[Secdispatch] Problem statement for post-quantum multi-algorithm PKI

Mike Ounsworth <Mike.Ounsworth@entrustdatacard.com> Wed, 11 September 2019 21:11 UTC

From: Mike Ounsworth <Mike.Ounsworth@entrustdatacard.com>
To: "secdispatch@ietf.org" <secdispatch@ietf.org>
Date: Wed, 11 Sep 2019 21:11:23 +0000
Message-ID: <2e753a7983bf40b490b4fcbb75550da3@PMSPEX05.corporate.datacard.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/bShD4lyu_cgiS6LeBemGKb8_ZCQ>
Subject: [Secdispatch] Problem statement for post-quantum multi-algorithm PKI
List-Id: Security Dispatch <secdispatch.ietf.org>

Hi SecDispatch,

This got bounced here from LAMPS because the scope is potentially more than a "limited" PKIX change, and because this needs multi-WG visibility to decide on a category of solution.

Background / history

The Post-Quantum community (for example, surrounding the NIST PQC competition) is pushing for "hybridized" crypto that combines RSA/ECC with new primitives in order to hedge our bets against both quantum adversaries and algorithmic / mathematical breaks of the new primitives.

A year and a half ago, a draft was put to LAMPS for putting PQ public keys and signatures into X.509v3 extensions. This draft has been allowed to expire, but is being pursued at the ITU.

Earlier this year, a new draft was put to LAMPS for defining "composite" public key and signature algorithms that, essentially, concatenate multiple crypto algorithms into a single key or signature octet string. This draft stalled in LAMPS over whether it is the correct overall approach.

Now I'm taking a step back and submitting a draft that acts as a semi-formal problem statement, and an overview of the three main categories of solutions.

My Opinion

Personally, I'm fairly agnostic to the chosen solution, but feel that we need some kind of standard(s) around the post-quantum transition for certificates and PKI. Personally, I feel that Composite is mature enough as an idea to standardize as a tool in our toolbox for contexts where it makes sense, even if a different mechanism is preferred for TLS and IPSEC/IKE.

Requested action from SECDISPATCH

1. Feedback on the problem statement draft: https://datatracker.ietf.org/doc/draft-pq-pkix-problem-statement/

2. Discussion of how to progress this.

PS I'm a new IETF'er, please be gentle :P

- - -
Mike Ounsworth | Software Security Architect
Entrust Datacard
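As an added illustration of the "composite" idea described in the message (not code from Mike Ounsworth, the draft, or any project), the following Go program concatenates two component signatures into a single octet string and verifies them with AND semantics, so that a break of either algorithm alone does not yield a forgery. Assumptions: Ed25519 and ECDSA P-256 stand in for a classical + post-quantum pair because the Go standard library has no PQ scheme, and the 2-byte length-prefix framing is this example's own choice, not the draft's encoding.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Ed25519 and ECDSA P-256 stand in for the classical + post-quantum pair
// (assumption: Go's standard library ships no PQ scheme). Sign emits one octet
// string: each component signature behind a 2-byte big-endian length prefix.
func Sign(ed ed25519.PrivateKey, ec *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	edSig, h := ed25519.Sign(ed, msg), sha256.Sum256(msg)
	ecSig, err := ecdsa.SignASN1(rand.Reader, ec, h[:])
	if err != nil {
		return nil, err
	}
	out := append([]byte{byte(len(edSig) >> 8), byte(len(edSig))}, edSig...)
	out = append(out, byte(len(ecSig)>>8), byte(len(ecSig)))
	return append(out, ecSig...), nil
}

// Verify accepts only if every component validates (AND semantics), so a break
// of one algorithm alone yields no forgery; truncation and trailing bytes are rejected.
func Verify(edPub ed25519.PublicKey, ecPub *ecdsa.PublicKey, msg, sig []byte) error {
	var parts [][]byte
	for i := 0; i < 2; i++ {
		if len(sig) < 2 || len(sig)-2 < int(sig[0])<<8|int(sig[1]) {
			return fmt.Errorf("component %d truncated", i)
		}
		l := int(sig[0])<<8 | int(sig[1])
		parts, sig = append(parts, sig[2:2+l]), sig[2+l:]
	}
	h := sha256.Sum256(msg)
	if len(sig) != 0 || !ed25519.Verify(edPub, msg, parts[0]) ||
		!ecdsa.VerifyASN1(ecPub, h[:], parts[1]) {
		return fmt.Errorf("composite signature rejected")
	}
	return nil
}

func main() {
	edPub, ed, _ := ed25519.GenerateKey(rand.Reader)
	ec, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	sig, _ := Sign(ed, ec, []byte("hello"))
	fmt.Println(Verify(edPub, &ec.PublicKey, []byte("hello"), sig)) // <nil>
}
```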