Re: [Secdispatch] Clarification Question for the Comment from Eric Rescorla (

Carrick Bartle <cbartle891@icloud.com> Thu, 02 January 2020 19:19 UTC

Return-Path: <cbartle891@icloud.com>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 13081120103 for <secdispatch@ietfa.amsl.com>; Thu, 2 Jan 2020 11:19:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.447
X-Spam-Level:
X-Spam-Status: No, score=-2.447 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=icloud.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WhQxletSO6lc for <secdispatch@ietfa.amsl.com>; Thu, 2 Jan 2020 11:19:51 -0800 (PST)
Received: from mr85p00im-ztdg06011201.me.com (mr85p00im-ztdg06011201.me.com [17.58.23.181]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 45C941200CD for <secdispatch@ietf.org>; Thu, 2 Jan 2020 11:19:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=icloud.com; s=1a1hai; t=1577992790; bh=rOseGqQWtVKlVFaxeuXTCTJma5EFPnooOweYaOHRp50=; h=From:Message-Id:Content-Type:Subject:Date:To; b=LhyAo+8eY2tkyZDjQYnSBmlKLo4eGMWp7Y4emQlHSSarr434xL4nsHrWYrQDjXtX/ OXjZWYTno1fPvloMMA2bIBo3XEjDOdWJTETYXVVamD3be+8erkzPRmApOXQ8kiwMcD Iz3hh38x8ORUS2gKOrS4oZwbDUggaTmoE/YvYJLSjohDm7N6KiSj1BO2sDdz3ffBXq esx8vHUqoTERMbAOdZYB42Q4O0fHDLU6Wi2+ieRTJDXpZIO4mCn3oQ0TOxDKcMU1Vl zV83pwaRxrBwrITSEFbKnjpYBZx9j8FhVWvAqkcWj7eWEE5v77izZLR+ZmN2ztbFof oqGKkbLm2CG/g==
Received: from [17.230.160.114] (unknown [17.230.160.114]) by mr85p00im-ztdg06011201.me.com (Postfix) with ESMTPSA id 63FB1400A7D; Thu, 2 Jan 2020 19:19:50 +0000 (UTC)
From: Carrick Bartle <cbartle891@icloud.com>
Message-Id: <DB512B60-8851-480A-98DE-73CF6336DC08@icloud.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_40EA03CC-C47F-4B5C-BD51-3003BEBDE6DC"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.3\))
Date: Thu, 2 Jan 2020 11:19:49 -0800
In-Reply-To: <CABcZeBOCwqhZjDmVqFUK4CmYX-=-BxT6sjrj4AUUFtZ_ZAw_aQ@mail.gmail.com>
Cc: "Dr. Pala" <madwolf@openca.org>, "Salz, Rich" <rsalz@akamai.com>, IETF SecDispatch <secdispatch@ietf.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: Eric Rescorla <ekr@rtfm.com>
References: <12eed4ff-edd2-7f70-9460-fc86dcbab927@openca.org> <CABcZeBPbAgBfC6Et+OKQi2=GwsyeyKEKfW5GG=StUepQwy+f0g@mail.gmail.com> <7999ebac-c9c1-eb4f-d9f7-2ba814a3b331@cs.tcd.ie> <78997490-c5ae-c856-6e26-0f79c7733ca3@openca.org> <CABcZeBM5WgpcBP4axBvzWaxKU=JA-K-4qiVxhhO1+HzFf246aw@mail.gmail.com> <95B2FAB7-66FA-44F2-84F8-FA23737AA38F@akamai.com> <CABcZeBM06FEiMkDVhOPnQggHCG7DeOVkNLNn1w2wDnhy6rJuhg@mail.gmail.com> <07119213-1702-4742-A34F-EDEDBF294FCF@icloud.com> <CABcZeBO7DSn3vaghfk5ADSEM-Wx50HtQHtN_OKNk5zeWkuXJ0Q@mail.gmail.com> <3FFD9FD4-10E3-41B5-B086-A0AF17EF6899@icloud.com> <CABcZeBOCwqhZjDmVqFUK4CmYX-=-BxT6sjrj4AUUFtZ_ZAw_aQ@mail.gmail.com>
X-Mailer: Apple Mail (2.3608.80.3)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2020-01-02_06:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1908290000 definitions=main-2001020156
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/p99wvPhvmUngxgmahEhVhK4mffg>
Subject: Re: [Secdispatch] Clarification Question for the Comment from Eric Rescorla (
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Jan 2020 19:19:53 -0000

> What "start over" means in this case is get to the point where there is a critical mass of client and server deployment, a process which takes time.


I see.

> I think not, at least for TLS. The consensus of implementors seems to be that it's better to just cast composite algorithms as if they were new DH groups, so there's not a huge amount of leverage in a generic mechanism.


My understanding is that the Cloudflare-Google implementation generated two separate shared secrets. Also this draft references several different "ad hoc" approaches in implementations: https://tools.ietf.org/html/draft-stebila-tls-hybrid-design-01 <https://tools.ietf.org/html/draft-stebila-tls-hybrid-design-01>.

Carrick


> On Jan 2, 2020, at 10:50 AM, Eric Rescorla <ekr@rtfm.com> wrote:
> 
> 
> 
> On Thu, Jan 2, 2020 at 10:45 AM Carrick Bartle <cbartle891@icloud.com <mailto:cbartle891@icloud.com>> wrote:
>> it's not useful to be prepared in that fashion
>> unless the algorithm that you are deploying is the one that is
>> eventually selected, because otherwise you just have to start over
>> once the selection is made.
> 
> Just to be specific, do you mean, for instance, all the certificates with the PQ algorithm that wasn't chosen would have to be revoked?
> 
> Probably not. 
> 
> At a high level, there are two possible designs:
> 
> 1. A certificate which has a composite signature in place of the classical signature and thus cannot be validated by old clients.
> 2. A certificate which has a PQ signature somehow attached in a way that it leaves the classical signature valid (as in an extension).
> 
> In the former case, every server would need two certificates (one composite and one classical) and use signature_algorithms to distinguish which one to use. Once clients stopped liking the old PQ algorithm, then those composite certificates would become irrelevant and just be unused. In the latter case, the certificates would continue to be valid and the client could just ignore the PQ part of the signature.
> 
> What "start over" means in this case is get to the point where there is a critical mass of client and server deployment, a process which takes time.
> 
>> the primary rationale for doing composite key exchange now is to
>> defend against retrospective attacks in case a quantum computer exists
>> in the future. In this setting, it isn't critically important to have
>> the PQ algorithm be the one we eventually land on, because each
>> connection is separately negotiated and as long as the PQ algorithm
>> has some security, you're getting benegit,.
> 
> 
> In that case, would it make sense to take the next step with drafting an intended standard for composite key exchanges (that is PQ algorithm-agnostic)? If not, why not?
> 
> I think not, at least for TLS. The consensus of implementors seems to be that it's better to just cast composite algorithms as if they were new DH groups, so there's not a huge amount of leverage in a generic mechanism.
> 
> -Ekr
> 
> Carrick
> 
> 
> 
> 
>> On Dec 25, 2019, at 5:57 PM, Eric Rescorla <ekr@rtfm.com <mailto:ekr@rtfm.com>> wrote:
>> 
>> On Mon, Dec 23, 2019 at 8:38 PM Carrick Bartle <cbartle891@icloud.com <mailto:cbartle891@icloud.com>> wrote:
>> > How can it be true that it's too early to start developing a protocol
>> > for composite keys and signatures for Web PKI when Cloudflare and
>> > Google have already finished a round of experiments with composite key
>> > exchanges? Maybe I'm reading too much into it, but the existence of
>> > those experiments suggested to me that the need for composite/composite
>> > implementations was imminent. (I understand that the draft in question
>> > concerns signatures, not key exchanges, but apparently there isn't
>> > even a draft for the latter yet.)
>> 
>> ISTM that these cases are pretty different, in a number of respects.
>> 
>> First, the primary rationale for doing composite key exchange now is to
>> defend against retrospective attacks in case a quantum computer exists
>> in the future. In this setting, it isn't critically important to have
>> the PQ algorithm be the one we eventually land on, because each
>> connection is separately negotiated and as long as the PQ algorithm
>> has some security, you're getting benegit,.
>> 
>> The primary rationale for doing PQ authentication now (or for that
>> matter composite authentication) is to be prepared for the day when QC
>> exists and we are therefore unable to rely on classical
>> algorithms. However, it's not useful to be prepared in that fashion
>> unless the algorithm that you are deploying is the one that is
>> eventually selected, because otherwise you just have to start over
>> once the selection is made.
>> 
>> Moreover, in order to be truly prepared, what you need isn't
>> principally relying party deployment, but rather authenticating party
>> (in the case of the WebPKI, server-side) deployment. The reason for
>> this is that in the world where a QC exists, you don't have protection
>> until the relying party refuses to accept the classical credential
>> [0], and at present, any client which does so will effectively be
>> unable to communicate. And in order to make that happen, relying
>> parties will have to require a post-quantum algorithm (most likely as
>> a composite) and that's something I don't expect them to be willing to do
>> until there's widespread agreement on what that algorithm should be.
>> 
>> 
>> > If not now, when? After NIST crowns a winner? I don't see why it's
>> > necessary to wait that long given that the proposed solutions are
>> > algorithm-independent. And since the standardization process takes a
>> > while, won't waiting until then mean that there won't be a standard
>> > until after it's needed?
>> 
>> No, i don't think so.
>> 
>> For the reasons above, ISTM that real deployment will have to wait
>> until we have a selected algorithm. One could, as you suggest, deploy
>> some sort of multi-algorithm container, but IMO we will be far better
>> off just deploying new composite algorithms as if the were single
>> new algorithms, in the same way as we have done for key establishment.
>> 
>> For this reason, I think we ought to wait until there is a consensus
>> PQ signature algorithm, at least for the WebPKI.
>> 
>> -Ekr
>> 
>> [0] This is why this kind of composite isn't helpful in the world
>> where a secret QC exists not.
>> 
>> 
>> _______________________________________________
>> Secdispatch mailing list
>> Secdispatch@ietf.org <mailto:Secdispatch@ietf.org>
>> https://www.ietf.org/mailman/listinfo/secdispatch <https://www.ietf.org/mailman/listinfo/secdispatch>