[lamps] let's move beyond X.509 for PQC transition...

Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 31 January 2023 21:48 UTC

Message-ID: <7466301a-cacf-716b-f88d-df6df9e37672@cs.tcd.ie>
Date: Tue, 31 Jan 2023 21:47:48 +0000
To: "pqc@ietf.org" <pqc@ietf.org>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/ADXpknFnrOOMkLmMixvKzCOIBeQ>

Hiya,

(I've bcc'd the lamps wg list in case folks there but not
here are interested - there are related discussions on that
list at the moment.)

A number of people are proposing various ways to handle PQC
transitions while continuing to make use of X.509 format
certificates for PKI.

I think X.509, being nearly a 40 year old technology, should
by now have had its day, and the PQC transition seems like a
good opportunity to make the leap beyond the 20th century.

I've no specific proposal for what to do instead but would be
interested if others do, or if folks who happen to be at the
next IETF meeting do, or if people wanted to do a call to
discuss this topic. (There's a specific reason I've no
specific proposal btw - I don't see much point in any way of
handling this that doesn't have support from a bunch of folk,
so this seems like a topic where establishing a level of
interest first may be better.)

Cheers,
S.

PS: Note that I'm not saying that X.509 is awful (parts of it
are of course:-) or that we never should've used it (we were
right to invent X.509v3 back in the 1990's) or that X.509
based approaches can't do the job. I do strongly suspect
though that the attack surface for any X.509 based approach
to PQC transition will be a lot worse than necessary.