Re: [Secdispatch] Clarification Question for the Comment from Eric Rescorla (

Carrick Bartle <cbartle891@icloud.com> Thu, 02 January 2020 18:45 UTC

Return-Path: <cbartle891@icloud.com>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 40D1D120122 for <secdispatch@ietfa.amsl.com>; Thu, 2 Jan 2020 10:45:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.447
X-Spam-Level:
X-Spam-Status: No, score=-2.447 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=icloud.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3NJYe-YscZJE for <secdispatch@ietfa.amsl.com>; Thu, 2 Jan 2020 10:45:35 -0800 (PST)
Received: from mr85p00im-ztdg06011901.me.com (mr85p00im-ztdg06011901.me.com [17.58.23.198]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F8AC12012A for <secdispatch@ietf.org>; Thu, 2 Jan 2020 10:45:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=icloud.com; s=1a1hai; t=1577990722; bh=IUtz6fs7qFSkrtFqe1QLKl0/ShW/PWzuTj/H3kKKBKY=; h=From:Message-Id:Content-Type:Subject:Date:To; b=EngI/GGDjq0DmWFtgw8VKfTQB6yosrHRzNHLMcUGLlJxgg2VFCnJPUCdQTBeagi9j 9iET5EbM4qb+Hex4UnFtfxGcXg5VyW9mPVsnxvs0PV7pDdACCadadsBNLaV8gVgQbr nXi5zZselj5Yk+elb9aZ/K9b/hCDDERkZPi1Z6E1EYPguTygDPGvSV6KHa5ztZNy8A u5NpwmNaIoEFmh35cUvHpWaqabj7bKVBs8MqNAyEIELV4OSbroP8bgx8mXGTf/bdbb 9TKeKXEJbx3kYdH6UWxrdPCjPtW8+iq/RvAn5Eh8vcEaFFu+jT/0S2BcH7g6nydeCz WC0BozY9TNDQQ==
Received: from [17.230.160.114] (unknown [17.230.160.114]) by mr85p00im-ztdg06011901.me.com (Postfix) with ESMTPSA id A00E1A60A57; Thu, 2 Jan 2020 18:45:22 +0000 (UTC)
From: Carrick Bartle <cbartle891@icloud.com>
Message-Id: <3FFD9FD4-10E3-41B5-B086-A0AF17EF6899@icloud.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_CBFF9AB2-7EFA-409C-9520-796191E7E393"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.3\))
Date: Thu, 2 Jan 2020 10:45:21 -0800
In-Reply-To: <CABcZeBO7DSn3vaghfk5ADSEM-Wx50HtQHtN_OKNk5zeWkuXJ0Q@mail.gmail.com>
Cc: "Dr. Pala" <madwolf@openca.org>, "Salz, Rich" <rsalz@akamai.com>, IETF SecDispatch <secdispatch@ietf.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: Eric Rescorla <ekr@rtfm.com>
References: <12eed4ff-edd2-7f70-9460-fc86dcbab927@openca.org> <CABcZeBPbAgBfC6Et+OKQi2=GwsyeyKEKfW5GG=StUepQwy+f0g@mail.gmail.com> <7999ebac-c9c1-eb4f-d9f7-2ba814a3b331@cs.tcd.ie> <78997490-c5ae-c856-6e26-0f79c7733ca3@openca.org> <CABcZeBM5WgpcBP4axBvzWaxKU=JA-K-4qiVxhhO1+HzFf246aw@mail.gmail.com> <95B2FAB7-66FA-44F2-84F8-FA23737AA38F@akamai.com> <CABcZeBM06FEiMkDVhOPnQggHCG7DeOVkNLNn1w2wDnhy6rJuhg@mail.gmail.com> <07119213-1702-4742-A34F-EDEDBF294FCF@icloud.com> <CABcZeBO7DSn3vaghfk5ADSEM-Wx50HtQHtN_OKNk5zeWkuXJ0Q@mail.gmail.com>
X-Mailer: Apple Mail (2.3608.80.3)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2020-01-02_06:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1908290000 definitions=main-2001020154
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/RDGvr9yoKx7a7A7AzrXyikz7Ymc>
Subject: Re: [Secdispatch] Clarification Question for the Comment from Eric Rescorla (
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Jan 2020 18:45:39 -0000

> it's not useful to be prepared in that fashion
> unless the algorithm that you are deploying is the one that is
> eventually selected, because otherwise you just have to start over
> once the selection is made.

Just to be specific, do you mean, for instance, all the certificates with the PQ algorithm that wasn't chosen would have to be revoked?

> the primary rationale for doing composite key exchange now is to
> defend against retrospective attacks in case a quantum computer exists
> in the future. In this setting, it isn't critically important to have
> the PQ algorithm be the one we eventually land on, because each
> connection is separately negotiated and as long as the PQ algorithm
> has some security, you're getting benegit,.


In that case, would it make sense to take the next step with drafting an intended standard for composite key exchanges (that is PQ algorithm-agnostic)? If not, why not?

Carrick




> On Dec 25, 2019, at 5:57 PM, Eric Rescorla <ekr@rtfm.com> wrote:
> 
> On Mon, Dec 23, 2019 at 8:38 PM Carrick Bartle <cbartle891@icloud.com <mailto:cbartle891@icloud.com>> wrote:
> > How can it be true that it's too early to start developing a protocol
> > for composite keys and signatures for Web PKI when Cloudflare and
> > Google have already finished a round of experiments with composite key
> > exchanges? Maybe I'm reading too much into it, but the existence of
> > those experiments suggested to me that the need for composite/composite
> > implementations was imminent. (I understand that the draft in question
> > concerns signatures, not key exchanges, but apparently there isn't
> > even a draft for the latter yet.)
> 
> ISTM that these cases are pretty different, in a number of respects.
> 
> First, the primary rationale for doing composite key exchange now is to
> defend against retrospective attacks in case a quantum computer exists
> in the future. In this setting, it isn't critically important to have
> the PQ algorithm be the one we eventually land on, because each
> connection is separately negotiated and as long as the PQ algorithm
> has some security, you're getting benegit,.
> 
> The primary rationale for doing PQ authentication now (or for that
> matter composite authentication) is to be prepared for the day when QC
> exists and we are therefore unable to rely on classical
> algorithms. However, it's not useful to be prepared in that fashion
> unless the algorithm that you are deploying is the one that is
> eventually selected, because otherwise you just have to start over
> once the selection is made.
> 
> Moreover, in order to be truly prepared, what you need isn't
> principally relying party deployment, but rather authenticating party
> (in the case of the WebPKI, server-side) deployment. The reason for
> this is that in the world where a QC exists, you don't have protection
> until the relying party refuses to accept the classical credential
> [0], and at present, any client which does so will effectively be
> unable to communicate. And in order to make that happen, relying
> parties will have to require a post-quantum algorithm (most likely as
> a composite) and that's something I don't expect them to be willing to do
> until there's widespread agreement on what that algorithm should be.
> 
> 
> > If not now, when? After NIST crowns a winner? I don't see why it's
> > necessary to wait that long given that the proposed solutions are
> > algorithm-independent. And since the standardization process takes a
> > while, won't waiting until then mean that there won't be a standard
> > until after it's needed?
> 
> No, i don't think so.
> 
> For the reasons above, ISTM that real deployment will have to wait
> until we have a selected algorithm. One could, as you suggest, deploy
> some sort of multi-algorithm container, but IMO we will be far better
> off just deploying new composite algorithms as if the were single
> new algorithms, in the same way as we have done for key establishment.
> 
> For this reason, I think we ought to wait until there is a consensus
> PQ signature algorithm, at least for the WebPKI.
> 
> -Ekr
> 
> [0] This is why this kind of composite isn't helpful in the world
> where a secret QC exists not.
> 
> 
> _______________________________________________
> Secdispatch mailing list
> Secdispatch@ietf.org
> https://www.ietf.org/mailman/listinfo/secdispatch