
> until after it's needed?

No, i don't think so.

For the reasons above, ISTM that real deployment will have to wait
until we have a selected algorithm. One could, as you suggest, deploy
some sort of multi-algorithm container, but IMO we will be far better
off just deploying new composite algorithms as if the were single
new algorithms, in the same way as we have done for key establishment.

For this reason, I think we ought to wait until there is a consensus
PQ signature algorithm, at least for the WebPKI.

-Ekr

[0] This is why this kind of composite isn't helpful in the world
where a secret QC exists not.


_______________________________________________
Secdispatch mailing list
Secdispatch@ietf.org<mailto:Secdispatch@ietf.org>
https://www.ietf.org/mailman/listinfo/secdispatch