IETF Logo Mail Archive

Re: [lamps] PQ-composite OR or K-of-N logic

"Kampanakis, Panos" <kpanos@amazon.com> Wed, 27 April 2022 14:13 UTC

Return-Path: <prvs=109a7e904=kpanos@amazon.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4723EC26E2AA for <spasm@ietfa.amsl.com>; Wed, 27 Apr 2022 07:13:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.172
X-Spam-Level:
X-Spam-Status: No, score=-10.172 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.575, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazon.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7seaJy36J52k for <spasm@ietfa.amsl.com>; Wed, 27 Apr 2022 07:13:49 -0700 (PDT)
Received: from smtp-fw-9102.amazon.com (smtp-fw-9102.amazon.com [207.171.184.29]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4121CC1594B3 for <spasm@ietf.org>; Wed, 27 Apr 2022 07:13:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1651068829; x=1682604829; h=from:to:cc:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version:subject; bh=QGG+64JCIaSEqiX6G+uyysQKp9MihTym5FdrYOMvHMw=; b=Y+43iP9L4LPErchSCuZDzfeqIh5gsCaJHasI8VJ1M56ClLXNUqG8Hsvv ZHedhLiaGpwltmBZYW41zbpIMLswRqlGNlgUwoeXqXO0nj+DY0fDhPbfA iBMpVR2QPEmHb/QegnPC70kEESfuA4ktykax5znX8K9DP6Zs5S6wWocvH w=;
X-IronPort-AV: E=Sophos;i="5.90,293,1643673600"; d="scan'208";a="214384045"
Thread-Topic: [lamps] PQ-composite OR or K-of-N logic
Received: from pdx4-co-svc-p1-lb2-vlan3.amazon.com (HELO email-inbound-relay-pdx-2b-1f9d5b26.us-west-2.amazon.com) ([10.25.36.214]) by smtp-border-fw-9102.sea19.amazon.com with ESMTP; 27 Apr 2022 14:13:28 +0000
Received: from EX13MTAUWB001.ant.amazon.com (pdx1-ws-svc-p6-lb9-vlan3.pdx.amazon.com [10.236.137.198]) by email-inbound-relay-pdx-2b-1f9d5b26.us-west-2.amazon.com (Postfix) with ESMTPS id 75D1041756; Wed, 27 Apr 2022 14:13:28 +0000 (UTC)
Received: from EX13D01ANC001.ant.amazon.com (10.43.157.154) by EX13MTAUWB001.ant.amazon.com (10.43.161.207) with Microsoft SMTP Server (TLS) id 15.0.1497.32; Wed, 27 Apr 2022 14:13:27 +0000
Received: from EX13D01ANC003.ant.amazon.com (10.43.157.68) by EX13D01ANC001.ant.amazon.com (10.43.157.154) with Microsoft SMTP Server (TLS) id 15.0.1497.32; Wed, 27 Apr 2022 14:13:21 +0000
Received: from EX13D01ANC003.ant.amazon.com ([10.43.157.68]) by EX13D01ANC003.ant.amazon.com ([10.43.157.68]) with mapi id 15.00.1497.033; Wed, 27 Apr 2022 14:13:21 +0000
From: "Kampanakis, Panos" <kpanos@amazon.com>
To: Russ Housley <housley@vigilsec.com>, "\"Klaußner, Jan\"" <Jan.Klaussner@d-trust.net>
CC: LAMPS <spasm@ietf.org>
Thread-Index: AdhV9Rf0dKtEp6K7TUGSt7lMX+2VvwBPrrkAALeIHIAACrd0AAAAHXYA
Date: Wed, 27 Apr 2022 14:13:21 +0000
Message-ID: <6cff3100963349cb8399bbe853e2186f@EX13D01ANC003.ant.amazon.com>
References: <f2fb2b2459fe42818348838eb14cc2ac@EX13D01ANC003.ant.amazon.com> <1312273.1650733310@dooku> <ca18a6bf6cb74756ac942fb514c82d78@d-trust.net> <F24836DA-1304-4379-B91D-BBB4F012A888@vigilsec.com>
In-Reply-To: <F24836DA-1304-4379-B91D-BBB4F012A888@vigilsec.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.43.156.57]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/5GavL8nDG5_tGQ8YkHt_M4c2wD4>
Subject: Re: [lamps] PQ-composite OR or K-of-N logic
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Apr 2022 14:13:52 -0000

+1 to Russ' point about RFC4998. 

And to reiterate: 

> There would be an immediate need to reconfigure or update verifier/signing software not to use this algorithm anymore, but there is some more time to replace the algorithm in the PKI.
> The k-of-n mode here is providing this agility and also the increased security of the AND mode, simply put.

That does not need the signer to define the k-of-n logic. The signer will just create n signatures and put them in a composite one. The verifier will verify k-of-n and pass verification. No need for upgrades. And no need for the AND, OR, K-OF-N logic to be added in the composite signature or public key to complicate things. 



-----Original Message-----
From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
Sent: Wednesday, April 27, 2022 9:44 AM
To: "Klaußner, Jan" <Jan.Klaussner@d-trust.net>
Cc: LAMPS <spasm@ietf.org>
Subject: RE: [EXTERNAL][lamps] PQ-composite OR or K-of-N logic

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.



Jan:

A notary is often used when a signature needs to be verifiable for many decades. RFC 4998 specifies the Evidence Record Syntax (ERS), which can be used to apply additional signatures by a notary.

Russ

> On Apr 27, 2022, at 4:36 AM, Klaußner, Jan <Jan.Klaussner@d-trust.net> wrote:
>
> Hi all,
>
> First I completely agree with Michaels view on verification policies.
> Especially in open PKIs that are not under control of one company 
> there is a need to signal how verification should be done.
>
> On the question about use cases beside the PQ transition: We believe 
> there is a high probability that new algorithms are successfully 
> attacked during the next decades.
>
> Therefore we want establish some agility in an PKI to more easily 
> switch algorithms without an immediate PKI rollover. In our case we 
> are also talking about use cases for document signing or long term 
> encryption, where digital signatures need to be valid for longer 
> periods, sometimes up to 50 years.
>
> So in case one algorithm is broken, the documents still remain secure/valid.
> There would be an immediate need to reconfigure or update 
> verifier/signing software not to use this algorithm anymore, but there 
> is some more time to replace the algorithm in the PKI.
> Once again, this is even more important in an open PKI.
>
> The k-of-n mode here is providing this agility and also the increased 
> security of the AND mode, simply put.
>
> I hope our point is now more clear to the group
>
> Br
> Jan
>> -----Ursprüngliche Nachricht-----
>> Von: Spasm <spasm-bounces@ietf.org> Im Auftrag von Michael Richardson
>> Gesendet: Samstag, 23. April 2022 19:02
>> An: LAMPS <spasm@ietf.org>
>> Betreff: Re: [lamps] PQ-composite OR or K-of-N logic
>>
>>
>> I read through the list and the slides.  I couldn't be at the meeting 
>> on Wednesday as I was travelling.
>>
>> The document starts off with:
>> "Even after the migration period, it may be advantageous for an 
>> entity's  cryptographic identity to be composed of multiple 
>> public-key
> algorithms."
>>
>> Panos and a few others have complained that the document attempts to 
>> have signers tell verifiers what to do, and this should really a 
>> verifier
> policy.
>> Well, that would make a lot of sense for a CMS signature on your 
>> Mortgage, or your MUA verifying my email.
>>
>> But, signers REGULARLY tell verifiers what they've done and how to 
>> verify things, and that's in the context of Certificates.  We have 
>> all these
> policy
>> OIDs, and CSPs, and Path Constraints, and ...  These are all signals 
>> from
> the
>> signer to the verifier.  The verifier can, of course, have a policy 
>> that
> says that
>> they ignore CSPs or Path Constraints, or...
>>
>> I guess that the k-of-n part was in the slides only, as it's not in 
>> the
> document
>> that I could see.
>>
>> I go back to the text I quoted above, and thinking about k-of-n.
>> I'm thinking that if there are more uses for the Composite-Or and 
>> Composite-AND structures than *just* PQ transition, that the ROI on 
>> implementing them may be much higher.  And thus the likelyhood that 
>> we'll discovery and fix bugs relating to the new constructs is much higher.
>>
>> I think that we can agree that the last thing we want is a widespread 
>> bug
> in
>> validation, at the point where we find it critical to transition.
>>
>> ps: I giggled when I read ~~~ BEGIN EDNOTE 10~~~
>>
>>
>>
>>
>>
>> --
>> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works 
>> -= IPv6 IoT consulting =-
>>
>>
>
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm

v2.23.0 | Report a Bug | By Email