Re: [Secdispatch] Can Composite sigs move back to LAMPS?

Stephen Farrell <stephen.farrell@cs.tcd.ie> Fri, 17 January 2020 12:11 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/ClTNi541TzdP-_w4W2qKubalPFc>

Hiya,

On 16/01/2020 21:38, Daniel Van Geest wrote:
> Hi Stephen,
> 
> On 2020-01-16, 7:28 PM, "Secdispatch on behalf of Stephen Farrell"
> <secdispatch-bounces@ietf.org on behalf of
> stephen.farrell@cs.tcd.ie> wrote:
> 
> Hiya,
> 
> I'm guessing it'll be no surprise that I reckon that we ought not
> adopt either piece of work at this time (sorry for being so
> predictable;-) I continue to think waiting 'till we know more is
> wiser.
> 
> [DVG] I think we can appreciate your consistency at least :-)

You're welcome:-)

> I'd also note that CVE-2020-0601 may (when full details emerge)
> provide very direct evidence that standardising cryptographic
> parameter representations ahead of real understanding of the
> algorithms and their implementations and real uses can be a bad plan
> with implications that only hit decades later.
> 
> [DVG] I think you’ve hinted (or stated explicitly) at this before,
> but it confuses me. draft-ounsworth-pq-composite-sigs does not
> attempt to standardize the parameter representations of any
> cryptographic algorithms.  It’s just a framework for combining other
> standardized representations.  In the PQ case those are to be
> standardized separately in the future.  This draft could just as well
> be used to combine RSA and elliptic curve signatures. 

So I really don't see any benefit in a new complex way to
combine RSA and ECC signatures. I do see many costs and risks.
My conclusion is that this stuff could only really be useful
enough to justify the costs if we have PQ signature schemes
that are considered stable enough to deploy but where we
don't yet fully trust the algorithms to the point where we'd
be happy to depend solely on those new algorithms. In that
context, ISTM that creating the scope for CVE-20YY-NNNN
(analogous to CVE-2020-0601) is a very real risk among others
that were already mentioned earlier in discussion. (*)

Cheers,
S.

(*) I brought up CVE-2020-0601 not as a killer-argument that
summarises the entire thread, but because the CVE is new
information (even if we're still unsure of all the details)
and I don't recall that specific risk having come up in the
discussion so far.

> I don’t want
> to put words in Max Pala’s mouth, but he’s currently dealing with a
> newborn so I will provisionally say I think combining classical
> algorithms using this method is of interest to him.  Probably the
> draft should be renamed to draft-ounsworth-composite-signatures,
> similarly to what was done in IPSecME for a draft combining key
> agreement algorithms. There’s nothing PQ-specific about either
> mechanism, but the efforts are being made now in anticipation of
> these algorithms' arrivals, knowing how long the standardization
> process can take.
> 
> Thanks,
> 
> Daniel Van Geest
> 
> 
> On 16/01/2020 19:13, Mike Ounsworth wrote:
> Following up on in-room discussions at 106, and the ensuing list
> discussions, I'd like to ask for confirmation of the following points:
>
> 1. There is enough interest in an obvious-and-straightforward
>    implementation of composite signatures to continue working on it?
> 1a. The current draft for this is draft-ounsworth-pq-composite-sigs-02
> 2. SecDispatch is assigning this back to LAMPS?
> 2a. The current draft might not be the most
>     obvious-and-straightforward implementation; we're willing to
>     simplify until it's in-scope for LAMPS.
>
> ---
> Mike Ounsworth
> Software Security Architect, Entrust Datacard
>
> _______________________________________________
> Secdispatch mailing list
> Secdispatch@ietf.org
> https://www.ietf.org/mailman/listinfo/secdispatch