Re: [lamps] Hybrid pkix isn't needed
Tim Hollebeek <tim.hollebeek@digicert.com> Tue, 31 January 2023 15:51 UTC
Return-Path: <tim.hollebeek@digicert.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 30A5BC15152B for <spasm@ietfa.amsl.com>; Tue, 31 Jan 2023 07:51:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=digicert.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gxgRAwdpQkwc for <spasm@ietfa.amsl.com>; Tue, 31 Jan 2023 07:51:40 -0800 (PST)
Received: from NAM04-MW2-obe.outbound.protection.outlook.com (mail-mw2nam04on2072c.outbound.protection.outlook.com [IPv6:2a01:111:f400:7e8c::72c]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3DF91C14CF05 for <spasm@ietf.org>; Tue, 31 Jan 2023 07:51:39 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=TsLAwnqzk39zkAg+t+Sy35dcdQn1BPe2hnUA9RhqwMeZIXwhKxCVwpfYJnbiCATLijubrAeI38so9+QP5QE7tSJ9aYYeoduwV4KMUVFZgexC6IkSYnxYrQonM5CD+2zNFbXW+EkgFzs9ct3FB2nPITrrAEfGAQUXSpZFXP/Rj1x4FbZI6QxJ/pq02e8oW25v1uWIb2FUylFDD+5BOmxHWmhDarP65JkoDCXLVsZagGPPoBaMGcwoSWkv3h920J6b5F2q+iY8Vb7vilqyWjHlWmkZA02cOvPgVEC/hZRpV3AO1u4J79ZCjhGKC7EnfmNirIWwDAj53vc8Um7JuisLXQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=mMLn1hJaajO09jJA17rIxhesfh2i5Xzc/kwUBmh1pHA=; b=Vv0KfBscW8qmFNMfum7PPompPI9uHlJMUSW4P6V+KdIDYGQTVsiATn3NlM+UCWlNu7GWQyKI/86ng8TXAQgxGjXQ0vPX+HO0iVesuYpuuc7iR0IcL9zfhvk8ZLwf7wzIH/dYirTZJaMq1s0F9wuMSxHo6WzZxB2O2mrvHqZPAntSkZTzLOJPjv2UwXZlkuJgwFsP/lZmB3E6vKa1jOkcVGLg//AnIVXwaVOcVWMA7qoEk8vqTEuCY3tMNbXh/8gydVOzL4b0EiY6jMWUPzY0+xkim+/9wsvpJVpGMXSljoWMdafoJnaFCcZbjcWJQbYNKSZlPFaC0blcfs2tlCO2ew==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=digicert.com; dmarc=pass action=none header.from=digicert.com; dkim=pass header.d=digicert.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digicert.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=mMLn1hJaajO09jJA17rIxhesfh2i5Xzc/kwUBmh1pHA=; b=GqA/N/N2F0R1JPr7azojYB39vONILTTbng4k+/Kd02Dn/J8SUi6NnBvXVs97NnupejepSPPHNjbhWhpvx4fu+KBQHxnZvblFJoYMlFngsqzfzLVJQme0T6X1Xob97jmoP3f6Xz5+85E+UFOLlHZ6lRbhg0NFHfHwT3UIhK5S4+eAc6cDTIckJoWWqE2jl3PKnHZB8CSJD6FHSpXJeQpx5BG2CJw9PlAeNPuEJ9Dcz1iO27jD5NqhQXlddf6CGxWim8dvGb99NLBmGzUg1/kNjlpkGW7D7ufLbbtldg5DhT5dJDUWTVPfNyFfKN2VF7EI36Z83MKHYF8gvyGo0RsOmA==
Received: from SJ0PR14MB5489.namprd14.prod.outlook.com (2603:10b6:a03:423::22) by PH7PR14MB6089.namprd14.prod.outlook.com (2603:10b6:510:207::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6043.38; Tue, 31 Jan 2023 15:51:33 +0000
Received: from SJ0PR14MB5489.namprd14.prod.outlook.com ([fe80::8b0b:76db:50a8:c41a]) by SJ0PR14MB5489.namprd14.prod.outlook.com ([fe80::8b0b:76db:50a8:c41a%8]) with mapi id 15.20.6043.033; Tue, 31 Jan 2023 15:51:33 +0000
From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Carl Wallace <carl@redhoundsoftware.com>, Watson Ladd <watsonbladd@gmail.com>, Seo Suchan <tjtncks@gmail.com>
CC: "spasm@ietf.org" <spasm@ietf.org>
Thread-Topic: [lamps] Hybrid pkix isn't needed
Thread-Index: AQHZNDuAnFqDvDDvMEe3CdG65ZSOAK62FJ4ggAE0pYCAAAV0AIAACLOigAEDgACAAEqJQA==
Date: Tue, 31 Jan 2023 15:51:33 +0000
Message-ID: <SJ0PR14MB54899D8AABB09F3D2C46632583D09@SJ0PR14MB5489.namprd14.prod.outlook.com>
References: <CACsn0c=uPvp_hmakpfPff8WkYh1q9NhjfTJYs7iFu_czL2yAyA@mail.gmail.com> <DS7PR12MB5983E36300151BFC47E5CB34AAD39@DS7PR12MB5983.namprd12.prod.outlook.com> <CH0PR11MB57392033396F181A9853FAD79FD39@CH0PR11MB5739.namprd11.prod.outlook.com> <CACsn0c=n5TLZRywpRCQhpyoxX65OfA9p6e5iz9jKnnEVSX4zmQ@mail.gmail.com> <f04487ba-594d-ae24-828a-e08889c3b51e@gmail.com> <CACsn0cm_ggt-mzX2Sd_29bMBOBbBj6ozouZu0gSzg3LY2bDN-A@mail.gmail.com> <E8410219-6231-423B-8213-5ABCEA0ACCB9@redhoundsoftware.com>
In-Reply-To: <E8410219-6231-423B-8213-5ABCEA0ACCB9@redhoundsoftware.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=digicert.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: SJ0PR14MB5489:EE_|PH7PR14MB6089:EE_
x-ms-office365-filtering-correlation-id: 22a9a898-55e9-4c8a-b751-08db03a30707
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: ZxEOvZTL+qWT1KIkv5k6Qtoej6A9WWurLCz6Mn7b0YvNnGUoNmzaRO7+I0fuXMfn3C2bZ0WaY3DlB7n3f62D/T98uYwBbp2jRy/3S+syrFyaYkiQRDybto55qcFrfHr+B9BBIx6q41F/mWSW2W+ZRV4gMWEul0lu1IOGcUx8ybYxlpeFYGT5Q9zx/E45qr61xqIedZcscPR2uBNO3lhGKh4F1hIEXJeMx/rnOD/bKMoQ4V1DSQzoPrIUg7OpMoLomfc39oFqBxxk6bpmwt/eoRwB4FUTkX3ZeL3wFeg3wOYhVpNqIteSgoG+3UeV8iLLv3fyEVvqBLFGQb5q83M3d3Qiu4LUBs4yjfwwPIT0WHLVfHRtNN/6Liza3xuIWH6F4/pili4na26wZAxPN0R+AW5Hn5+2fkyWyocz9FDuUOIEvaU56aT1VIYlLtQHr1ZeNqf9pwbw5fNuvETTQhH3f2IDwa3WgnBw5BR0DaiDJWKkULE2ZaRE/bgsaIDlD82odM3JLPGd8+hAdBHOw0jFc5UGjL1ThrXnZ0badVm/p1AZian6wL/Uq+xmSxaDPcs8Tw04Z3crOwZIm0KuBiTgQD3VbCq/bTCynw+O/UEMRzpUNEQIr4GbJ4eXIl61nxBpV+DRbBvq6EGOzhrUWHxrDjp+pat3krOrrB5v/CwPVNPRd2AjTknCyLrnqdhYNStxHxRw2K4+ltr16PJNIs0ABw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:SJ0PR14MB5489.namprd14.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230025)(366004)(136003)(396003)(39860400002)(376002)(346002)(451199018)(8936002)(2906002)(8676002)(4326008)(38100700002)(44832011)(478600001)(33656002)(186003)(6506007)(5660300002)(26005)(9686003)(7696005)(38070700005)(71200400001)(52536014)(55016003)(86362001)(41300700001)(83380400001)(66446008)(64756008)(76116006)(66556008)(66476007)(66946007)(122000001)(316002)(110136005); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: D7A0qQEu6uixeczdwbpWx6kG5mWRxiSWaRngPQUXP5Ni+sHtH5CHi0U0Dw5GPWpSj371BuIuWANxuHsIqXFxgwZ4gkT/N3aguNSBGHEYIwpZuEteB5Wan+LwjrXFrZb+Vvl4pOHiF3z+xRD6LY8NjfRvhSh9jd3qYXgO/Fu99DmdKxoFO1vcMXM3VQf0Lp+OI4BlFNMYLBJ4EImnnfbfRAuy3F495Y35RLtR2kBhQQ1RX3IXCqg9JGF9NZ6SLFKDiSKv6uInka78Aw1jpK2yrn97Ttdy/dT+pwQYQScxwSQe6wCQ9PhWw+G/Oihbm/bfB1dKIwgbBWVG5qpSQmy2dGHUuY0fZhzH+iu2EnvOGI0lKXWezRFbT/iTD9r045rkKand7YRGSzSa3Lq2VooDmNSghSkrhH+1e1THmIfoiwibAQ04GUnHXagTktlEI5dy+5fyOiNZ6VfWENc9QWZsagkaLPgKPn+T37Sad2L6opkPihJ4DiTaSUMWfK66+L+OwrH29jkXsDdBmjL4g0jFnGtNxdpl/sIZwLrnkFz6RcuTAnAdJ66h5boqjKHFfkt3UP5lx8AoOVXWWjBCn8rqv0/nqL4dPDuDD0CIZWck9CyR1NB6vHDQPS2c1wyDektgYbMhCVyEcAwDu45E+5utBVEuaibzac6fGvNXKoBaxeVbvaVW4BvVtlKW4pxwDY2XQqawJCqGW8VN6JmCjGtj5Q7uK8FteNSllkeiS9imMXyqdTXo+Tej8rMJ90is0Ukk0NVG+9jcGZpUywUYK6brN1bKkNhOnHPuDW3oBOyz+D1zhG5innvhh0T4KOdyAYECB43c9hfe47iwGSpFdvIb1lsUf9hyGtt9xYlLFk3o50zjmSIc69vKlPVfWIicLAYK9bZLOU0kJpcSiVQ3ucZqCEqFuj2zbxbGbo7nfmq86S9cGyQOONd9/LTAIvTrQRI7IgY1Zc3FiVTrTfbGRAgs6uMtb+ebV5wfPR4+iJm2NxwMcafQ20TzWJ2lthCXfXUj6mwv0cR78GnmxVmZK5zPPJNaGM1sw6fALndHTBC9JSKuaetuHDEF4J85jKEgRKIoBumkInOIYxmDqNFgmSb9apEzVw/EyBooWJYR6JXjbAcF0kG4Z4OIeiqSFnerg+cBXKi+fxAlCCW1Um4Cbx+vuSg3nTdnmFkn4dU+eOwWQCUvBgkSDWhrp/K+ZtgCDRxBqV2RmdXEEp2rUo3pnlxHJBDAhKbSxbwQjiu1SS8Fpg/LjSPm2hLAQB6BTQZUGiLsD7RvMRgeWdCkX7Spr1CMbXuAJMQASKK0J8YuRb7AZhkObO6/vdZnp7+LC0rpBKNYmBGPsal38I5p0M3IMelZ4jilS8HkW2F6Q6UBSfZBvfl76DoXUMSM7t48JSNuEDIhtSui38kCd2kZYcnznXShPjmE/YTn+C1DUfIYbc6uD1J8Ie4izDwBcKFuNPxSlAyxHp0NJYkxoxk868Tv+MV50irBsn9h87bfDz233uhEEhcNAJKiEOZv1eo3igQqfaB9IQOfeY6bQXIFr/5Tv+Ht9RJELsOp3WQtT+z4IrQfK6b25JmBOZfu+1aB4QhE1yXK7jLDFKYrIFfHhjK7Dt/qyg==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: digicert.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SJ0PR14MB5489.namprd14.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 22a9a898-55e9-4c8a-b751-08db03a30707
X-MS-Exchange-CrossTenant-originalarrivaltime: 31 Jan 2023 15:51:33.5243 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: cf813fa1-bde5-4e75-9479-f6aaa8b1f284
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: vghGewKHY9r/J4WKh6S6h6ij5vtass5sr36wKgdGI1trlnPAOpHYukOMIiBl/BCXRUrg6Tqk9J8cA77tNabiwfOl/0zisDnS9iSAjL7dAmo=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH7PR14MB6089
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/7bPgeKXNxZxvMD2JFnrmSAxfm2Q>
Subject: Re: [lamps] Hybrid pkix isn't needed
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Jan 2023 15:51:44 -0000
> Hash based schemes are secure if any signature scheme is secure. Even if we > want to hybridize, having hybrid keys in certs seems a lot simpler to me than > tying multiple certs through complex mechanisms. > > [CW] The PQC hackathon during IETF115 bears out that composite is not > difficult to implement. Interoperability was demonstrated between several > implementations fairly quickly. Also, while the security of hash-based encryption algorithms is trivial, the key management for hash-based algorithms is complex and dangerous which is why many of us who have been pushing them for about 5+ years now only feel comfortable with them as part of well-vetted HSM implementations. Key management for traditional single PQ pairs and for composite are much more straightforward. There are several use cases where hash-based signatures make a ton of sense, but their utility will decline over time as we gain confidence with the newer stateless NIST algorithms, and their key management challenges mean they are not the solution to all the world's problems. The same is true of composite certificates, to some extent. We really should be seeing more concrete analysis of how the transitions, including key management, will work at scale, and what special considerations are necessary for each particular use case, because it probably will be different. For example, TLS is an online authentication protocol (at least the relevant part here), and so negotiation and single certificates makes a lot of sense, but that doesn't mean there aren't a lot of useful discussions to be had about how pairs of key pairs need to be managed during the transition to avoid risks that will arise due to the transition process. Being able to play games with which key pairs do / do not go together will almost certainly be part of some of those shenanigans, which is why I think the discussions about how to do bindings is very useful. In situations where there is no online negotiation, multiple signatures and/or multiple keys might be part of the solution. Very few signature systems today support multiple signatures (the only major one I can think of is actually probably being replaced as part of the PQ transition anyway), so it's new development regardless of the strategy in most cases. Many of discussions that I've seen over the years claim that one strategy is clearly simpler than another, but in my experience, they're mostly just moving complexity around, and by not handling it in one particular way at one particular layer, they're forcing the same complexity (or worse) onto another layer and encumbering other techniques. Which strategy is best for each particular use case, and what the challenges and advantages / disadvantages are, is what we really need to be discussing in a careful way. But instead we get stuck in loops with messages that sound suspiciously like "technological concept X is bad and I don't like it," but with little actual analysis that moves the discussion forward. On the subject of composite certificates, unfortunately, some of the people involved have managed to make them far more complicated than they need to be (in my opinion, sorry guys), and this has unfortunately made them appear more complicated than they necessarily are. For example, I see little, if any, benefit to having more than two keys in a certificate. This is a technology that, to the extent it has a purpose, is enabling transitions to happen more smoothly and securely, by running the same cryptographic binding across the identities and both keys, which is the simplest possible way to express the binding. Which is why I was originally drawn to it. Two certificate transition strategies are also feasible, but then key management is more complex, and codifying the binding into the certificates is something that may also makes sense and simplifies key management. As a reminder, correct key management is always the hard part, but it isn't as fun to talk about, so it gets less attention. In all of these cases, the design is complicated by the fact that one of the two binding mechanisms grows weaker over time, so care needs to be taken about which aspects need only be trustworthy now, and which aspects need to continue into the future. This is why all of this technology needs to be carefully standardized with well written security consideration sections, because pitfalls and footguns abound, no matter how you try to do it. It's a complicated topic. All of this basically just means we still have a lot of work to do on figuring out, analyzing, and documenting exactly what each of these techniques can and can't achieve, and how they can be put together into systems that will help us transition all of our cryptosystems to newer, more secure versions on a relatively short timescale. It's an important problem and we're either going to do a good job of handling it, or we're not. I would prefer we work together on figuring out what's best for each of these transitions, as I've seen no evidence that there are any silver bullets out there that make any of them trivial. Except possibly TLS which keeps distracting us, when we really should probably put it down and come back to it after all the real problems are sorted. That one's pretty easy and not that time sensitive. -Tim
- [lamps] Hybrid pkix isn't needed Watson Ladd
- Re: [lamps] Hybrid pkix isn't needed Michael Markowitz
- Re: [lamps] Hybrid pkix isn't needed Watson Ladd
- Re: [lamps] Hybrid pkix isn't needed Tadahiko Ito
- Re: [lamps] Hybrid pkix isn't needed Ilari Liusvaara
- Re: [lamps] Hybrid pkix isn't needed Hubert Kario
- Re: [lamps] Hybrid pkix isn't needed Mike Ounsworth
- Re: [lamps] Hybrid pkix isn't needed Watson Ladd
- Re: [lamps] Hybrid pkix isn't needed Seo Suchan
- Re: [lamps] Hybrid pkix isn't needed Watson Ladd
- Re: [lamps] [EXTERNAL] Re: Hybrid pkix isn't need… Mike Ounsworth
- Re: [lamps] Hybrid pkix isn't needed Stephen Farrell
- Re: [lamps] Hybrid pkix isn't needed Tadahiko Ito
- Re: [lamps] Hybrid pkix isn't needed Ilari Liusvaara
- Re: [lamps] Hybrid pkix isn't needed Ilari Liusvaara
- Re: [lamps] Hybrid pkix isn't needed Carl Wallace
- Re: [lamps] [EXTERNAL] Re: Hybrid pkix isn't need… Mike Ounsworth
- Re: [lamps] Hybrid pkix isn't needed Phillip Hallam-Baker
- Re: [lamps] Hybrid pkix isn't needed Tim Hollebeek