Re: [lamps] Hybrid pkix isn't needed

Tim Hollebeek <tim.hollebeek@digicert.com> Tue, 31 January 2023 15:51 UTC

Return-Path: <tim.hollebeek@digicert.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 30A5BC15152B for <spasm@ietfa.amsl.com>; Tue, 31 Jan 2023 07:51:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=digicert.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gxgRAwdpQkwc for <spasm@ietfa.amsl.com>; Tue, 31 Jan 2023 07:51:40 -0800 (PST)
Received: from NAM04-MW2-obe.outbound.protection.outlook.com (mail-mw2nam04on2072c.outbound.protection.outlook.com [IPv6:2a01:111:f400:7e8c::72c]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3DF91C14CF05 for <spasm@ietf.org>; Tue, 31 Jan 2023 07:51:39 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=TsLAwnqzk39zkAg+t+Sy35dcdQn1BPe2hnUA9RhqwMeZIXwhKxCVwpfYJnbiCATLijubrAeI38so9+QP5QE7tSJ9aYYeoduwV4KMUVFZgexC6IkSYnxYrQonM5CD+2zNFbXW+EkgFzs9ct3FB2nPITrrAEfGAQUXSpZFXP/Rj1x4FbZI6QxJ/pq02e8oW25v1uWIb2FUylFDD+5BOmxHWmhDarP65JkoDCXLVsZagGPPoBaMGcwoSWkv3h920J6b5F2q+iY8Vb7vilqyWjHlWmkZA02cOvPgVEC/hZRpV3AO1u4J79ZCjhGKC7EnfmNirIWwDAj53vc8Um7JuisLXQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=mMLn1hJaajO09jJA17rIxhesfh2i5Xzc/kwUBmh1pHA=; b=Vv0KfBscW8qmFNMfum7PPompPI9uHlJMUSW4P6V+KdIDYGQTVsiATn3NlM+UCWlNu7GWQyKI/86ng8TXAQgxGjXQ0vPX+HO0iVesuYpuuc7iR0IcL9zfhvk8ZLwf7wzIH/dYirTZJaMq1s0F9wuMSxHo6WzZxB2O2mrvHqZPAntSkZTzLOJPjv2UwXZlkuJgwFsP/lZmB3E6vKa1jOkcVGLg//AnIVXwaVOcVWMA7qoEk8vqTEuCY3tMNbXh/8gydVOzL4b0EiY6jMWUPzY0+xkim+/9wsvpJVpGMXSljoWMdafoJnaFCcZbjcWJQbYNKSZlPFaC0blcfs2tlCO2ew==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=digicert.com; dmarc=pass action=none header.from=digicert.com; dkim=pass header.d=digicert.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digicert.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=mMLn1hJaajO09jJA17rIxhesfh2i5Xzc/kwUBmh1pHA=; b=GqA/N/N2F0R1JPr7azojYB39vONILTTbng4k+/Kd02Dn/J8SUi6NnBvXVs97NnupejepSPPHNjbhWhpvx4fu+KBQHxnZvblFJoYMlFngsqzfzLVJQme0T6X1Xob97jmoP3f6Xz5+85E+UFOLlHZ6lRbhg0NFHfHwT3UIhK5S4+eAc6cDTIckJoWWqE2jl3PKnHZB8CSJD6FHSpXJeQpx5BG2CJw9PlAeNPuEJ9Dcz1iO27jD5NqhQXlddf6CGxWim8dvGb99NLBmGzUg1/kNjlpkGW7D7ufLbbtldg5DhT5dJDUWTVPfNyFfKN2VF7EI36Z83MKHYF8gvyGo0RsOmA==
Received: from SJ0PR14MB5489.namprd14.prod.outlook.com (2603:10b6:a03:423::22) by PH7PR14MB6089.namprd14.prod.outlook.com (2603:10b6:510:207::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6043.38; Tue, 31 Jan 2023 15:51:33 +0000
Received: from SJ0PR14MB5489.namprd14.prod.outlook.com ([fe80::8b0b:76db:50a8:c41a]) by SJ0PR14MB5489.namprd14.prod.outlook.com ([fe80::8b0b:76db:50a8:c41a%8]) with mapi id 15.20.6043.033; Tue, 31 Jan 2023 15:51:33 +0000
From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Carl Wallace <carl@redhoundsoftware.com>, Watson Ladd <watsonbladd@gmail.com>, Seo Suchan <tjtncks@gmail.com>
CC: "spasm@ietf.org" <spasm@ietf.org>
Thread-Topic: [lamps] Hybrid pkix isn't needed
Thread-Index: AQHZNDuAnFqDvDDvMEe3CdG65ZSOAK62FJ4ggAE0pYCAAAV0AIAACLOigAEDgACAAEqJQA==
Date: Tue, 31 Jan 2023 15:51:33 +0000
Message-ID: <SJ0PR14MB54899D8AABB09F3D2C46632583D09@SJ0PR14MB5489.namprd14.prod.outlook.com>
References: <CACsn0c=uPvp_hmakpfPff8WkYh1q9NhjfTJYs7iFu_czL2yAyA@mail.gmail.com> <DS7PR12MB5983E36300151BFC47E5CB34AAD39@DS7PR12MB5983.namprd12.prod.outlook.com> <CH0PR11MB57392033396F181A9853FAD79FD39@CH0PR11MB5739.namprd11.prod.outlook.com> <CACsn0c=n5TLZRywpRCQhpyoxX65OfA9p6e5iz9jKnnEVSX4zmQ@mail.gmail.com> <f04487ba-594d-ae24-828a-e08889c3b51e@gmail.com> <CACsn0cm_ggt-mzX2Sd_29bMBOBbBj6ozouZu0gSzg3LY2bDN-A@mail.gmail.com> <E8410219-6231-423B-8213-5ABCEA0ACCB9@redhoundsoftware.com>
In-Reply-To: <E8410219-6231-423B-8213-5ABCEA0ACCB9@redhoundsoftware.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=digicert.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: SJ0PR14MB5489:EE_|PH7PR14MB6089:EE_
x-ms-office365-filtering-correlation-id: 22a9a898-55e9-4c8a-b751-08db03a30707
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: ZxEOvZTL+qWT1KIkv5k6Qtoej6A9WWurLCz6Mn7b0YvNnGUoNmzaRO7+I0fuXMfn3C2bZ0WaY3DlB7n3f62D/T98uYwBbp2jRy/3S+syrFyaYkiQRDybto55qcFrfHr+B9BBIx6q41F/mWSW2W+ZRV4gMWEul0lu1IOGcUx8ybYxlpeFYGT5Q9zx/E45qr61xqIedZcscPR2uBNO3lhGKh4F1hIEXJeMx/rnOD/bKMoQ4V1DSQzoPrIUg7OpMoLomfc39oFqBxxk6bpmwt/eoRwB4FUTkX3ZeL3wFeg3wOYhVpNqIteSgoG+3UeV8iLLv3fyEVvqBLFGQb5q83M3d3Qiu4LUBs4yjfwwPIT0WHLVfHRtNN/6Liza3xuIWH6F4/pili4na26wZAxPN0R+AW5Hn5+2fkyWyocz9FDuUOIEvaU56aT1VIYlLtQHr1ZeNqf9pwbw5fNuvETTQhH3f2IDwa3WgnBw5BR0DaiDJWKkULE2ZaRE/bgsaIDlD82odM3JLPGd8+hAdBHOw0jFc5UGjL1ThrXnZ0badVm/p1AZian6wL/Uq+xmSxaDPcs8Tw04Z3crOwZIm0KuBiTgQD3VbCq/bTCynw+O/UEMRzpUNEQIr4GbJ4eXIl61nxBpV+DRbBvq6EGOzhrUWHxrDjp+pat3krOrrB5v/CwPVNPRd2AjTknCyLrnqdhYNStxHxRw2K4+ltr16PJNIs0ABw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:SJ0PR14MB5489.namprd14.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230025)(366004)(136003)(396003)(39860400002)(376002)(346002)(451199018)(8936002)(2906002)(8676002)(4326008)(38100700002)(44832011)(478600001)(33656002)(186003)(6506007)(5660300002)(26005)(9686003)(7696005)(38070700005)(71200400001)(52536014)(55016003)(86362001)(41300700001)(83380400001)(66446008)(64756008)(76116006)(66556008)(66476007)(66946007)(122000001)(316002)(110136005); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: D7A0qQEu6uixeczdwbpWx6kG5mWRxiSWaRngPQUXP5Ni+sHtH5CHi0U0Dw5GPWpSj371BuIuWANxuHsIqXFxgwZ4gkT/N3aguNSBGHEYIwpZuEteB5Wan+LwjrXFrZb+Vvl4pOHiF3z+xRD6LY8NjfRvhSh9jd3qYXgO/Fu99DmdKxoFO1vcMXM3VQf0Lp+OI4BlFNMYLBJ4EImnnfbfRAuy3F495Y35RLtR2kBhQQ1RX3IXCqg9JGF9NZ6SLFKDiSKv6uInka78Aw1jpK2yrn97Ttdy/dT+pwQYQScxwSQe6wCQ9PhWw+G/Oihbm/bfB1dKIwgbBWVG5qpSQmy2dGHUuY0fZhzH+iu2EnvOGI0lKXWezRFbT/iTD9r045rkKand7YRGSzSa3Lq2VooDmNSghSkrhH+1e1THmIfoiwibAQ04GUnHXagTktlEI5dy+5fyOiNZ6VfWENc9QWZsagkaLPgKPn+T37Sad2L6opkPihJ4DiTaSUMWfK66+L+OwrH29jkXsDdBmjL4g0jFnGtNxdpl/sIZwLrnkFz6RcuTAnAdJ66h5boqjKHFfkt3UP5lx8AoOVXWWjBCn8rqv0/nqL4dPDuDD0CIZWck9CyR1NB6vHDQPS2c1wyDektgYbMhCVyEcAwDu45E+5utBVEuaibzac6fGvNXKoBaxeVbvaVW4BvVtlKW4pxwDY2XQqawJCqGW8VN6JmCjGtj5Q7uK8FteNSllkeiS9imMXyqdTXo+Tej8rMJ90is0Ukk0NVG+9jcGZpUywUYK6brN1bKkNhOnHPuDW3oBOyz+D1zhG5innvhh0T4KOdyAYECB43c9hfe47iwGSpFdvIb1lsUf9hyGtt9xYlLFk3o50zjmSIc69vKlPVfWIicLAYK9bZLOU0kJpcSiVQ3ucZqCEqFuj2zbxbGbo7nfmq86S9cGyQOONd9/LTAIvTrQRI7IgY1Zc3FiVTrTfbGRAgs6uMtb+ebV5wfPR4+iJm2NxwMcafQ20TzWJ2lthCXfXUj6mwv0cR78GnmxVmZK5zPPJNaGM1sw6fALndHTBC9JSKuaetuHDEF4J85jKEgRKIoBumkInOIYxmDqNFgmSb9apEzVw/EyBooWJYR6JXjbAcF0kG4Z4OIeiqSFnerg+cBXKi+fxAlCCW1Um4Cbx+vuSg3nTdnmFkn4dU+eOwWQCUvBgkSDWhrp/K+ZtgCDRxBqV2RmdXEEp2rUo3pnlxHJBDAhKbSxbwQjiu1SS8Fpg/LjSPm2hLAQB6BTQZUGiLsD7RvMRgeWdCkX7Spr1CMbXuAJMQASKK0J8YuRb7AZhkObO6/vdZnp7+LC0rpBKNYmBGPsal38I5p0M3IMelZ4jilS8HkW2F6Q6UBSfZBvfl76DoXUMSM7t48JSNuEDIhtSui38kCd2kZYcnznXShPjmE/YTn+C1DUfIYbc6uD1J8Ie4izDwBcKFuNPxSlAyxHp0NJYkxoxk868Tv+MV50irBsn9h87bfDz233uhEEhcNAJKiEOZv1eo3igQqfaB9IQOfeY6bQXIFr/5Tv+Ht9RJELsOp3WQtT+z4IrQfK6b25JmBOZfu+1aB4QhE1yXK7jLDFKYrIFfHhjK7Dt/qyg==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: digicert.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SJ0PR14MB5489.namprd14.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 22a9a898-55e9-4c8a-b751-08db03a30707
X-MS-Exchange-CrossTenant-originalarrivaltime: 31 Jan 2023 15:51:33.5243 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: cf813fa1-bde5-4e75-9479-f6aaa8b1f284
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: vghGewKHY9r/J4WKh6S6h6ij5vtass5sr36wKgdGI1trlnPAOpHYukOMIiBl/BCXRUrg6Tqk9J8cA77tNabiwfOl/0zisDnS9iSAjL7dAmo=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH7PR14MB6089
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/7bPgeKXNxZxvMD2JFnrmSAxfm2Q>
Subject: Re: [lamps] Hybrid pkix isn't needed
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Jan 2023 15:51:44 -0000

> Hash based schemes are secure if any signature scheme is secure. Even if we
> want to hybridize, having hybrid keys in certs seems a lot simpler to me than
> tying multiple certs through complex mechanisms.
> 
> [CW] The PQC hackathon during IETF115 bears out that composite is not
> difficult to implement. Interoperability was demonstrated between several
> implementations fairly quickly.

Also, while the security of hash-based encryption algorithms is trivial, the key
management for hash-based algorithms is complex and dangerous which
is why many of us who have been pushing them for about 5+ years now only
feel comfortable with them as part of well-vetted HSM implementations.

Key management for traditional single PQ pairs and for composite are much
more straightforward.

There are several use cases where hash-based signatures make a ton of sense,
but their utility will decline over time as we gain confidence with the newer
stateless NIST algorithms, and their key management challenges mean they are 
not the solution to all the world's problems.

The same is true of composite certificates, to some extent.  We really should
be seeing more concrete analysis of how the transitions, including key management, 
will work at scale, and what special considerations are necessary for each 
particular use case, because it probably will be different.  For example, TLS is 
an online authentication protocol (at least the relevant part here), and so 
negotiation and single certificates makes a lot of sense, but that doesn't mean 
there aren't a lot of useful discussions to be had about how pairs of key pairs 
need to be managed during the transition to avoid risks that will arise due to 
the transition process.  Being able to play games with which key pairs do / do 
not go together will almost certainly be part of some of those shenanigans, 
which is why I think the discussions about how to do bindings is very useful.

In situations where there is no online negotiation, multiple signatures and/or 
multiple keys might be part of the solution.  Very few signature systems today 
support multiple signatures (the only major one I can think of is actually 
probably being replaced as part of the PQ transition anyway), so it's new 
development regardless of the strategy in most cases.  

Many of discussions that I've seen over the years claim that one strategy is 
clearly simpler than another, but in my experience, they're mostly just 
moving complexity around, and by not handling it in one particular way at 
one particular layer, they're forcing the same complexity (or worse) onto 
another layer and encumbering other techniques.  Which strategy is best 
for each particular use case, and what the challenges and advantages / 
disadvantages are, is what we really need to be discussing in a careful way.  
But instead we get stuck in loops with messages that sound suspiciously like 
"technological concept X is bad and I don't like it," but with little actual 
analysis that moves the discussion forward.

On the subject of composite certificates, unfortunately, some of the people 
involved have managed to make them far more complicated than they 
need to be (in my opinion, sorry guys), and this has unfortunately made them 
appear more complicated than they necessarily are.  For example, I see little, 
if any, benefit to having more than two keys in a certificate.  This is a 
technology that, to the extent it has a purpose, is enabling transitions to 
happen more smoothly and securely, by running the same cryptographic 
binding across the identities and both keys, which is the simplest possible 
way to express the binding.  Which is why I was originally drawn to it.

Two certificate transition strategies are also feasible, but then key management 
is more complex, and codifying the binding into the certificates is something that
may also makes sense and simplifies key management.  As a reminder, correct
key management is always the hard part, but it isn't as fun to talk about, so it
gets less attention.

In all of these cases, the design is complicated by the fact that one of the two 
binding mechanisms grows weaker over time, so care needs to be taken about 
which aspects need only be trustworthy now, and which aspects need to 
continue into the future.  This is why all of this technology needs to be carefully
standardized with well written security consideration sections, because pitfalls
and footguns abound, no matter how you try to do it.  It's a complicated topic.

All of this basically just means we still have a lot of work to do on figuring out, 
analyzing, and documenting exactly what each of these techniques can and 
can't achieve, and how they can be put together into systems that will help us 
transition all of our cryptosystems to newer, more secure versions on a relatively 
short timescale.  It's an important problem and we're either going to do a good 
job of handling it, or we're not.  I would prefer we work together on figuring 
out what's best for each of these transitions, as I've seen no evidence that there 
are any silver bullets out there that make any of them trivial.  Except possibly 
TLS which keeps distracting us, when we really should probably put it down 
and come back to it after all the real problems are sorted.  That one's pretty 
easy and not that time sensitive.

-Tim