Re: [lamps] PQ-composite OR or K-of-N logic
"Kampanakis, Panos" <kpanos@amazon.com> Wed, 27 April 2022 14:13 UTC
Return-Path: <prvs=109a7e904=kpanos@amazon.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4723EC26E2AA for <spasm@ietfa.amsl.com>; Wed, 27 Apr 2022 07:13:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.172
X-Spam-Level:
X-Spam-Status: No, score=-10.172 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.575, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazon.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7seaJy36J52k for <spasm@ietfa.amsl.com>; Wed, 27 Apr 2022 07:13:49 -0700 (PDT)
Received: from smtp-fw-9102.amazon.com (smtp-fw-9102.amazon.com [207.171.184.29]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4121CC1594B3 for <spasm@ietf.org>; Wed, 27 Apr 2022 07:13:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1651068829; x=1682604829; h=from:to:cc:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version:subject; bh=QGG+64JCIaSEqiX6G+uyysQKp9MihTym5FdrYOMvHMw=; b=Y+43iP9L4LPErchSCuZDzfeqIh5gsCaJHasI8VJ1M56ClLXNUqG8Hsvv ZHedhLiaGpwltmBZYW41zbpIMLswRqlGNlgUwoeXqXO0nj+DY0fDhPbfA iBMpVR2QPEmHb/QegnPC70kEESfuA4ktykax5znX8K9DP6Zs5S6wWocvH w=;
X-IronPort-AV: E=Sophos;i="5.90,293,1643673600"; d="scan'208";a="214384045"
Thread-Topic: [lamps] PQ-composite OR or K-of-N logic
Received: from pdx4-co-svc-p1-lb2-vlan3.amazon.com (HELO email-inbound-relay-pdx-2b-1f9d5b26.us-west-2.amazon.com) ([10.25.36.214]) by smtp-border-fw-9102.sea19.amazon.com with ESMTP; 27 Apr 2022 14:13:28 +0000
Received: from EX13MTAUWB001.ant.amazon.com (pdx1-ws-svc-p6-lb9-vlan3.pdx.amazon.com [10.236.137.198]) by email-inbound-relay-pdx-2b-1f9d5b26.us-west-2.amazon.com (Postfix) with ESMTPS id 75D1041756; Wed, 27 Apr 2022 14:13:28 +0000 (UTC)
Received: from EX13D01ANC001.ant.amazon.com (10.43.157.154) by EX13MTAUWB001.ant.amazon.com (10.43.161.207) with Microsoft SMTP Server (TLS) id 15.0.1497.32; Wed, 27 Apr 2022 14:13:27 +0000
Received: from EX13D01ANC003.ant.amazon.com (10.43.157.68) by EX13D01ANC001.ant.amazon.com (10.43.157.154) with Microsoft SMTP Server (TLS) id 15.0.1497.32; Wed, 27 Apr 2022 14:13:21 +0000
Received: from EX13D01ANC003.ant.amazon.com ([10.43.157.68]) by EX13D01ANC003.ant.amazon.com ([10.43.157.68]) with mapi id 15.00.1497.033; Wed, 27 Apr 2022 14:13:21 +0000
From: "Kampanakis, Panos" <kpanos@amazon.com>
To: Russ Housley <housley@vigilsec.com>, "\"Klaußner, Jan\"" <Jan.Klaussner@d-trust.net>
CC: LAMPS <spasm@ietf.org>
Thread-Index: AdhV9Rf0dKtEp6K7TUGSt7lMX+2VvwBPrrkAALeIHIAACrd0AAAAHXYA
Date: Wed, 27 Apr 2022 14:13:21 +0000
Message-ID: <6cff3100963349cb8399bbe853e2186f@EX13D01ANC003.ant.amazon.com>
References: <f2fb2b2459fe42818348838eb14cc2ac@EX13D01ANC003.ant.amazon.com> <1312273.1650733310@dooku> <ca18a6bf6cb74756ac942fb514c82d78@d-trust.net> <F24836DA-1304-4379-B91D-BBB4F012A888@vigilsec.com>
In-Reply-To: <F24836DA-1304-4379-B91D-BBB4F012A888@vigilsec.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.43.156.57]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/5GavL8nDG5_tGQ8YkHt_M4c2wD4>
Subject: Re: [lamps] PQ-composite OR or K-of-N logic
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Apr 2022 14:13:52 -0000
+1 to Russ' point about RFC4998. And to reiterate: > There would be an immediate need to reconfigure or update verifier/signing software not to use this algorithm anymore, but there is some more time to replace the algorithm in the PKI. > The k-of-n mode here is providing this agility and also the increased security of the AND mode, simply put. That does not need the signer to define the k-of-n logic. The signer will just create n signatures and put them in a composite one. The verifier will verify k-of-n and pass verification. No need for upgrades. And no need for the AND, OR, K-OF-N logic to be added in the composite signature or public key to complicate things. -----Original Message----- From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley Sent: Wednesday, April 27, 2022 9:44 AM To: "Klaußner, Jan" <Jan.Klaussner@d-trust.net> Cc: LAMPS <spasm@ietf.org> Subject: RE: [EXTERNAL][lamps] PQ-composite OR or K-of-N logic CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe. Jan: A notary is often used when a signature needs to be verifiable for many decades. RFC 4998 specifies the Evidence Record Syntax (ERS), which can be used to apply additional signatures by a notary. Russ > On Apr 27, 2022, at 4:36 AM, Klaußner, Jan <Jan.Klaussner@d-trust.net> wrote: > > Hi all, > > First I completely agree with Michaels view on verification policies. > Especially in open PKIs that are not under control of one company > there is a need to signal how verification should be done. > > On the question about use cases beside the PQ transition: We believe > there is a high probability that new algorithms are successfully > attacked during the next decades. > > Therefore we want establish some agility in an PKI to more easily > switch algorithms without an immediate PKI rollover. In our case we > are also talking about use cases for document signing or long term > encryption, where digital signatures need to be valid for longer > periods, sometimes up to 50 years. > > So in case one algorithm is broken, the documents still remain secure/valid. > There would be an immediate need to reconfigure or update > verifier/signing software not to use this algorithm anymore, but there > is some more time to replace the algorithm in the PKI. > Once again, this is even more important in an open PKI. > > The k-of-n mode here is providing this agility and also the increased > security of the AND mode, simply put. > > I hope our point is now more clear to the group > > Br > Jan >> -----Ursprüngliche Nachricht----- >> Von: Spasm <spasm-bounces@ietf.org> Im Auftrag von Michael Richardson >> Gesendet: Samstag, 23. April 2022 19:02 >> An: LAMPS <spasm@ietf.org> >> Betreff: Re: [lamps] PQ-composite OR or K-of-N logic >> >> >> I read through the list and the slides. I couldn't be at the meeting >> on Wednesday as I was travelling. >> >> The document starts off with: >> "Even after the migration period, it may be advantageous for an >> entity's cryptographic identity to be composed of multiple >> public-key > algorithms." >> >> Panos and a few others have complained that the document attempts to >> have signers tell verifiers what to do, and this should really a >> verifier > policy. >> Well, that would make a lot of sense for a CMS signature on your >> Mortgage, or your MUA verifying my email. >> >> But, signers REGULARLY tell verifiers what they've done and how to >> verify things, and that's in the context of Certificates. We have >> all these > policy >> OIDs, and CSPs, and Path Constraints, and ... These are all signals >> from > the >> signer to the verifier. The verifier can, of course, have a policy >> that > says that >> they ignore CSPs or Path Constraints, or... >> >> I guess that the k-of-n part was in the slides only, as it's not in >> the > document >> that I could see. >> >> I go back to the text I quoted above, and thinking about k-of-n. >> I'm thinking that if there are more uses for the Composite-Or and >> Composite-AND structures than *just* PQ transition, that the ROI on >> implementing them may be much higher. And thus the likelyhood that >> we'll discovery and fix bugs relating to the new constructs is much higher. >> >> I think that we can agree that the last thing we want is a widespread >> bug > in >> validation, at the point where we find it critical to transition. >> >> ps: I giggled when I read ~~~ BEGIN EDNOTE 10~~~ >> >> >> >> >> >> -- >> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works >> -= IPv6 IoT consulting =- >> >> > > _______________________________________________ > Spasm mailing list > Spasm@ietf.org > https://www.ietf.org/mailman/listinfo/spasm
- [lamps] PQ-composite OR or K-of-N logic Kampanakis, Panos
- Re: [lamps] PQ-composite OR or K-of-N logic Russ Housley
- Re: [lamps] [EXTERNAL] Re: PQ-composite OR or K-o… Russ Housley
- Re: [lamps] [EXTERNAL] Re: PQ-composite OR or K-o… Serge Mister
- Re: [lamps] PQ-composite OR or K-of-N logic Kampanakis, Panos
- Re: [lamps] PQ-composite OR or K-of-N logic Serge Mister
- Re: [lamps] PQ-composite OR or K-of-N logic Michael Richardson
- Re: [lamps] [EXTERNAL] Re: PQ-composite OR or K-o… Michael Richardson
- Re: [lamps] PQ-composite OR or K-of-N logic Kampanakis, Panos
- Re: [lamps] PQ-composite OR or K-of-N logic Kampanakis, Panos
- Re: [lamps] [EXTERNAL] Re: PQ-composite OR or K-o… Klaußner, Jan
- Re: [lamps] PQ-composite OR or K-of-N logic Klaußner, Jan
- Re: [lamps] PQ-composite OR or K-of-N logic Russ Housley
- Re: [lamps] [EXTERNAL] Re: PQ-composite OR or K-o… Mike Ounsworth
- Re: [lamps] [EXTERNAL] Re: PQ-composite OR or K-o… Blumenthal, Uri - 0553 - MITLL
- Re: [lamps] [EXTERNAL] Re: PQ-composite OR or K-o… Santosh Chokhani
- Re: [lamps] PQ-composite OR or K-of-N logic Kampanakis, Panos
- Re: [lamps] PQ-composite OR or K-of-N logic Kampanakis, Panos
- Re: [lamps] PQ-composite OR or K-of-N logic Carl Wallace
- Re: [lamps] PQ-composite OR or K-of-N logic Michael Richardson
- Re: [lamps] PQ-composite OR or K-of-N logic Michael Richardson
- Re: [lamps] [EXTERNAL] Re: PQ-composite OR or K-o… Mike Ounsworth
- Re: [lamps] [EXTERNAL] Re: PQ-composite OR or K-o… Santosh Chokhani
- Re: [lamps] PQ-composite OR or K-of-N logic Klaußner, Jan
- Re: [lamps] PQ-composite OR or K-of-N logic Michael Jenkins
- Re: [lamps] PQ-composite OR or K-of-N logic Klaußner, Jan
- Re: [lamps] PQ-composite OR or K-of-N logic Tadahiko Ito
- Re: [lamps] PQ-composite OR or K-of-N logic Kampanakis, Panos
- Re: [lamps] PQ-composite OR or K-of-N logic Russ Housley