Re: [lamps] Current efforts in the direction of draft-truskovsky-lamps-pq-hybrid-x509?

Tim Hollebeek <tim.hollebeek@digicert.com> Tue, 18 July 2023 16:35 UTC

From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Carl Wallace <carl@redhoundsoftware.com>, Iyán Méndez Veiga <imendez@ethz.ch>, "spasm@ietf.org" <spasm@ietf.org>
Thread-Topic: [lamps] Current efforts in the direction of draft-truskovsky-lamps-pq-hybrid-x509?
Thread-Index: AQHZsNxDuVT0Ea78tUayHa/gLB9qO6+uk5AAgBDgEwCAADySgA==
Date: Tue, 18 Jul 2023 16:35:40 +0000
Message-ID: <SN7PR14MB649225671ADAC19CDE1373BC8338A@SN7PR14MB6492.namprd14.prod.outlook.com>
References: <7857448.9X9Kdy9spX@thinkpad> <SN7PR14MB6492131663B6004B89B4E525832DA@SN7PR14MB6492.namprd14.prod.outlook.com> <9F3C6BB7-6F4C-4B69-B77A-A7BE14DBB5AC@redhoundsoftware.com>
In-Reply-To: <9F3C6BB7-6F4C-4B69-B77A-A7BE14DBB5AC@redhoundsoftware.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/02eJzD2rDtSuizCAcBgxNu-TSyQ>

Yes, I was restricting my certificate management discussion to the customer
side, which is where the problems tend to be.  But your point is very valid,
and I'll try to keep that nuance in mind when explaining it in the future.

There is a bit of trickiness on the CA when issuing these, and that will need 
to be carefully analyzed and standardized.

It's interesting to think about, because the complications are not that different
from the ones we've already discussed in relation to the multicert drafts.  For
example, is it a good idea for a CA to issue a chameleon cert with an extension
that allows it to transform into a completely different certificate issued by
a completely different certification authority?  That's technically possible,
but perhaps has dangerous implications.  There are still lots of fun things to
think about in the Chameleon space.

And I like the dehydrated term 😊

-Tim

> -----Original Message-----
> From: Carl Wallace <carl@redhoundsoftware.com>
> Sent: Tuesday, July 18, 2023 7:26 AM
> To: Tim Hollebeek <tim.hollebeek@digicert.com>; Iyán Méndez Veiga
> <imendez@ethz.ch>; spasm@ietf.org
> Subject: Re: [lamps] Current efforts in the direction of draft-truskovsky-lamps-
> pq-hybrid-x509?
> 
> Inline...
> 
> On 7/7/23, 1:57 PM, "Spasm on behalf of Tim Hollebeek" <spasm-
> bounces@ietf.org <mailto:spasm-bounces@ietf.org> on behalf of
> tim.hollebeek=40digicert.com@dmarc.ietf.org
> <mailto:40digicert.com@dmarc.ietf.org>> wrote:
> 
> 
> <large snip>
> Using chameleon certs is a clever idea that allows a single certificate to be
> managed, but allows each component of the pair to be used individually.
> 
> [CW] There are still two certificates to manage (at least from the CA
> perspective), it's just that one of certs has been dehydrated (for lack of a
> better word) and placed inside of another one.
> 
>
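The "dehydrated certificate inside another certificate" idea discussed above, as an added example that is not part of this thread and not the ASN.1 encoding defined by the chameleon-certs draft: certificates are modelled as plain dicts of named fields, the delta descriptor is a hypothetical structure that carries only the fields in which the delta certificate differs from the base, and all key, signature and name values are constructed placeholders. The `rehydrate` function also shows the policy check Tim's question points at, refusing by default a descriptor that would turn the base into a certificate from a different issuer.

```python
"""Simplified model of a chameleon (base + delta) certificate.

Added example: not the draft's ASN.1 structures. A certificate is a dict of
TBSCertificate-like fields; the descriptor holds only the differing fields.
"""
from dataclasses import dataclass, field
from typing import Any, Dict

# Name of the base-certificate extension that carries the dehydrated delta.
DCD_EXT = "deltaCertificateDescriptor"

# Fields the descriptor may replace (constructed list; serialNumber and
# signatureValue are always carried explicitly by the descriptor).
OVERRIDABLE = ("signatureAlgorithm", "issuer", "validity", "subject",
               "subjectPublicKeyInfo", "extensions")


@dataclass
class DeltaDescriptor:
    """Hypothetical descriptor: what is needed to rebuild the delta cert."""
    serial_number: int
    signature_value: bytes
    overrides: Dict[str, Any] = field(default_factory=dict)


def _without_descriptor(cert: dict) -> dict:
    """Copy of cert with the descriptor extension removed."""
    out = dict(cert)
    out["extensions"] = {n: v for n, v in cert.get("extensions", {}).items()
                         if n != DCD_EXT}
    return out


def dehydrate(base: dict, delta: dict) -> DeltaDescriptor:
    """Build a descriptor holding only what differs from the base certificate."""
    ref = _without_descriptor(base)
    overrides = {k: delta[k] for k in OVERRIDABLE if delta.get(k) != ref.get(k)}
    return DeltaDescriptor(delta["serialNumber"], delta["signatureValue"], overrides)


def embed(base: dict, desc: DeltaDescriptor) -> dict:
    """Place the descriptor into the base certificate's extensions."""
    out = dict(base)
    out["extensions"] = {**base.get("extensions", {}), DCD_EXT: desc}
    return out


def descriptor_changes_issuer(chameleon: dict) -> bool:
    """True if the embedded descriptor would yield a cert from another issuer."""
    return "issuer" in chameleon["extensions"][DCD_EXT].overrides


def rehydrate(chameleon: dict, allow_cross_issuer: bool = False) -> dict:
    """Reconstruct the delta certificate from the base plus its descriptor.

    By default a descriptor that replaces the issuer is rejected, so a base
    certificate cannot silently transform into one from a different CA.
    """
    desc: DeltaDescriptor = chameleon["extensions"][DCD_EXT]
    if "issuer" in desc.overrides and not allow_cross_issuer:
        raise ValueError("delta certificate would have a different issuer")
    cert = _without_descriptor(chameleon)      # base fields minus the descriptor
    cert.update(desc.overrides)                # apply the differing fields
    cert["serialNumber"] = desc.serial_number
    cert["signatureValue"] = desc.signature_value
    return cert


# Constructed sample: an ECDSA base certificate and an ML-DSA delta that
# shares issuer, subject and validity with it. All values are placeholders.
BASE = {
    "serialNumber": 1001,
    "signatureAlgorithm": "ecdsa-with-SHA256",
    "issuer": "CN=Example CA",
    "validity": ("2023-07-18", "2024-07-18"),
    "subject": "CN=example.test",
    "subjectPublicKeyInfo": "EC-P256:<constructed placeholder>",
    "extensions": {"keyUsage": "digitalSignature"},
    "signatureValue": b"base-signature-placeholder",
}
DELTA = {**BASE,
         "serialNumber": 1002,
         "signatureAlgorithm": "ML-DSA-65",
         "subjectPublicKeyInfo": "ML-DSA-65:<constructed placeholder>",
         "signatureValue": b"delta-signature-placeholder"}


if __name__ == "__main__":
    chameleon = embed(BASE, dehydrate(BASE, DELTA))
    print("descriptor overrides:", sorted(chameleon["extensions"][DCD_EXT].overrides))
    print("round trip ok:", rehydrate(chameleon) == DELTA)
```

Only the fields that actually differ (here the signature algorithm and the public key) travel in the descriptor, which is why the delta is "dehydrated" rather than simply embedded whole; the issuer check is one place where the CA-side and relying-party-side rules the thread mentions would need to be pinned down.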