Re: [Secdispatch] Problem statement for post-quantum multi-algorithm PKI

["Dr. Pala" <madwolf@openca.org>]

Hi SecDispatch, Mike,

Our industry (Cable) is working on this problem already - some of our 
members have started investigating few things in the post-quantum field 
and in particular how to protect our PKIs in this uncertain environment.

With few billions certificates issued across the industry, we heavily 
rely on certificates for device authentication and, therefore, we need 
to work on a solution today.

For us, the use of Composite Crypto is quite an interesting path to 
pursue because it provides an easy way to protect today our PKIs against 
the factorization threat (not only certificates, but all the data 
structures for PKIX) thus allowing to verify the authentication with 
Post-Quantum algorithms when we will need to make the switch (deferred 
Algorithm Agility).

We intend to support this idea and actively deploy it for our PKIs and 
eventually expand the adoption of this approach in other environments we 
are engaged in (e.g., medical devices, cellular networks, WiFi Alliance 
and WBA, etc.)

Looking forward to find a good home for this project within the IETF - a 
simple but powerful tool for our "PKI toolboxes"

Cheers,
Max


> Hi SecDispatch,
>
> This got bounced here from LAMPS because the scope is potentially more than a "limited" pkix change, and because this needs multi-WG visibility to decide on a category of solution.
>
>
>
> Background / history
> --------------------
>
> The Post-Quantum community (for example, surrounding the NIST PQC competition), is pushing for "hybridized" crypto that combines RSA/ECC with new primitives in order to hedge our bets against both quantum adversaries, and also algorithmic / mathematical breaks of the new primitives.
>
>
> A year and a half ago, a draft was put to LAMPS for putting PQ public key and signatures into X.509v3 extensions. This draft has been allowed to expire, but is being pursued at the ITU.
> https://datatracker.ietf.org/doc/draft-truskovsky-lamps-pq-hybrid-x509/
>
>
> Earlier this year, a new draft was put to LAMPS for defining "composite" public key and signature algorithms that, essentially, concatenate multiple crypto algorithms into a single key or signature octet string. This draft stalled in LAMPS over whether it is the correct overall approach.
> https://datatracker.ietf.org/doc/draft-ounsworth-pq-composite-sigs/
>
>
> Now I'm taking a step back and submitting a draft that acts as a semi-formal problem statement, and an overview of the three main categories of solutions.
> https://datatracker.ietf.org/doc/draft-pq-pkix-problem-statement/
>
>
>
>
> My Opinion
> ----------
>
> Personally, I'm fairly agnostic to the chosen solution, but feel that we need some kind of standard(s) around the post-quantum transition for certificates and PKI. Personally, I feel that Composite is mature enough as an idea to standardize as a tool in our toolbox for contexts where it makes sense, even if a different mechanism is preferred for TLS and IPSEC/IKE.
>
>
>
>
> Requested action from SECDISPATCH
> ---------------------------------
>
> 1. Feedback on the problem statement draft.https://datatracker.ietf.org/doc/draft-pq-pkix-problem-statement/
>
> 2. Discussion of how to progress this.
>
>
>
>
> PS I'm a new IETF'er, please be gentle :P
>
> Thanks,
> - - -
> Mike Ounsworth | Software Security Architect
> Entrust Datacard

-- 
Best Regards,
Massimiliano Pala, Ph.D.
OpenCA Labs Director
OpenCA Logo