Re: [Secdispatch] [EXTERNAL]Re: Problem statement for post-quantum multi-algorithm PKI

Mike Ounsworth <> Tue, 17 September 2019 14:51 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 37BBA1200D8 for <>; Tue, 17 Sep 2019 07:51:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id EzlqHPu63eEE for <>; Tue, 17 Sep 2019 07:51:18 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 3A3E8120059 for <>; Tue, 17 Sep 2019 07:51:18 -0700 (PDT)
IronPort-SDR: m1nfUXs/FrnaSxWUC5Yfsf941s+RcNQN+MXpWcb0FsHOwXewTPvFSpqf/7wquoPASHzebeD400 VFJvFGyTubPw==
X-IronPort-AV: E=Sophos;i="5.64,516,1559538000"; d="scan'208";a="57174841"
Received: from (HELO ([]) by with ESMTP/TLS/ECDHE-RSA-AES256-SHA384; 17 Sep 2019 09:51:17 -0500
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1497.2; Tue, 17 Sep 2019 09:51:17 -0500
Received: from ([fe80::8084:293e:7f03:4ab2]) by ([fe80::8084:293e:7f03:4ab2%12]) with mapi id 15.00.1497.000; Tue, 17 Sep 2019 09:51:17 -0500
From: Mike Ounsworth <>
To: Stephen Farrell <>, "" <>
Thread-Topic: [EXTERNAL]Re: [Secdispatch] Problem statement for post-quantum multi-algorithm PKI
Thread-Index: AQHVaqTmZcXGWCwcF0WYVOY/XovtiqctBL+AgAAdxQCAAf8UgP//rotggABhqQCAAMaPYA==
Date: Tue, 17 Sep 2019 14:51:17 +0000
Message-ID: <>
References: <> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-CA, en-US
Content-Language: en-US
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [Secdispatch] [EXTERNAL]Re: Problem statement for post-quantum multi-algorithm PKI
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 17 Sep 2019 14:51:21 -0000

Hi Stephen,

I want to point out that while this discussion and existing came from LAMPS, and therefore are X.509 / PKIX in nature, the "Composite" proposal in my Problem Statement draft is lower level than X.509 and could be applied to any protocol that uses octet strings for public keys and signatures.

I've posted a new version with minor tweaks to make that more clear.

- - -
Mike Ounsworth | Office: +1 (613) 270-2873

-----Original Message-----
From: Stephen Farrell <> 
Sent: Monday, September 16, 2019 4:57 PM
To: Mike Ounsworth <>om>;
Subject: Re: [EXTERNAL]Re: [Secdispatch] Problem statement for post-quantum multi-algorithm PKI


On 16/09/2019 22:37, Mike Ounsworth wrote:
> Hi Stephen,
> I feel like we're arguing in circles here and not making any progress.

I don't think we're arguing in circles. (When one of us says that again, you may have a case:-)

> Re: figuring out "hybrid signature authentication" in parallel with 
> NIST; You seem to be implying that we can't work on defining message 
> structures to hold multiple keys and signatures until we know the 
> exact encodings of the NIST winners. I'm not sure I follow the reason 
> why.

"can't work" is not what I said. I argued it'd be unwise. My experience of the output of NIST competitions is that it seems often followed by a year or so of confusion as to how to represent algorithm parameters and as to how many variants of algorithms are defined. I also recall the NULL AlgorithmIdentifier parameters fun with x.509 going on for years. I bet if you went to stackexchange you'd find quite recent questions resulting from that decades old lack of clarity in defining such things.

> Currently, something like, for example, CMS (RFC 5652)  is abstracted 
> away from the encodings of a given algorithm; an algorithm can choose 
> any method it wishes to turn its public key and signature into an 
> octet string; how it does it is an internal detail of the algorithm 
> and has no bearing on the CMS spec. This is abstraction between 
> protocol and crypto is a core part of crypto agility. Surely we can 
> start thinking about how to properly combine multiple signatures 
> before we know exactly what those signatures will be.

Sure, chatting about that last is fine and I'm happy to engage.
Starting from an assumption that that mixing is done inside x.509 is begging the question though.

> Re: "Why X.509?" You seem to be expecting me to justify why X.509 is 
> worth keeping. I'm expecting you to propose an alternative and justify 
> why it's better. We're at a stalemate.

No. We're keeping x.509 (sadly:-). Yes, I'm asking for reasons why it is necessary to modify x.509 for a PQ PKI. If you don't have any argument to that effect that's fine, you're then arguing that this design is easier for you. That's a sane argument for what could be considered a not-sane outcome:-)

> Since X.509 is the accepted standard, I think the ball's in your court 
> here to justify why it should be binned.

Multiple algs/keys per cert requires everyone who uses
x.509 now to change. That is not warranted by wishes for a PQ PKI at this point, and perhaps never.

That and it's an ~30 year old not very good technology, so yeah, maybe I'm just fed up with it having first written code for x.509 in about 1992;-)


> - - - Mike Ounsworth | Office: +1 (613) 270-2873
> -----Original Message----- From: Secdispatch 
> <> On Behalf Of Stephen Farrell Sent:
> Monday, September 16, 2019 3:59 PM To: Subject:
> [EXTERNAL]Re: [Secdispatch] Problem statement for post-quantum 
> multi-algorithm PKI
> Hiya,
> Replying to various folks at once...
> On 15/09/2019 15:29, Ira McDonald wrote:
>> Hi,
>> Thanks for the link to Kenny's talk.
>> Stephen - The hard problem for automotive vehicles is that, even if  
>> Quantum Computing never comes to pass, algorithms and various 
>> implementations go on having new weaknesses found over time. But 
>> decent performance requires hardware assist, in many cases. But 
>> automotive ECUs are very unlikely to start have large FPGAs added 
>> soon.  Replacing 100s of expensive ECUs in fielded vehicles to allow 
>> practical algorithm agility is not going to happen.  This issue that 
>> Michael Richardson mentioned is at the top of the list for the 
>> automotive cybersecurity community.
> I don't understand how devices that are not going to be updated can 
> support algorithm agility. Perhaps you mean that you want to deploy 
> those devices soon and not update for a couple of decades or 
> something? If so, that sound like a bad plan to me, and one that'd be 
> better to not cater to really. (RFC8240 has lots of discussion of
> that.)
> On 16/09/2019 17:05, Mike Ounsworth wrote:
>> My Goal: multi-vendor interop on PQ certificates.
> That seems to beg the question again as to why x.509 is needed at all 
> as part of a PQ solution.
>> I'm coming from the perspective of a CA; it can take years to 
>> distribute a root cert to all the places it needs to be before you 
>> can really start using it. Plus, people want to playing with these 
>> things ASAP to understand the scope of infrastructure changes 
>> required. There's the time pressure.
>> I think you're right that to really deploy any meaningful 20 year 
>> root using, for example the small lattice schemes, we'll need to wait 
>> for the NIST PQC algs to stop having so much churn.
>> That said, laying the groundwork for the "hybrid" property in 
>> certificates that the NIST PQC community is calling for will require 
>> much debate and a few RFCs. This work is necessary and independent of 
>> the choice of algorithm from the NIST PQC competition, so why should 
>> we wait until 2023 to _start_ thinking about it? Why not do it in 
>> parallel, be able to offer alpha test versions of PKI products before 
>> the conclusion of the NIST PQC, and be ready to drop-in the NIST 
>> winners the day they're ready?
> One reason to not do it in parallel is that we don't know how the 
> winning algorithm parameters will look. I can easily imagine NIST 
> modifying how those are encoded and/or introducing new variations, 
> after basic algorithms have been picked, leading to things having to 
> be re-done.
> (Sorry if the quoting is messed up below, if so, it was messed up in 
> my MUA before I started is my excuse:-) On 16/09/2019 19:06, Daniel 
> Van Geest wrote:
>> Can we support multiple signatures inside a certificate? I don't 
>> think so.
>> Why not?  Mike’s problem statement draft has two potential technical 
>> solutions doing just that, each with advantages and disadvantages. Or 
>> is there more of a logistical or other issue?
>> Knowing why you think we can’t support multiple signatures inside a 
>> certificate could help refine the problem statement.
> Again, that assumes that x.509 is a sensible part of a solution. We 
> should first question that. (Mike's draft [1] doesn't.)
> Secondly, even if x.509 additions were useful somehow for backwards 
> compatibility (which I find hard to believe TBH) then dealing with
>> 1 certificate is likely far easier than messing about inside certs
> and thereby breaking all the lovely/horrible x.509 code out there. So 
> Mike's section 2.1 [1] is way easier than the 2.[2|3] approaches, 
> despite it being the one with no specific drafts.
> Again, all that said, I do understand why it may be attractive for 
> those who produce certificates to argue for putting the PQ magic beans 
> inside x.509. There are costs elsewhere implied in doing that, so it 
> ought not be a starting-out assumption.
> I don't consider the question as to why a PQ x.509 is needed nor why 
> now has been satisfactorily answered so far.
> Cheers, S.
> [1]