Re: [lamps] Call for adoption of draft-becker-guthrie-cert-binding-for-multi-auth-02

Tomofumi Okubo <tomofumi.okubo@digicert.com> Tue, 31 January 2023 15:12 UTC

From: Tomofumi Okubo <tomofumi.okubo@digicert.com>
To: Seo Suchan <tjtncks@gmail.com>, Russ Housley <housley@vigilsec.com>, LAMPS <spasm@ietf.org>
Date: Tue, 31 Jan 2023 15:12:02 +0000
Message-ID: <CY8PR14MB612306E16FBC70206E3D0A90EAD09@CY8PR14MB6123.namprd14.prod.outlook.com>
References: <PH0PR00MB10003EC6A096FE0A363BBFB9F5459@PH0PR00MB1000.namprd00.prod.outlook.com> <PH0PR00MB10002A7A2850A1333B4F6C00F54A9@PH0PR00MB1000.namprd00.prod.outlook.com> <35BEB1D9-7EA5-4CD4-BADA-88CCB0E9E8F9@vigilsec.com> <6FB4E76C-0AFD-4D00-B0FC-63F244510530@vigilsec.com> <85c60b8b-72e2-5342-7ccb-d69b84d5444f@gmail.com>
In-Reply-To: <85c60b8b-72e2-5342-7ccb-d69b84d5444f@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/4RZYun3VRvMHs3T393tg2irmcuU>

This mechanism will facilitate the transition to PQC.
The precondition/hope is that it's still safe to use traditional algorithms while the transition happens.

If that is not the case, we have bigger issues at hand.

The idea is that the parallel usage of the traditional and PQC algorithm combination ceases at some point. What is important here is that we have a mechanism to support the transition.

Hope this helps.

Cheers,
Tomofumi
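As an added illustration of the backward-compatibility tension discussed in this thread (this is not code from the draft or from either author), the following simplified relying-party check models a classical certificate whose extension points at a related PQ certificate. It assumes the extension carries a SHA-256 hash of the related certificate's DER encoding, stands in constructed byte strings for real certificates, and does not model signature verification.

```python
# Added example: simplified relying-party policy for a classical certificate
# that carries a pointer (hash) to its related PQ certificate.
# Assumptions: the extension payload is SHA-256 over the related cert's DER;
# certificate contents below are constructed stand-ins, not real certificates.
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Cert:
    der: bytes                     # constructed stand-in for the DER-encoded certificate
    related_hash: Optional[bytes]  # relatedCertificate payload, None if the extension is absent


def cert_digest(cert: Cert) -> bytes:
    """Hash used to identify the related certificate (assumed SHA-256 over DER)."""
    return hashlib.sha256(cert.der).digest()


def bind(classical_der: bytes, pq_der: bytes) -> Tuple[Cert, Cert]:
    """Issue a classical cert whose extension points at the given PQ cert."""
    pq = Cert(der=pq_der, related_hash=None)
    classical = Cert(der=classical_der, related_hash=cert_digest(pq))
    return classical, pq


def verify_pair(classical: Cert, pq: Optional[Cert], require_binding: bool) -> Tuple[bool, str]:
    """Decide whether to accept a classical cert that may be bound to a PQ cert.

    require_binding=False is the backward-compatible mode: a cert without the
    extension is accepted on its classical signature alone, so a removed
    extension goes unnoticed. require_binding=True refuses that downgrade,
    at the cost of rejecting peers that have no PQ certificate yet.
    """
    if classical.related_hash is None:
        if require_binding:
            return False, "relatedCertificate extension missing (removed or never present)"
        return True, "accepted on the classical certificate alone"
    if pq is None:
        return False, "extension present but related certificate not supplied"
    if classical.related_hash != cert_digest(pq):
        return False, "related certificate hash mismatch"
    return True, "classical and PQ certificates are bound"


# Constructed sample: a legitimate pair plus two variants a relying party may see.
CLASSICAL, PQ = bind(b"classical-cert-der-example", b"pq-cert-der-example")
STRIPPED = Cert(der=CLASSICAL.der, related_hash=None)   # same cert, extension removed
OTHER_PQ = Cert(der=b"unrelated-pq-cert-der", related_hash=None)  # a PQ cert the pointer does not match

if __name__ == "__main__":
    for label, c, p in [("bound", CLASSICAL, PQ), ("stripped", STRIPPED, None), ("mismatch", CLASSICAL, OTHER_PQ)]:
        for strict in (False, True):
            ok, why = verify_pair(c, p, require_binding=strict)
            print(f"{label:9s} require_binding={strict!s:5s} -> {ok}: {why}")
```

The "stripped" case is the one the thread turns on: only a relying party that requires the binding rejects it, and that requirement is what breaks strict backward compatibility.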


________________________________
From: Spasm <spasm-bounces@ietf.org> on behalf of Seo Suchan <tjtncks@gmail.com>
Sent: Tuesday, January 31, 2023, 3:46 AM
To: Russ Housley <housley@vigilsec.com>; LAMPS <spasm@ietf.org>
Subject: Re: [lamps] Call for adoption of draft-becker-guthrie-cert-binding-for-multi-auth-02

Not sure how it can be used safely while staying backward compatible: if I want
this to be backward compatible, this would be an extension on the classical cert
that points to the PQ certificate; but if one is in a position to break the
protocol, why would one trust that this extension will point to anything
reasonable? For example, an attacker can point to another RSA certificate they
forged, or just strip this extension.

On 2023-01-06 at 8:01 AM, Russ Housley wrote:
> Do the changes that were made in -02 of the Internet-Draft resolve the concerns that were previously raised?
>
> On behalf of the LAMPS WG Chairs,
> Russ
>
>
>> On Sep 15, 2022, at 11:44 AM, Russ Housley <housley@vigilsec.com> wrote:
>>
>> There has been some discussion of https://datatracker.ietf.org/doc/draft-becker-guthrie-cert-binding-for-multi-auth/. During the discussion at IETF 114, we agreed to have a call for adoption of this document.
>>
>> Should the LAMPS WG adopt “Related Certificates for Use in Multiple Authentications within a Protocol” in draft-becker-guthrie-cert-binding-for-multi-auth-01?
>>
>> Please reply to this message by Friday, 30 September 2022 to voice your support or opposition to adoption.
>>
>> On behalf of the LAMPS WG Chairs,
>> Russ
>>

_______________________________________________
Spasm mailing list
Spasm@ietf.org
https://www.ietf.org/mailman/listinfo/spasm