Re: [Secdispatch] Clarification Question for the Comment from Eric Rescorla (
Eric Rescorla <ekr@rtfm.com> Thu, 26 December 2019 01:58 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 989AF1200DE for <secdispatch@ietfa.amsl.com>; Wed, 25 Dec 2019 17:58:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2pyVwvtfX8yd for <secdispatch@ietfa.amsl.com>; Wed, 25 Dec 2019 17:57:58 -0800 (PST)
Received: from mail-lj1-x22b.google.com (mail-lj1-x22b.google.com [IPv6:2a00:1450:4864:20::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 064BF1200B5 for <secdispatch@ietf.org>; Wed, 25 Dec 2019 17:57:58 -0800 (PST)
Received: by mail-lj1-x22b.google.com with SMTP id a13so23621155ljm.10 for <secdispatch@ietf.org>; Wed, 25 Dec 2019 17:57:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=59mm5u8OJ3JQK/NstsGDyAKnRO8OOAqAcl5FvuICpdo=; b=CJMijBSB8egxURCPZoJgexiByU52GCcZIJPcpjgIOfqcXVTAGG0dDagPPaFNlWUnu0 UYAQDsWlXORLm6DC0qfe5BtCTifySQLgIOA0Pl0GEGevkdG62yJNlKFA2y0LZ0w3pMB/ B5YR4qF/Mhl+o1q9DBMd4Ly3eF30nvcyQ5h/Ea6ogZLCUu/yx1Ti061JMxTnFONm6k8c wOV6fLZaDr3nt29AYCdCS5yX9FHGBbryyEl+uQuzQeS4Uv7NEjE4HONJ5qQ6cLaXhVuF m+X0o/D/BOIrA9Gld7u33o3Yf5WzwzvSRUJlH/NZUC+zlFRdykNS0iEJPUu+dwM1h9Zi Z8Qw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=59mm5u8OJ3JQK/NstsGDyAKnRO8OOAqAcl5FvuICpdo=; b=T2U0RRkJNmWhhv4q8ycRPpS3oA4sHZmeRVh/R+tB/fe8oOeQ8/VnouJqgO3W5gaUhX JcwAdZzTXitQfjYWOwWzT+QL9TCRpptgEdAFR0YBB+hQEEjEQtOwSsaYHogiuZ0cVrpL 8UAPd0I2aqPvc8m1mQQXyq1eI5WxZvG0e5TXHi0WigbQRJaUaPMzm70/ZBtOJod4n/d6 uH1m4HGcHawhWII8dpnlZKndW6FzfbZvyFeq/vL7vEWeOriUL/LkEeuf5FF0Vy37M2HH Jcrq8US+icFF/BOq3JVnRD91zT1Cfel+Kg6BUpvwS53Rg0VvvYE3PXe7xW0ngCrUSMNr l9Bg==
X-Gm-Message-State: APjAAAUsqbhLWGFeX7VIJNTV6yURNj8oUkKZQx+3fKtyKkqaoQmHzv76 fKfO2E/unkMHkqt9BeKgtK3oYNiV609u1Trp/snedA==
X-Google-Smtp-Source: APXvYqz1bJgIjdBLLAnMmHzA2A2SqcFWTzR7yYkGDwRwf3eXqQmjEWiOKANnwT8m0nmr87I0zAoWbY+rFHSnHPVlrNA=
X-Received: by 2002:a2e:95c4:: with SMTP id y4mr24661644ljh.38.1577325476077; Wed, 25 Dec 2019 17:57:56 -0800 (PST)
MIME-Version: 1.0
References: <12eed4ff-edd2-7f70-9460-fc86dcbab927@openca.org> <CABcZeBPbAgBfC6Et+OKQi2=GwsyeyKEKfW5GG=StUepQwy+f0g@mail.gmail.com> <7999ebac-c9c1-eb4f-d9f7-2ba814a3b331@cs.tcd.ie> <78997490-c5ae-c856-6e26-0f79c7733ca3@openca.org> <CABcZeBM5WgpcBP4axBvzWaxKU=JA-K-4qiVxhhO1+HzFf246aw@mail.gmail.com> <95B2FAB7-66FA-44F2-84F8-FA23737AA38F@akamai.com> <CABcZeBM06FEiMkDVhOPnQggHCG7DeOVkNLNn1w2wDnhy6rJuhg@mail.gmail.com> <07119213-1702-4742-A34F-EDEDBF294FCF@icloud.com>
In-Reply-To: <07119213-1702-4742-A34F-EDEDBF294FCF@icloud.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 25 Dec 2019 17:57:19 -0800
Message-ID: <CABcZeBO7DSn3vaghfk5ADSEM-Wx50HtQHtN_OKNk5zeWkuXJ0Q@mail.gmail.com>
To: Carrick Bartle <cbartle891@icloud.com>
Cc: "Salz, Rich" <rsalz@akamai.com>, "Dr. Pala" <madwolf@openca.org>, IETF SecDispatch <secdispatch@ietf.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Type: multipart/alternative; boundary="000000000000b2780b059a91b49c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/Po_nRj4xgB4mDK7S3pbZ9zgc5iI>
Subject: Re: [Secdispatch] Clarification Question for the Comment from Eric Rescorla (
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Dec 2019 01:58:01 -0000
On Mon, Dec 23, 2019 at 8:38 PM Carrick Bartle <cbartle891@icloud.com> wrote: > How can it be true that it's too early to start developing a protocol > for composite keys and signatures for Web PKI when Cloudflare and > Google have already finished a round of experiments with composite key > exchanges? Maybe I'm reading too much into it, but the existence of > those experiments suggested to me that the need for composite/composite > implementations was imminent. (I understand that the draft in question > concerns signatures, not key exchanges, but apparently there isn't > even a draft for the latter yet.) ISTM that these cases are pretty different, in a number of respects. First, the primary rationale for doing composite key exchange now is to defend against retrospective attacks in case a quantum computer exists in the future. In this setting, it isn't critically important to have the PQ algorithm be the one we eventually land on, because each connection is separately negotiated and as long as the PQ algorithm has some security, you're getting benegit,. The primary rationale for doing PQ authentication now (or for that matter composite authentication) is to be prepared for the day when QC exists and we are therefore unable to rely on classical algorithms. However, it's not useful to be prepared in that fashion unless the algorithm that you are deploying is the one that is eventually selected, because otherwise you just have to start over once the selection is made. Moreover, in order to be truly prepared, what you need isn't principally relying party deployment, but rather authenticating party (in the case of the WebPKI, server-side) deployment. The reason for this is that in the world where a QC exists, you don't have protection until the relying party refuses to accept the classical credential [0], and at present, any client which does so will effectively be unable to communicate. And in order to make that happen, relying parties will have to require a post-quantum algorithm (most likely as a composite) and that's something I don't expect them to be willing to do until there's widespread agreement on what that algorithm should be. > If not now, when? After NIST crowns a winner? I don't see why it's > necessary to wait that long given that the proposed solutions are > algorithm-independent. And since the standardization process takes a > while, won't waiting until then mean that there won't be a standard > until after it's needed? No, i don't think so. For the reasons above, ISTM that real deployment will have to wait until we have a selected algorithm. One could, as you suggest, deploy some sort of multi-algorithm container, but IMO we will be far better off just deploying new composite algorithms as if the were single new algorithms, in the same way as we have done for key establishment. For this reason, I think we ought to wait until there is a consensus PQ signature algorithm, at least for the WebPKI. -Ekr [0] This is why this kind of composite isn't helpful in the world where a secret QC exists not. >
- [Secdispatch] Clarification Question for the Comm… Dr. Pala
- Re: [Secdispatch] Clarification Question for the … Eric Rescorla
- Re: [Secdispatch] Clarification Question for the … Stephen Farrell
- Re: [Secdispatch] Clarification Question for the … Dr. Pala
- Re: [Secdispatch] Clarification Question for the … Eric Rescorla
- Re: [Secdispatch] Clarification Question for the … Salz, Rich
- Re: [Secdispatch] Clarification Question for the … Eric Rescorla
- Re: [Secdispatch] [EXTERNAL]Re: Clarification Que… Mike Ounsworth
- Re: [Secdispatch] [EXTERNAL]Re: Clarification Que… Stephen Farrell
- Re: [Secdispatch] [EXTERNAL]Re: Clarification Que… Panos Kampanakis (pkampana)
- Re: [Secdispatch] [EXTERNAL]Re: Clarification Que… Stephen Farrell
- Re: [Secdispatch] [EXTERNAL]Re: Clarification Que… Eric Rescorla
- Re: [Secdispatch] [EXTERNAL]Re: Clarification Que… Stephen Farrell
- Re: [Secdispatch] [EXTERNAL]Re: Clarification Que… Michael Richardson
- Re: [Secdispatch] [EXTERNAL]Re: Clarification Que… Panos Kampanakis (pkampana)
- Re: [Secdispatch] [EXTERNAL]Re: Clarification Que… Mike Ounsworth
- Re: [Secdispatch] [EXTERNAL]Re: Clarification Que… Michael Richardson
- Re: [Secdispatch] Clarification Question for the … Carrick Bartle
- Re: [Secdispatch] Clarification Question for the … Eric Rescorla
- Re: [Secdispatch] Clarification Question for the … Carrick Bartle
- Re: [Secdispatch] Clarification Question for the … Eric Rescorla
- Re: [Secdispatch] Clarification Question for the … Carrick Bartle
- Re: [Secdispatch] Clarification Question for the … Eric Rescorla
- Re: [Secdispatch] Clarification Question for the … Douglas Stebila
- Re: [Secdispatch] [EXTERNAL]Re: Clarification Que… Mike Ounsworth
- Re: [Secdispatch] [EXTERNAL]Re: Clarification Que… Eric Rescorla
- Re: [Secdispatch] [EXTERNAL]Re: Clarification Que… Mike Ounsworth