Re: [Secdispatch] Problem statement for post-quantum multi-algorithm PKI
Stephen Farrell <stephen.farrell@cs.tcd.ie> Mon, 16 September 2019 21:42 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 32986120118 for <secdispatch@ietfa.amsl.com>; Mon, 16 Sep 2019 14:42:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rQZQVVmvG_7Z for <secdispatch@ietfa.amsl.com>; Mon, 16 Sep 2019 14:42:24 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 596991200C7 for <secdispatch@ietf.org>; Mon, 16 Sep 2019 14:42:24 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 6537CBE2F; Mon, 16 Sep 2019 22:42:21 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eaXpQ20VSdDl; Mon, 16 Sep 2019 22:42:19 +0100 (IST)
Received: from [10.244.2.138] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 4163CBE2C; Mon, 16 Sep 2019 22:42:19 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1568670139; bh=IAwWc1oDQsC9EZZ2LfyilYiwsGxGgRXG9ctc7+uN6NA=; h=Subject:To:References:From:Date:In-Reply-To:From; b=bGhs3ypwAsniJlW7ZXNYNIwDhxuzyJXgU8sP86jlhGHqnYUPARoypQLXWVzrPDho9 MoNHBOciteWrJumbjUR7p42AnMNYPL31uVNGVUrxdBP0RQNbdtqRpcHg7E1S6qVXW/ wwCRjjsKQMON1Sin06dPS8EPMfRjGnv9++0ctjQ4=
To: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>, "secdispatch@ietf.org" <secdispatch@ietf.org>
References: <a2e32c33-8589-f3fb-97e5-c5977dfc64b4@openca.org> <BL0PR11MB317285DF599EC58CCF26FD5EC1B00@BL0PR11MB3172.namprd11.prod.outlook.com> <28224.1568427573@dooku.sandelman.ca> <cf1a301c-47d6-7565-ddc7-69048e3c08f3@cs.tcd.ie> <5F8D32EB-CE27-4ECD-997F-D0AAE4B798B5@akamai.com> <2b87f695-314c-5aed-14a4-9877fe254161@ericsson.com> <CAN40gStdbJ0TNoeL0VFU4Tx1F5ubtAdJnz+QJXYFFAP7W2OV7w@mail.gmail.com> <3cfa21d8-efe2-1a69-5268-0a39e9171fe1@cs.tcd.ie> <BN7PR11MB2547F76FF7FBAE9ECBBA8E0BC98C0@BN7PR11MB2547.namprd11.prod.outlook.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=5BB5A6EA5765D2C5863CAE275AB2FAF17B172BEA; url=
Autocrypt: addr=stephen.farrell@cs.tcd.ie; prefer-encrypt=mutual; keydata= mQINBFo9UDIBEADUH4ZPcUnX5WWRWO4kEkHea5Y5eEvZjSwe/YA+G0nrTuOU9nemCP5PMvmh 5Cg8gBTyWyN4Z2+O25p9Tja5zUb+vPMWYvOtokRrp46yhFZOmiS5b6kTq0IqYzsEv5HI58S+ QtaFq978CRa4xH9Gi9u4yzUmT03QNIGDXE37honcAM4MOEtEgvw4fVhVWJuyy3w//0F2tzKr EMjmL5VGuD/Q9+G/7abuXiYNNd9ZFjv4625AUWwy+pAh4EKzS1FE7BOZp9daMu9MUQmDqtZU bUv0Q+DnQAB/4tNncejJPz0p2z3MWCp5iSwHiQvytYgatMp34a50l6CWqa13n6vY8VcPlIqO Vz+7L+WiVfxLbeVqBwV+4uL9to9zLF9IyUvl94lCxpscR2kgRgpM6A5LylRDkR6E0oudFnJg b097ZaNyuY1ETghVB5Uir1GCYChs8NUNumTHXiOkuzk+Gs4DAHx/a78YxBolKHi+esLH8r2k 4LyM2lp5FmBKjG7cGcpBGmWavACYEa7rwAadg4uBx9SHMV5i33vDXQUZcmW0vslQ2Is02NMK 7uB7E7HlVE1IM1zNkVTYYGkKreU8DVQu8qNOtPVE/CdaCJ/pbXoYeHz2B1Nvbl9tlyWxn5Xi HzFPJleXc0ksb9SkJokAfwTSZzTxeQPER8la5lsEEPbU/cDTcwARAQABtDJTdGVwaGVuIEZh cnJlbGwgKDIwMTcpIDxzdGVwaGVuLmZhcnJlbGxAY3MudGNkLmllPokCQAQTAQgAKgIbAwUJ CZQmAAULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAUCWj6jdwIZAQAKCRBasvrxexcr6o7QD/9m x9DPJetmW794RXmNTrbTJ44zc/tJbcLdRBh0KBn9OW/EaAqjDmgNJeCMyJTKr1ywaps8HGUN hLEVkc14NUpgi4/Zkrbi3DmTp25OHj6wXBS5qVMyVynTMEIjOfeFFyxG+48od+Xn7qg6LT7G rHeNf+z/r0v9+8eZ1Ip63kshQDGhhpmRMKu4Ws9ZvTW2ACXkkTFaSGYJj3yIP4R6IgwBYGMz DXFX6nS4LA1s3pcPNxOgrvCyb60AiJZTLcOk/rRrpZtXB1XQc23ZZmrlTkl2HaThL6w3YKdi Ti1NbuMeOxZqtXcUshII45sANm4HuWNTiRh93Bn5bN6ddjgsaXEZBKUBuUaPBl7gQiQJcAlS 3MmGgVS4ZoX8+VaPGpXdQVFyBMRFlOKOC5XJESt7wY0RE2C8PFm+5eywSO/P1fkl9whkMgml 3OEuIQiP2ehRt/HVLMHkoM9CPQ7t6UwdrXrvX+vBZykav8x9U9M6KTgfsXytxUl6Vx5lPMLi 2/Jrsz6Mzh/IVZa3xjhq1OLFSI/tT2ji4FkJDQbO+yYUDhcuqfakDmtWLMxecZsY6O58A/95 8Qni6Xeq+Nh7zJ7wNcQOMoDGj+24di2TX1cKLzdDMWFaWzlNP5dB5VMwS9Wqj1Z6TzKjGjru q8soqohwb2CK9B3wzFg0Bs1iBI+2RuFnxLkCDQRaPVAyARAA+g3R0HzGr/Dl34Y07XqGqzq5 SU0nXIu9u8Ynsxj7gR5qb3HgUWYEWrHW2jHOByXnvkffucf5yzwrsvw8Q8iI8CFHiTYHPpey 4yPVn6R0w/FOMcY70eTIu/k6EEFDlDbs09DtKcrsT9bmN0XoRxITlXwWTufYqUnmS+YkAuk+ TLCtUin7OdaS2uU6Ata3PLQSeM2ZsUQMmYmHPwB9rmf+q2I005AJ9Q1SPQ2KNg/8xOGxo13S VuaSqYRQdpV93RuCOzg4vuXtR+gP0KQrus/P2ZCEPvU9cXF/2MIhXgOz207lv3iE2zGyNXld /n8spvWk+0bH5Zqd9Wcba/rGcBhmX9NKKDARZqjkv/zVEP1X97w1HsNYeUFNcg2lk9zQKb4v l1jx/Uz8ukzH2QNhU4R39dbF/4AwWuSVkGW6bTxHJqGs6YimbfdQqxTzmqFwz3JP0OtXX5q/ 6D4pHwcmJwEiDNzsBLl6skPSQ0Xyq3pua/qAP8MVm+YxCxJQITqZ8qjDLzoe7s9X6FLLC/DA L9kxl5saVSfDbuI3usH/emdtn0NA9/M7nfgih92zD92sl1yQXHT6BDa8xW1j+RU4P+E0wyd7 zgB2UeYgrp2IIcfG+xX2uFG5MJQ/nYfBoiALb0+dQHNHDtFnNGY3Oe8z1M9c5aDG3/s29QbJ +w7hEKKo9YMAEQEAAYkCJQQYAQgADwUCWj1QMgIbDAUJCZQmAAAKCRBasvrxexcr6qwvD/9b Rek3kfN8Q+jGrKl8qwY8HC5s4mhdDJZI/JP2FImf5J2+d5/e8UJ4fcsT79E0/FqX3Z9wZr6h sofPqLh1/YzDsYkZDHTYSGrlWGP/I5kXwUmFnBZHzM3WGrL3S7ZmCYMdudhykxXXjq7M6Do1 oxM8JofrXGtwBTLv5wfvvygJouVCVe87Ge7mCeY5vey1eUi4zSSF1zPpR6gg64w2g4TXM5qt SwkZVOv1g475LsGlYWRuJV8TA67yp1zJI7HkNqCo8KyHX0DPOh9c+Sd9ZX4aqKfqH9HIpnCL AYEgj7vofeix7gM3kQQmwynqq32bQGQBrKJEYp2vfeO30VsVx4dzuuiC5lyjUccVmw5D72J0 FlGrfEm0kw6D1qwyBg0SAMqamKN6XDdjhNAtXIaoA2UMZK/vZGGUKbqTgDdk0fnzOyb2zvXK CiPFKqIPAqKaDHg0JHdGI3KpQdRNLLzgx083EqEc6IAwWA6jSz+6lZDV6XDgF0lYqAYIkg3+ 6OUXUv6plMlwSHquiOc/MQXHfgUP5//Ra5JuiuyCj954FD+MBKIj8eWROfnzyEnBplVHGSDI ZLzL3pvV14dcsoajdeIH45i8DxnVm64BvEFHtLNlnliMrLOrk4shfmWyUqNlzilXN2BTFVFH 4MrnagFdcFnWYp1JPh96ZKjiqBwMv/H0kw==
Message-ID: <0d771bf0-309a-428f-4417-d0f784923189@cs.tcd.ie>
Date: Mon, 16 Sep 2019 22:42:17 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
MIME-Version: 1.0
In-Reply-To: <BN7PR11MB2547F76FF7FBAE9ECBBA8E0BC98C0@BN7PR11MB2547.namprd11.prod.outlook.com>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="DlGVkpDAyq4jKNe2Yk5h4KdthsvuDjtee"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/D-PnvruzQbmfb7DZd9LfItp24r4>
Subject: Re: [Secdispatch] Problem statement for post-quantum multi-algorithm PKI
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Sep 2019 21:42:30 -0000
Hiya, On 16/09/2019 22:35, Panos Kampanakis (pkampana) wrote: >> That seems to beg the question again as to why x.509 is needed at >> all as part of a PQ solution. > > Because there is nothing else as widely adopted. There is nothing "adopted" for PQ PKI, neither widely nor as a niche. > You haven't > articulated what would replace X.509 Yep, I said that before. It's worth a leisurely discussion as to what might be done. > and how the world would migrate > away from such a ubiquitous standard. I didn't say we ought migrate away from x.509, for classic algorithm uses. Just as acme account handling doesn't use x.509, something that may be needed for a PQ PKI does not have to use x.509. Cheers, S. > Composite classic+PQ X.509 may > not be the way to go, but replacing X.509 altogether with something > new is not a realistic goal imo. > > > > > -----Original Message----- From: Secdispatch > <secdispatch-bounces@ietf.org> On Behalf Of Stephen Farrell Sent: > Monday, September 16, 2019 4:59 PM To: secdispatch@ietf.org Subject: > Re: [Secdispatch] Problem statement for post-quantum multi-algorithm > PKI > > > Hiya, > > Replying to various folks at once... > > On 15/09/2019 15:29, Ira McDonald wrote: >> Hi, >> >> Thanks for the link to Kenny's talk. >> >> Stephen - The hard problem for automotive vehicles is that, even if >> Quantum Computing never comes to pass, algorithms and various >> implementations go on having new weaknesses found over time. But >> decent performance requires hardware assist, in many cases. But >> automotive ECUs are very unlikely to start have large FPGAs added >> soon. Replacing 100s of expensive ECUs in fielded vehicles to >> allow practical algorithm agility is not going to happen. This >> issue that Michael Richardson mentioned is at the top of the list >> for the automotive cybersecurity community. > > I don't understand how devices that are not going to be updated can > support algorithm agility. Perhaps you mean that you want to deploy > those devices soon and not update for a couple of decades or > something? If so, that sound like a bad plan to me, and one that'd be > better to not cater to really. (RFC8240 has lots of discussion of > that.) > > > On 16/09/2019 17:05, Mike Ounsworth wrote: >> My Goal: multi-vendor interop on PQ certificates. > > That seems to beg the question again as to why x.509 is needed at all > as part of a PQ solution. > >> I'm coming from the perspective of a CA; it can take years to >> distribute a root cert to all the places it needs to be before you >> can really start using it. Plus, people want to playing with these >> things ASAP to understand the scope of infrastructure changes >> required. There's the time pressure. >> >> I think you're right that to really deploy any meaningful 20 year >> root using, for example the small lattice schemes, we'll need to >> wait for the NIST PQC algs to stop having so much churn. >> >> That said, laying the groundwork for the "hybrid" property in >> certificates that the NIST PQC community is calling for will >> require much debate and a few RFCs. This work is necessary and >> independent of the choice of algorithm from the NIST PQC >> competition, so why should we wait until 2023 to _start_ thinking >> about it? Why not do it in parallel, be able to offer alpha test >> versions of PKI products before the conclusion of the NIST PQC, and >> be ready to drop-in the NIST winners the day they're ready? > > One reason to not do it in parallel is that we don't know how the > winning algorithm parameters will look. I can easily imagine NIST > modifying how those are encoded and/or introducing new variations, > after basic algorithms have been picked, leading to things having to > be re-done. > > (Sorry if the quoting is messed up below, if so, it was messed up in > my MUA before I started is my excuse:-) On 16/09/2019 19:06, Daniel > Van Geest wrote: >> Can we support multiple signatures inside a certificate? I don't >> think so. >> >> Why not? Mike’s problem statement draft has two potential >> technical solutions doing just that, each with advantages and >> disadvantages. Or is there more of a logistical or other issue? >> Knowing why you think we can’t support multiple signatures inside a >> certificate could help refine the problem statement. > > Again, that assumes that x.509 is a sensible part of a solution. We > should first question that. (Mike's draft [1] doesn't.) > > Secondly, even if x.509 additions were useful somehow for backwards > compatibility (which I find hard to believe TBH) then dealing with >> 1 certificate is likely far easier than messing about inside certs > and thereby breaking all the lovely/horrible x.509 code out there. So > Mike's section 2.1 [1] is way easier than the 2.[2|3] approaches, > despite it being the one with no specific drafts. > > Again, all that said, I do understand why it may be attractive for > those who produce certificates to argue for putting the PQ magic > beans inside x.509. There are costs elsewhere implied in doing that, > so it ought not be a starting-out assumption. > > I don't consider the question as to why a PQ x.509 is needed nor why > now has been satisfactorily answered so far. > > Cheers, S. > > [1] https://tools.ietf.org/html/draft-pq-pkix-problem-statement > _______________________________________________ Secdispatch mailing > list Secdispatch@ietf.org > https://www.ietf.org/mailman/listinfo/secdispatch >
- Re: [Secdispatch] Problem statement for post-quan… Dr. Pala
- [Secdispatch] Problem statement for post-quantum … Mike Ounsworth
- Re: [Secdispatch] Problem statement for post-quan… Scott Fluhrer (sfluhrer)
- Re: [Secdispatch] Problem statement for post-quan… Stephen Farrell
- Re: [Secdispatch] [EXTERNAL]Re: Problem statement… Mike Ounsworth
- Re: [Secdispatch] [EXTERNAL]Re: Problem statement… Stephen Farrell
- Re: [Secdispatch] [EXTERNAL]Re: Problem statement… Daniel Van Geest
- Re: [Secdispatch] [EXTERNAL]Re: Problem statement… Panos Kampanakis (pkampana)
- Re: [Secdispatch] Problem statement for post-quan… Kathleen Moriarty
- Re: [Secdispatch] [EXTERNAL]Re: Problem statement… Mike Ounsworth
- Re: [Secdispatch] [EXTERNAL]Re: Problem statement… Stephen Farrell
- Re: [Secdispatch] Problem statement for post-quan… Michael Richardson
- Re: [Secdispatch] Problem statement for post-quan… Stephen Farrell
- Re: [Secdispatch] Problem statement for post-quan… Salz, Rich
- Re: [Secdispatch] Problem statement for post-quan… Michael Richardson
- Re: [Secdispatch] Problem statement for post-quan… Mohit Sethi M
- Re: [Secdispatch] Problem statement for post-quan… Ira McDonald
- Re: [Secdispatch] [EXTERNAL]Re: Problem statement… Mike Ounsworth
- Re: [Secdispatch] Problem statement for post-quan… Daniel Van Geest
- Re: [Secdispatch] Problem statement for post-quan… Stephen Farrell
- Re: [Secdispatch] Problem statement for post-quan… Panos Kampanakis (pkampana)
- Re: [Secdispatch] [EXTERNAL]Re: Problem statement… Mike Ounsworth
- Re: [Secdispatch] Problem statement for post-quan… Stephen Farrell
- Re: [Secdispatch] Problem statement for post-quan… Ira McDonald
- Re: [Secdispatch] Problem statement for post-quan… Salz, Rich
- Re: [Secdispatch] [EXTERNAL]Re: Problem statement… Stephen Farrell
- Re: [Secdispatch] Problem statement for post-quan… Ira McDonald
- Re: [Secdispatch] Problem statement for post-quan… Salz, Rich
- Re: [Secdispatch] Problem statement for post-quan… Ira McDonald
- Re: [Secdispatch] Problem statement for post-quan… Douglas Stebila
- Re: [Secdispatch] [EXTERNAL]Re: Problem statement… Mike Ounsworth
- Re: [Secdispatch] [EXTERNAL]Re: Problem statement… Stephen Farrell
- Re: [Secdispatch] Problem statement for post-quan… Richard Barnes
- Re: [Secdispatch] Problem statement for post-quan… Michael Richardson
- Re: [Secdispatch] Problem statement for post-quan… Ira McDonald
- Re: [Secdispatch] [EXTERNAL]Re: Problem statement… Michael Richardson
- Re: [Secdispatch] Problem statement for post-quan… Stephen Farrell
- Re: [Secdispatch] [EXTERNAL]Re: Problem statement… Mike Ounsworth
- Re: [Secdispatch] [EXTERNAL]Re: Problem statement… Mike Ounsworth
- Re: [Secdispatch] [EXTERNAL]Re: Problem statement… Stephen Farrell
- Re: [Secdispatch] Problem statement for post-quan… Martin Thomson
- Re: [Secdispatch] [EXTERNAL]Re: Problem statement… Phillip Hallam-Baker
- Re: [Secdispatch] Problem statement for post-quan… Phillip Hallam-Baker
- Re: [Secdispatch] [EXTERNAL]Re: Problem statement… Dr. Pala
- Re: [Secdispatch] Problem statement for post-quan… John Mattsson
- Re: [Secdispatch] Problem statement for post-quan… Markku-Juhani O. Saarinen
- Re: [Secdispatch] Problem statement for post-quan… John Mattsson
- Re: [Secdispatch] Problem statement for post-quan… Mike Ounsworth
- Re: [Secdispatch] Problem statement for post-quan… Benjamin Kaduk