Re: [lamps] Can ML-DSA be used in CMS?

Mike Ounsworth <Mike.Ounsworth@entrust.com> Wed, 14 February 2024 17:40 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/6ULXxJ2Fu0p9aPDTDhGpLWSxcxg>

Hi Panos,

 

Right. Ok. So then someone needs to start a “draft-xxxx-lamps-cms-dilithium” that parallels draft-ietf-lamps-cms-kyber.

 

I can add that to my TODO list, unless someone else gets to it first.

 

---

Mike Ounsworth

 

From: Kampanakis, Panos <kpanos=40amazon.com@dmarc.ietf.org> 
Sent: Tuesday, February 13, 2024 9:08 PM
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>; draft-ietf-lamps-dilithium-certificates@ietf.org
Cc: 'LAMPS' <spasm@ietf.org>
Subject: [EXTERNAL] RE: [lamps] Can ML-DSA be used in CMS?

 

Hi Mike,

 

We could consider doing all ML-DSA in CMS and X.509 in one draft, but personally I would rather we kept them separate like we did with SHAKEs in CMS (rfc8702) and X.509 (rfc8692) or with EdDSA in CMS and X.509. They are more straightforward for implementers that way. 

 

We could change that if there was WG consensus. 

 

Note that draft-ietf-lamps-cms-sphincs-plus mentions about SLH-DSA in CMS 

 

“When this AlgorithmIdentifier appears in the SubjectPublicKeyInfo field of an X.509 certificate […]” 

 

So, it includes how the SLH-DSA OID can be used in X.509 cert public keys as well, but it does not mention how to use the signatures. 

 

 

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Mike Ounsworth
Sent: Tuesday, February 13, 2024 8:37 AM
To: draft-ietf-lamps-dilithium-certificates@ietf.org
Cc: 'LAMPS' <spasm@ietf.org>
Subject: [EXTERNAL] [lamps] Can ML-DSA be used in CMS?

 


The answer obviously is Yes, but draft-ietf-lamps-dilithium-certificates does not actually say this.

 

I was reading a draft ICAO ePassport document yesterday that correctly points out that IETF has a draft for how to use ML-DSA in X.509 certificates, but no draft for how to use ML-DSA in CMS.

 

Authors of draft-ietf-lamps-dilithium-certificates, if you add a section “Signed-data Conventions” modelled after RFC8419, then I think that saves us from needing a whole second ML-DSA draft.

 

---
Mike Ounsworth
Software Security Architect, Entrust