[lamps] Re: WG Last Call: draft-ietf-lamps-pq-composite-sigs-08 (Ends 2025-10-06)

Falko Strenzke <falko.strenzke@mtg.de> Fri, 26 September 2025 06:06 UTC

To: Russ Housley <housley@vigilsec.com>
From: Falko Strenzke <falko.strenzke@mtg.de>
Organization: MTG AG
List-Id: This is the mail list for the LAMPS Working Group <spasm.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/1eP1lPYjqDduIRCMyn1zTVH88gw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm>

Hi Russ,

On 24.09.25 at 17:21, Russ Housley wrote:
> Falko:
>
>> ## Strong Non-Separability for X.509 and CMS
>>
>> I claim that Strong Non-Separability (SNS) is naturally fulfilled for 
>> X.509 certificates and CRLs by a straightforward parallel combiner. 
>> This is due to the fact that both these data structures contain the 
>> signature algorithm identifier within the signed data. RFC 5280 
>> requires these signature algorithm identifiers within the signed 
>> data to be equal to their copy outside the signed data [1]. This 
>> means that a stripping attack is naturally prevented since removing 
>> one signature requires changing the signed algorithm identifier and 
>> thus invalidates the remaining signature.
>>
>> It should be noted that the chosen construction in the draft thus, 
>> for the case of X.509 when component keys are reused as standalone 
>> keys, unnecessarily weakens the security features since an attacker 
>> can, through a stripping attack, produce new validly signed 
>> artifacts, namely by rendering the signed data as M'. This amounts to 
>> a violation of EUF-CMA under consideration of cross-algorithm attacks 
>> (composite and component algorithm). Whereas the straightforward 
>> parallel combiner doesn't allow this or any other kind of stripping 
>> attack.
>>
>> For CMS the case is different, as there is no mechanism that 
>> naturally prevents stripping attacks. Here it would be possible to 
>> achieve SNS by specifying a new Signed Attribute that contains the 
>> signature algorithm identifier and is made a mandatory Signed 
>> Attribute in a protocol.
>
> The attribute defined in Section 5 of RFC 2634 binds the certificate 
> of the signer into CMS signature.  It is not a mandatory attribute, 
> but when it is used, it should provide the protection that you seek. 
> Of course, a simpler attribute could be defined in the future.

Thanks for the pointer. This attribute would solve the problem indeed. 
(I want to remind us all that we are talking about theoretical things 
here, since the proposed signature combiner breaks the properties that 
could be achieved with this approach.)

Falko

>
> Russ
>
>
-- 

*MTG AG*
Dr. Falko Strenzke

Phone: +49 6151 8000 24
E-Mail: falko.strenzke@mtg.de
Web: mtg.de <https://www.mtg.de>

------------------------------------------------------------------------

MTG AG - Dolivostr. 11 - 64293 Darmstadt, Germany
Commercial register: HRB 8901
Register Court: Amtsgericht Darmstadt
Management Board: Jürgen Ruf (CEO), Tamer Kemeröz
Chairman of the Supervisory Board: Dr. Thomas Milde

This email may contain confidential and/or privileged information. If 
you are not the correct recipient or have received this email in error,
please inform the sender immediately and delete this email. Unauthorised 
copying or distribution of this email is not permitted.

Data protection information: Privacy policy 
<https://www.mtg.de/en/privacy-policy>
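The stripping argument in the message above, worked through as an added model (this is example code written for this page, not code from the draft, from MTG or from anyone on the thread). It contrasts the two combiners Falko describes: a straightforward parallel combiner in which both component algorithms sign the X.509 TBS bytes that carry the composite algorithm identifier, and a combiner that signs a derived message M' (domain separator, context and a hash of M, a simplified shape rather than the draft's exact byte layout). Public-key signatures are modelled with a keyed MAC so the block runs on the standard library alone; the component key names, the composite identifier string and the TBS fields are all constructed for the model.

```python
import hashlib
import hmac
import json

# Constructed component keys. A keyed MAC stands in for each public-key
# component (ML-DSA and ECDSA) so the block runs with the standard library;
# this is a modelling assumption, not real signature code.
K_MLDSA = b"toy-ml-dsa-component-key"
K_ECDSA = b"toy-ecdsa-component-key"
COMPOSITE_ALG = "MLDSA65-ECDSA-P256"   # hypothetical identifier for the model


def sign(key: bytes, alg: str, msg: bytes) -> bytes:
    """Toy signature: MAC over (algorithm, message). Binding the algorithm
    name models the fact that a real component signature only verifies
    under its own algorithm."""
    return hmac.new(key, alg.encode() + b"\x00" + msg, hashlib.sha256).digest()


def verify(key: bytes, alg: str, msg: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, alg, msg), sig)


def tbs_bytes(tbs: dict) -> bytes:
    """Canonical encoding standing in for DER(TBSCertificate)."""
    return json.dumps(tbs, sort_keys=True).encode()


def make_tbs(alg: str) -> dict:
    # RFC 5280: TBSCertificate.signature carries the algorithm identifier
    return {"subject": "CN=example", "validity": "2025", "signature": alg}


# --- 1. straightforward parallel combiner: both components sign DER(TBS) ---

def parallel_sign(tbs: dict) -> dict:
    m = tbs_bytes(tbs)
    return {"tbs": tbs, "alg": COMPOSITE_ALG,
            "sig": (sign(K_MLDSA, "ML-DSA", m), sign(K_ECDSA, "ECDSA", m))}


def parallel_verify(cert: dict) -> bool:
    if cert["alg"] != cert["tbs"]["signature"]:   # RFC 5280 inner/outer check
        return False
    m = tbs_bytes(cert["tbs"])
    s1, s2 = cert["sig"]
    return verify(K_MLDSA, "ML-DSA", m, s1) and verify(K_ECDSA, "ECDSA", m, s2)


def standalone_ecdsa_cert_verify(cert: dict) -> bool:
    """Verifier that only knows the reused ECDSA key as a standalone key."""
    if cert["alg"] != "ECDSA" or cert["tbs"]["signature"] != "ECDSA":
        return False
    return verify(K_ECDSA, "ECDSA", tbs_bytes(cert["tbs"]), cert["sig"])


def strip_parallel(cert: dict) -> tuple:
    """Attacker keeps only the ECDSA component and relabels the certificate.
    Returns (naive attempt verifies?, attempt with inner id rewritten verifies?)."""
    s2 = cert["sig"][1]
    naive = {"tbs": cert["tbs"], "alg": "ECDSA", "sig": s2}
    # the inner identifier must match too, but editing it changes the signed bytes
    relabelled_tbs = dict(cert["tbs"], signature="ECDSA")
    fixed = {"tbs": relabelled_tbs, "alg": "ECDSA", "sig": s2}
    return standalone_ecdsa_cert_verify(naive), standalone_ecdsa_cert_verify(fixed)


# --- 2. combiner over a derived message M' (simplified shape) ---
# Both components sign M' built from a domain separator, the context string
# and a hash of M. The draft's exact prefix/OID layout is not reproduced here;
# only the shape matters for the stripping argument.

def derive_m_prime(m: bytes, ctx: bytes = b"") -> bytes:
    return (b"Domain:" + COMPOSITE_ALG.encode() + bytes([len(ctx)]) + ctx
            + hashlib.sha512(m).digest())


def prehash_sign(tbs: dict) -> dict:
    mp = derive_m_prime(tbs_bytes(tbs))
    return {"tbs": tbs, "alg": COMPOSITE_ALG,
            "sig": (sign(K_MLDSA, "ML-DSA", mp), sign(K_ECDSA, "ECDSA", mp))}


def strip_prehash(cert: dict) -> bool:
    """Attacker presents the ECDSA component as a standalone signature over
    the opaque message M' under the reused ECDSA key. True means the
    standalone verifier accepts a message the key holder never signed alone."""
    mp = derive_m_prime(tbs_bytes(cert["tbs"]))
    return verify(K_ECDSA, "ECDSA", mp, cert["sig"][1])


if __name__ == "__main__":
    cert = parallel_sign(make_tbs(COMPOSITE_ALG))
    print("parallel composite verifies:", parallel_verify(cert))
    print("parallel stripping (naive, relabelled):", strip_parallel(cert))
    cert2 = prehash_sign(make_tbs(COMPOSITE_ALG))
    print("M' stripping yields standalone ECDSA acceptance:", strip_prehash(cert2))
```

In the parallel case both stripping attempts fail: the naive one trips the RFC 5280 inner/outer identifier check, and rewriting the inner identifier changes the signed bytes so the kept component no longer verifies. In the M' case the extracted component is a valid standalone signature over M' under the reused key, which is the cross-algorithm forgery the message describes; whether that M' is useful to an attacker depends on what the standalone key is otherwise used to sign, which is why the thread treats it as a theoretical weakening rather than a practical break.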