Re: [Secdispatch] Can Composite sigs move back to LAMPS?

Hiya,

On 16/01/2020 21:38, Daniel Van Geest wrote:
> Hi Stephen,
> 
> On 2020-01-16, 7:28 PM, "Secdispatch on behalf of Stephen Farrell"
> <secdispatch-bounces@ietf.org<mailto:secdispatch-bounces@ietf.org> on
> behalf of
> stephen.farrell@cs.tcd.ie<mailto:stephen.farrell@cs.tcd.ie>> wrote:
> 
> Hiya,
> 
> I'm guessing it'll be no surprise that I reckon that we ought not
> adopt either piece of work at this time (sorry for being so
> predictablel;-) I continue to think waiting 'till we know more is
> wiser.
> 
> [DVG] I think we can appreciate your consistency at least :-)

You're welcome:-)

> I'd also note that CVE-2020-0601 may (when full details emerge)
> provide very direct evidence that standardising cryptographic
> parameter representations ahead of real understanding of the
> algorithms and their implementations and real uses can be a bad plan
> with implications that only hit decades later.
> 
> [DVG] I think you’ve hinted (or stated explicitly) at this before,
> but it confuses me. draft-ounsworth-pq-composite-sigs does not
> attempt to standardize the parameter representations of any
> cryptographic algorithms.  It’s just a framework for combining other
> standardized representations.  In the PQ case those are to be
> standardized separately in the future.  This draft could just as well
> be used to combine RSA and elliptic curve signatures. 

So I really don't see any benefit in a new complex way to
combine RSA and ECC signatures. I do see many costs and risks.
My conclusion is that this stuff could only really be useful
enough to justify the costs if we have PQ signature schemes
that are considered stable enough to deploy but where we
don't yet fully trust the algorithms to the point where we'd
be happy to depend solely on those new algorithms. In that
context, ISTM that creating the scope for CVE-20YY-NNNN
(analogous to CVE-2020-0601) is a very real risk among others
that were already mentioned earlier in discussion. (*)

Cheers,
S.

(*) I brought up CVE-2020-0601 not as a killer-argument that
summarises the entire thread, but because the CVE is new
information (even if we're still unsure of all the details)
and I don't recall that specific risk having come up in the
discussion so far.

> I don’t want
> to put words in Max Pala’s mouth, but he’s currently dealing with a
> newborn so I will provisionally say I think combining classical
> algorithms using this method is of interest to him.  Probably the
> draft should be renamed to draft-ounsworth-composite-signatures,
> similarly to what was done in IPSecME for a draft combining key
> agreement algorithms. There’s nothing PQ-specific about either
> mechanism, but the efforts are being made now in anticipation of
> these algorithms arrivals, knowing how long the standardization
> process can take.
> 
> Thanks,
> 
> Daniel Van Geest
> 
> 
> On 16/01/2020 19:13, Mike Ounsworth wrote: Following up on in-room
> discussions at 106, and the ensuing list discussions, I'd like to ask
> for confirmation of the following points: 1. There is enough interest
> in an obvious-and-straightforward implementation of composite
> signatures to continue working on it? 1a. The current draft for this
> is draft-ounsworth-pq-composite-sigs-02 2. SecDispatch is assigning
> this back to LAMPS? 2a. The current draft might not be the most
> obvious-and-straightforward implementation; we're willing to simplify
> until it's in-scope for LAMPS. --- Mike Ounsworth Software Security
> Architect, Entrust Datacard 
> _______________________________________________ Secdispatch mailing 
> list Secdispatch@ietf.org<mailto:Secdispatch@ietf.org> 
> https://www.ietf.org/mailman/listinfo/secdispatch
> 
> 
> _______________________________________________ Secdispatch mailing
> list Secdispatch@ietf.org 
> https://www.ietf.org/mailman/listinfo/secdispatch
> 

Re: [Secdispatch] Can Composite sigs move back to LAMPS?

Attachment: 0x5AB2FAF17B172BEA.asc

Attachment: signature.asc