IETF Logo Mail Archive

Re: [lamps] [EXTERNAL] Re: FYI: New Version Notification for draft-housley-lamps-cms-sphincs-plus-00.txt

Russ Housley <housley@vigilsec.com> Tue, 06 September 2022 15:08 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 88811C1526E1 for <spasm@ietfa.amsl.com>; Tue, 6 Sep 2022 08:08:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.806
X-Spam-Level:
X-Spam-Status: No, score=-1.806 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KX4BOvi21gQh for <spasm@ietfa.amsl.com>; Tue, 6 Sep 2022 08:08:37 -0700 (PDT)
Received: from mail3.g24.pair.com (mail3.g24.pair.com [66.39.134.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E6D8EC147924 for <spasm@ietf.org>; Tue, 6 Sep 2022 08:07:29 -0700 (PDT)
Received: from mail3.g24.pair.com (localhost [127.0.0.1]) by mail3.g24.pair.com (Postfix) with ESMTP id C82511A7C6C; Tue, 6 Sep 2022 11:07:28 -0400 (EDT)
Received: from [10.0.1.2] (pfs.iad.rg.net [198.180.150.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail3.g24.pair.com (Postfix) with ESMTPSA id 771B61A7E29; Tue, 6 Sep 2022 11:07:28 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <0E8E6E3E-5DF5-4900-9AF2-649C0D39DA4C@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_F0BDAFC5-CB2C-4EE4-9175-A20D05C8DCF9"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
Date: Tue, 06 Sep 2022 11:07:27 -0400
In-Reply-To: <CH0PR11MB573904763796ED02FAFBD6429F7E9@CH0PR11MB5739.namprd11.prod.outlook.com>
Cc: LAMPS <spasm@ietf.org>
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>
References: <166093755880.14050.354126874269583313@ietfa.amsl.com> <5B780BF2-A5AE-4B6E-AC19-E8BBDB60EB5C@vigilsec.com> <CH0PR11MB5739956DEAB4C7E4FB14A25B9F6C9@CH0PR11MB5739.namprd11.prod.outlook.com> <CH0PR11MB573981EFAE5F1E79FAE11F109F6C9@CH0PR11MB5739.namprd11.prod.outlook.com> <43AE9BB6-E1C9-4837-8957-A5E6CD9B3C51@vigilsec.com> <CH0PR11MB573904763796ED02FAFBD6429F7E9@CH0PR11MB5739.namprd11.prod.outlook.com>
X-Mailer: Apple Mail (2.3445.104.21)
X-Scanned-By: mailmunge 3.09 on 66.39.134.11
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/4s30aJS8euv-4utoHjoStRcdUu4>
Subject: Re: [lamps] [EXTERNAL] Re: FYI: New Version Notification for draft-housley-lamps-cms-sphincs-plus-00.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Sep 2022 15:08:39 -0000

Mike:

It will be much easier to generate an example once the object identifiers are assigned.  I could use placeholder values, but I would rather avoid anyone using them.

Russ


> On Sep 6, 2022, at 10:43 AM, Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org> wrote:
> 
> Awesome.
>  
> My remaining question is whether you are planning to include samples as an appendix?
>  
> ---
> Mike Ounsworth
>  
> From: Russ Housley <housley@vigilsec.com <mailto:housley@vigilsec.com>> 
> Sent: September 3, 2022 3:39 PM
> To: Mike Ounsworth <Mike.Ounsworth@entrust.com <mailto:Mike.Ounsworth@entrust.com>>
> Cc: LAMPS <spasm@ietf.org <mailto:spasm@ietf.org>>
> Subject: [EXTERNAL] Re: [lamps] FYI: New Version Notification for draft-housley-lamps-cms-sphincs-plus-00.txt
>  
> WARNING: This email originated outside of Entrust.
> DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.
> Hi Mike.
>  
> I just posted -01 to address your comments.  Thanks for the careful review.
>  
> Russ
>  
>  
> From: Spasm <spasm-bounces@ietf.org <mailto:spasm-bounces@ietf.org>> on behalf of Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org <mailto:Mike.Ounsworth=40entrust.com@dmarc.ietf.org>>
> Sent: Friday, August 19, 2022 4:35:23 PM
> To: Russ Housley <housley@vigilsec.com <mailto:housley@vigilsec.com>>; LAMPS <spasm@ietf.org <mailto:spasm@ietf.org>>
> Subject: Re: [lamps] [EXTERNAL] FYI: New Version Notification for draft-housley-lamps-cms-sphincs-plus-00.txt
>  
> I support this document. Here is my review:
> 
> 
> 1.
> Section 2: " The corresponding FIPS public keys are the leaves in k binary trees." Is that a typo? What does the Federal Information Processing Standards have to do with these leaf nodes?
> 
> 2.
> The "WOTS+" acronym should probably be expanded.
> 
> 3.
> The paragraph starting "A SPHINCS+ signature consists of..." is likely rather confusing to someone not already an expert in this. Perhaps some ascii art depicting both the subtree relationships, as well as showing which nodes are involved in a given signature would be illustrative?
> 
> 
> 4.
> The intro paragraph of section 3 says "The AlgorithmIdentifier for an SPHINCS+ public key uses *the* id-alg-sphincs-plus object identifier" ... emphasis on "*THE* id-alg-sphincs-plus OID", implying there's a single one, but in the ASN.1 definitions you have:
> 
>    IDENTIFIER id-alg-sphincs-plus-128
>    IDENTIFIER id-alg-sphincs-plus-192
>    IDENTIFIER id-alg-sphincs-plus-256
> 
> I assume the opening paragraph should read "... uses one of the id-alg-sphincs-plus-* object identifiers"?
> 
> 
> 5.
> I see the asn.1 module has the above OIDs as TBDs; I assume they will eventually cross-reference NIST-assigned OIDs?
> 
> Can I request you stick in temporary OIDs for now for interoperable prototyping?
> 
> 
> 6.
> 
>   "The SPHINCS+ public key value is an OCTET STRING.  (Should we say something more here about the size?)"
> 
> I vote "No", but you should include an appendix with a PEM-encoded pub key, priv key, and signature over the string "The quick brown fox jumps over... you know what" (nod to OQS [footnote1]) for each security level; size can be inferred from the sample data.
> 
> 7.
> Section 4:
> 
>   "   IF (signed attributes are absent)
>       THEN SPHINCS+_Sign(content)
>       ELSE message-digest attribute = Hash(content);
>            SPHINCS+_Sign(DER(SignedAttributes)) "
> 
> Naïve question: is this business of what string you're actually signing not already covered by the CMS spec? Seems a bit odd to have protocol logic in an algorithm spec.
> 
> 
> 8.
> Section 5:
> 
>   " Along with the private key, the implementation MUST keep track of which leaf nodes in the tree have been used.  Loss of integrity of this tracking data can cause a one-time key to be used more than once.  As a result, when a private key and the tracking data are stored on non-volatile media ..."
> 
> 
> Uhh, that seems copy/pasted from a stateful HBS draft, isn't the whole point of SPHICS+ that that not be the case?
> 
> 
> 9.
> Section 5:
> 
>    "A SPHINCS+ tree MUST NOT be used for more than 2^64 signing operations."
> 
> This sentence probably needs expanding; horizontally-scaled instances using copies of the same keys, or backup-and-restore scenarios are gonna make it super annoying to track how many signatures a given key has performed. Needing a centralized usage counter pretty much kills scalability; and requires disaster recovery sites to have unique keys from the primary site.
> 
> Granted, 2^64 is _a lot_, and if you're building a system that's gonna have anywhere near that amount of throughput, then you probably have bigger scalability issues to solve first. Most people will never be anywhere close to 2^64 signatures and are safe to completely ignore this security consideration.
> 
> 
> 
> [Footnote1]: https://urldefense.com/v3/__https://github.com/open-quantum-safe/oqs-provider/blob/b159e4fe659e2d9e57a30435f9d8f5ab11533597/test/oqs_test_signatures.c*L41__;Iw!!FJ-Y8qCqXTj2!fNFjxVSsqGkSgYlxqE25xP6M8hjJgUwUyz3f1c3lFmbxt-CsTRZu5keK-Oqpek1dsyh4hW_sqyYZfCo3eVFmYM3ICkCoTdHLn1Q1ookb1w$ <https://urldefense.com/v3/__https:/github.com/open-quantum-safe/oqs-provider/blob/b159e4fe659e2d9e57a30435f9d8f5ab11533597/test/oqs_test_signatures.c*L41__;Iw!!FJ-Y8qCqXTj2!fNFjxVSsqGkSgYlxqE25xP6M8hjJgUwUyz3f1c3lFmbxt-CsTRZu5keK-Oqpek1dsyh4hW_sqyYZfCo3eVFmYM3ICkCoTdHLn1Q1ookb1w$>  
> ---
> Mike Ounsworth
> 
> -----Original Message-----
> From: Spasm <spasm-bounces@ietf.org <mailto:spasm-bounces@ietf.org>> On Behalf Of Russ Housley
> Sent: August 19, 2022 2:35 PM
> To: LAMPS <spasm@ietf.org <mailto:spasm@ietf.org>>
> Subject: [EXTERNAL] [lamps] FYI: New Version Notification for draft-housley-lamps-cms-sphincs-plus-00.txt
> 
> WARNING: This email originated outside of Entrust.
> DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.
> 
> ______________________________________________________________________
> 
> A new version of I-D, draft-housley-lamps-cms-sphincs-plus-00.txt
> has been successfully submitted by Russ Housley and posted to the IETF repository.
> 
> Name:           draft-housley-lamps-cms-sphincs-plus
> Revision:       00
> Title:          Use of the SPHINCS+ Signature Algorithm in the Cryptographic Message Syntax (CMS)
> Document date:  2022-08-19
> Group:          Individual Submission
> Pages:          11
> URL:            https://urldefense.com/v3/__https://www.ietf.org/archive/id/draft-housley-lamps-cms-sphincs-plus-00.txt__;!!FJ-Y8qCqXTj2!aqZazqUu1skhae2xlUOrC2SFN3zLh0XQHO3U7OGsZsUEV1iZg0cyf4KxvEn2lIeKq3F6Lf_4BrQg-pRPz3haAJ84GYsN$ <https://urldefense.com/v3/__https:/www.ietf.org/archive/id/draft-housley-lamps-cms-sphincs-plus-00.txt__;!!FJ-Y8qCqXTj2!aqZazqUu1skhae2xlUOrC2SFN3zLh0XQHO3U7OGsZsUEV1iZg0cyf4KxvEn2lIeKq3F6Lf_4BrQg-pRPz3haAJ84GYsN$>
> Status:         https://urldefense.com/v3/__https://datatracker.ietf.org/doc/draft-housley-lamps-cms-sphincs-plus/__;!!FJ-Y8qCqXTj2!aqZazqUu1skhae2xlUOrC2SFN3zLh0XQHO3U7OGsZsUEV1iZg0cyf4KxvEn2lIeKq3F6Lf_4BrQg-pRPz3haAAqcmAJ0$ <https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/draft-housley-lamps-cms-sphincs-plus/__;!!FJ-Y8qCqXTj2!aqZazqUu1skhae2xlUOrC2SFN3zLh0XQHO3U7OGsZsUEV1iZg0cyf4KxvEn2lIeKq3F6Lf_4BrQg-pRPz3haAAqcmAJ0$>
> Html:           https://urldefense.com/v3/__https://www.ietf.org/archive/id/draft-housley-lamps-cms-sphincs-plus-00.html__;!!FJ-Y8qCqXTj2!aqZazqUu1skhae2xlUOrC2SFN3zLh0XQHO3U7OGsZsUEV1iZg0cyf4KxvEn2lIeKq3F6Lf_4BrQg-pRPz3haAGRbuc3g$ <https://urldefense.com/v3/__https:/www.ietf.org/archive/id/draft-housley-lamps-cms-sphincs-plus-00.html__;!!FJ-Y8qCqXTj2!aqZazqUu1skhae2xlUOrC2SFN3zLh0XQHO3U7OGsZsUEV1iZg0cyf4KxvEn2lIeKq3F6Lf_4BrQg-pRPz3haAGRbuc3g$>
> Htmlized:       https://urldefense.com/v3/__https://datatracker.ietf.org/doc/html/draft-housley-lamps-cms-sphincs-plus__;!!FJ-Y8qCqXTj2!aqZazqUu1skhae2xlUOrC2SFN3zLh0XQHO3U7OGsZsUEV1iZg0cyf4KxvEn2lIeKq3F6Lf_4BrQg-pRPz3haAHRh0nHN$ <https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/html/draft-housley-lamps-cms-sphincs-plus__;!!FJ-Y8qCqXTj2!aqZazqUu1skhae2xlUOrC2SFN3zLh0XQHO3U7OGsZsUEV1iZg0cyf4KxvEn2lIeKq3F6Lf_4BrQg-pRPz3haAHRh0nHN$>
> 
> 
> Abstract:
>   SPHINCS+ is a stateless hash-based signature scheme.  This document
>   specifies the conventions for using the SPHINCS+ stateless hash-based
>   signature algorithm with the Cryptographic Message Syntax (CMS).  In
>   addition, the algorithm identifier and public key syntax are
>   provided.
> 
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org <mailto:Spasm@ietf.org>
> https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/spasm__;!!FJ-Y8qCqXTj2!aqZazqUu1skhae2xlUOrC2SFN3zLh0XQHO3U7OGsZsUEV1iZg0cyf4KxvEn2lIeKq3F6Lf_4BrQg-pRPz3haACt-2oqH$ <https://urldefense.com/v3/__https:/www.ietf.org/mailman/listinfo/spasm__;!!FJ-Y8qCqXTj2!aqZazqUu1skhae2xlUOrC2SFN3zLh0XQHO3U7OGsZsUEV1iZg0cyf4KxvEn2lIeKq3F6Lf_4BrQg-pRPz3haACt-2oqH$>
> Any email and files/attachments transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.
> 
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org <mailto:Spasm@ietf.org>
> https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/spasm__;!!FJ-Y8qCqXTj2!fNFjxVSsqGkSgYlxqE25xP6M8hjJgUwUyz3f1c3lFmbxt-CsTRZu5keK-Oqpek1dsyh4hW_sqyYZfCo3eVFmYM3ICkCoTdHLn1SnKI0s3g$ <https://urldefense.com/v3/__https:/www.ietf.org/mailman/listinfo/spasm__;!!FJ-Y8qCqXTj2!fNFjxVSsqGkSgYlxqE25xP6M8hjJgUwUyz3f1c3lFmbxt-CsTRZu5keK-Oqpek1dsyh4hW_sqyYZfCo3eVFmYM3ICkCoTdHLn1SnKI0s3g$> 
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org <mailto:Spasm@ietf.org>
> https://www.ietf.org/mailman/listinfo/spasm <https://urldefense.com/v3/__https:/www.ietf.org/mailman/listinfo/spasm__;!!FJ-Y8qCqXTj2!cc7YJMfMb2I4zYvR9FdhJBMhhzE-58A48nGP-mKW-T3gePOhHsyi2wpymzssZP_84b_gDiltt6EnNJGF3GD0QA$>_______________________________________________
> Spasm mailing list
> Spasm@ietf.org <mailto:Spasm@ietf.org>
> https://www.ietf.org/mailman/listinfo/spasm <https://www.ietf.org/mailman/listinfo/spasm>

v2.36.0 | Report a Bug | By Email | System Status