IETF Logo Mail Archive

[lamps] Re: [EXT] Re: WG Last Call for draft-ietf-lamps-kyber-certificates-07

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Fri, 10 January 2025 19:01 UTC

Return-Path: <prvs=51050e534f=uri@ll.mit.edu>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0E6F4C14CF1A for <spasm@ietfa.amsl.com>; Fri, 10 Jan 2025 11:01:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, LOTS_OF_MONEY=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lqQsOKltoghe for <spasm@ietfa.amsl.com>; Fri, 10 Jan 2025 11:01:27 -0800 (PST)
Received: from MX2.LL.MIT.EDU (mx2.ll.mit.edu [129.55.12.51]) by ietfa.amsl.com (Postfix) with ESMTP id 3CD62C15108D for <spasm@ietf.org>; Fri, 10 Jan 2025 11:01:26 -0800 (PST)
Received: from LLEX2019-02.mitll.ad.local (llex2019-02.mitll.ad.local [172.25.4.98] (may be forged)) by MX2.LL.MIT.EDU (8.18.1.2/8.18.1.2) with ESMTPS id 50AIwsFr050922 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL) for <spasm@ietf.org>; Fri, 10 Jan 2025 13:58:54 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=vBuXcBJIfyoW762ursTGPf7IQzvHn75qM/4zKolLosLBZHeiLtaMGVBUqVQKAK7PjertidK2268HHERV1eNxmEY6Dl2iWI4warvYT2Bh/cZKRXmhlpb+jC5uDL/GmaKxj74ad1WYE8CWHFumr9wWD62l9EBQQ8D2jyZyvk955QvkvEjwutycygkaF7SPkgVuvj+EPeiJi4HISZrDxlCCc7agO11hGxYXFElyIisrZddCkcQvFqSunkfBUtULplFuh8/BXRArHSum5LXe9oxI3sjDuKx12UBV/ytrcAphcZp2wMgmR0QKY/7PuI8Ruwz0Icm3Ek0VnGIKApEqGdMNzw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=wbQuPCO0DHQP2xGuLxAvq+8u0ht7iJPyQeW3o/F0KXg=; b=ZbSN1SkN2WEx0q4cQebGKMu6hqkypKvdi4gu0C3ZvHDgEiETxWi3teS252qqau2dLaq3xV4Jr8Wolpu58SwEJPUFNa3gCi4HimjeyHCKjeDF6HOcz2DhSFFaXW8+wdGbrIVqxaCvZVdSzLIzQIERgUYRepYyuvp+HndwgvIlen5EsN/txKQswPQIZEjZjyMBf9Lp1MLCr5AtefFsM0Z8gr2VPf4OKdVl2h9Vl4w5zV9vhzi4VAN0RESy2b6cyqaNb0BWS7Lb72BCGECVfaI/9O5f22/l4GezaMXPqPSexgNvFmrpXuG3+tcrRLV8A3VKCQF0QmG67OLJ02FQ9yaRig==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ll.mit.edu; dmarc=pass action=none header.from=ll.mit.edu; dkim=pass header.d=ll.mit.edu; arc=none
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: "spasm@ietf.org" <spasm@ietf.org>
Thread-Topic: [EXT] [lamps] Re: WG Last Call for draft-ietf-lamps-kyber-certificates-07
Thread-Index: AQHbY5CwjbL+yp/gVk+k0sNUlhbdZLMQXFjt
Date: Fri, 10 Jan 2025 19:01:23 +0000
Message-ID: <BN0P110MB141929C5B20602C80DA62144901CA@BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM>
References: <1B633295-9219-4B86-B241-E6095E52D209@vigilsec.com> <20250110185004.93407.qmail@cr.yp.to>
In-Reply-To: <20250110185004.93407.qmail@cr.yp.to>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-ms-reactions: allow
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: BN0P110MB1419:EE_|BN0P110MB1644:EE_
x-ms-office365-filtering-correlation-id: 408ba26b-2464-429e-0365-08dd31a92d04
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;ARA:13230040|1800799024|4022899009|366016|7053199007|8096899003|38070700018;
x-microsoft-antispam-message-info: hGmMyYuTO+Duico7sXye+MesowBbq0aAJudt7x+R5COdVd/DxOrryXLnVVAu52QBdzX7fktk4irX8Mkl2gtXBmq8aWZ5/j7Y7CKAuovyYFZ/dIoqNKL9YK1uibK4lBS0AJNACbUni6gIiIS/oi8THeVQGCrx6+TtfZH59KKDHEVkXztb+aYP2mnyblHsLmQS/jPcj698D8Uc4IBYBgaTPg4PK9XdtDtuyLkg7X2cG3jR+Jh1mizFExiIjct71Nngko4+P7Ja7u5oqkww+NblrCL1LO9kQV9ze+CDGPE4tC3K6LUSe+F3PBiBS1inOhWDrBu9WYrFuMUgu1NxZt8V5zmXQJFfkWUQHiatNuexaay+pa5kNDkpb5B6sFpeesIiBTkT8OrLooOVYJnHAxeC42oiwOslT/gpYYqz8PUl0AlGk/5knTAIjPX1kS3TmZDcZ3g3hFGjrvRoVdGB6dcF22XfTZjmCuz6w5LMC9nLxVq8c/1TV+Ebm4Nr/XKrl1jI2FwjG+ZkcesFIkYO9R1fPPFgEKMp68POHOHDedGQ1rrLqCrSAmq6SDxhzJnoI0Q1dwktB83l7yXKvskgd/ZVi7UhqtOIiLfMdkdac9Hn50Kmu7LnpDg2DS3JAELfJHYlKqKnomvbnSAn+9i4FvEOHbST9tIFrLIXhFxTqKLl8sHIKEQILuRZ7k8P2mknKB+oORG4YkilzEGuykHhBqWLao3FR13P98Gcs4fZApvY7v5HgA1XaUY6xMS25YuN1fNIds0TAqPk21vNyTHK5D2oJ28s8s9BwMv3o+qBPwUWzJ6FLDi5vr3ft8/d43zInoSOnmsaUpl2U7Hbft4We8uOB9xUiK47347gzp13o/dNsq2x3jWgIZUWhSPJX3BzWXbB6ub0/U3UTcsoSfcuUR6XJMN2DMyFaST09+ADVpE9ptcfdXAbd2VufFwX3/o2z7piy8n5PMISKoliEbePL/s7NNdi2GkAPIO4Lh/q3b064QNljPVEd1hjFNJeAcSN0eblhVPjCq3LoJB8pUv8L+2+/yJO5OmEUa+i7E29tpfdJwwKCgoKWd6ngJcrdRzbw1LuAUrBfDGjsodeLjR2Sndor62ZuLr5ktm2boj4Fpj+kQZTaZf0e/FIyoOf1lENMpc0LCJVqXPDMt134qt3TffXygh0qMOpTRHz9HH1qwwu6UyjBb9CzDhLkPrNq4h/zk67vCZ6kXH7mhtflSZQKzHDpu5zI58N0xjOpQvxvnZhHT+8O8cgWU2SVwzlYYkXIRPdOzKpZ4pJHbQPUIITQTTyN+/YJaRiPcFuRyjDvVay8hCuBl3Kn493ch56LP+/ZEHFJ+Y6H/eKIFIsyHgmKGFjNw==
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(1800799024)(4022899009)(366016)(7053199007)(8096899003)(38070700018);DIR:OUT;SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: 1o5/HPmTmNAdJiI9+pUW4R9KlLtI06xQ3LwjFOAYP/7tMC0qVCeMRVIiYHhl/hcDC0VRgl1M0+M5yptkBTg6+k0Xexfo3XeIYW+izGUFgmPTSWsrCk+p18gyEISGCjmCVIbnF3W+9yL5y037qL1i+S1H+Lxh3oIly/U8mCEdxEweYY8+tbUQUSHl2BaAcXxW9NrEAi/qzT30ejUiIcgN81vFKWVQL5Vk+Pe3/w7M6PwzwtvkcGqyvl37UfaZnZmnk57wyG36h5qus3s6NVCIH4che4qNVldy0fWlj43TAf5nTjbLqPxWrUDrzcj8HC1dVZxOggEopXza1CsirP+FOBLx4eLRufcxgd/VqAUCPTHvw91KPCD7bc8c6rFD8+ggzivWXkVOZQX8JuzJro9FqvoQVwfrtKOGlVT6R41ROJosI9qrWJjgrMdj7rE7d0TvdUDd3gOSBZ75M3lXM3Mlnm0sa+H4bfB9jzdwilMfWRB/2Oz2JrVkx/E05uG+45aIUdg9Ls46lmYoZMhLI3mMYNfuInTNPEvvtoCXsId26vYjS9hDUo6imezAQY3gdoHaCqeXlH6ouw7iDrhJbqCKbNUxAI9WIauIV04ohY/Ow3neUnBN2hZgVgo6AF57nKOsFuy59+HAqpuZcVSV8IDKtA3meqsBvInSWDeQgPs0g7Wm6Pds6cOm/d3AE5bAzvY8ydN2BdnBb0esEZDB/8jy1O1wGcYlgAQ4AcGAZ0Y5zjPE7NWkBXXhUCBt5syX9GJINteh6mbdMx3yKIdPXlBhmQZ+7SHpYoQGSTIDcbmZ1cDTbrmfzaKOz++Kx15Wuuas4DUZG8Mr6S7sQ3HUyMUQQgDE0qBYs+Yq460g0mKaiLm4B9uaaGG5ChxFvssOYC0dlZXsPqI0MnuHye1wimTcHH443cZs4FFv9aZoVQX/uLvXaA4h+y9KbHrij2XcAAlM3HSVtYGyVrWMQicT/k09ACW/zQU9z2wItxv9tSm/OgvLjkok4gMfn/YPs9lipqjNnKKDCF8NNLOZu67Jzvtdpmz9Qpl0q9KeXB3dg/tM7COywckQJnMYW6YkBmT5rlOT4oB2V+LyATN49VRQMFLNyM8ObbOszKTFyWWd9qug/UZHBTH3R4o9Hj+rY6+KknLx84QqQFstlbqrocLkM7ecN8ku3xEZ5umPf8LdIgKT70tC6DLZeI6wLg0RY5MfXQs4tlFKE6Bjf3McypXAAvboQsd3uooSdsk3bYAYi4Qiwv0boTKPD7BMWI4fV4kpZfv0+f72C5VI1K8ArQXahOY0iDa/b64SyyPOcUfCfCEhVNcmDPbzXxhDYzb3H5hgBF2DfKbHgA7CLZbLXjVUE+le7djflF9nc/RvXCeGoWnt/wQPlg6PnptrRff8mxOYoJeKGb497KmXMuLXMQ6SoOUj2zXpfBXtRDeoep2QU6M/2Aj5C9Sf5zEqJuCGXmmOrmUCL63XzC2vIgs5BH4nsSP1Av06tZ2l6zm8UTxl49/hTxUYCC9QWrPhl2ZSD2M4q20X
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha256"; boundary="_10FD0894-62FE-9E44-975C-013EDA16B94D_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 408ba26b-2464-429e-0365-08dd31a92d04
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Jan 2025 19:01:23.0419 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 83d1efe3-698e-4819-911b-0a8fbe79d01c
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN0P110MB1644
X-Proofpoint-GUID: uLTVyaDu2gAourlSmQkZAHY-pLSKSfaS
X-Proofpoint-ORIG-GUID: uLTVyaDu2gAourlSmQkZAHY-pLSKSfaS
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1057,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-01-10_08,2025-01-10_03,2024-11-22_01
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 bulkscore=0 adultscore=0 phishscore=0 suspectscore=0 mlxscore=0 mlxlogscore=999 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2411120000 definitions=main-2501100146
Message-ID-Hash: RKVKTBJTWMP3P7IPKIBVPLPO6W5DISOW
X-Message-ID-Hash: RKVKTBJTWMP3P7IPKIBVPLPO6W5DISOW
X-MailFrom: prvs=51050e534f=uri@ll.mit.edu
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-spasm.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [lamps] Re: [EXT] Re: WG Last Call for draft-ietf-lamps-kyber-certificates-07
List-Id: This is the mail list for the LAMPS Working Group <spasm.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/AKmYVoDAgi_IbVXIOIYD95eBp3I>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Owner: <mailto:spasm-owner@ietf.org>
List-Post: <mailto:spasm@ietf.org>
List-Subscribe: <mailto:spasm-join@ietf.org>
List-Unsubscribe: <mailto:spasm-leave@ietf.org>

Thanks to Dan for pointing at that mailing list thread. 

Here’s what Yunlei said on May 12, 2022: 

Finally, we would like to stress again we hold all the patents only for protection against credit (not for economic reasons). We hope the above clarifications could make the situation clearer.

All my best 
Yunlei 

Thanks! 
-- 
V/R, 

Uri 

From: D. J. Bernstein <djb@cr.yp.to>
Date: Friday, January 10, 2025 at 13:51
To: spasm@ietf.org <spasm@ietf.org>
Subject: [EXT] [lamps] Re: WG Last Call for draft-ietf-lamps-kyber-certificates-07 

!-------------------------------------------------------------------|
This Message Is From an External Sender
This message came from outside the Laboratory.
|-------------------------------------------------------------------!

I see two BCP 79 compliance problems in this draft. The same comments
apply to draft-ietf-lamps-cms-kyber-08.


1. As background, there are known patent claims regarding Kyber. NIST
has reportedly signed patent licenses regarding patents US9094189
(Gaborit and Aguilar-Melchor) and US9246675 (Ding). However, another
patent holder wrote in

https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/Fm4cDfsx65s/m/F63mixuWBAAJ <https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/Fm4cDfsx65s/m/F63mixuWBAAJ>

that "Kyber is covered by our patents" including "the two patents
mentioned in the KCL proposal". I've seen no evidence of a royalty-free
license for those patents, such as CN107566121A (which was filed a month
before the publication of "NewHope without reconciliation", Kyber's
direct predecessor).

Even for the GAM and Ding patents, the complete signed licenses don't
appear to be available to the public. The posting

https://web.archive.org/web/20221130033932/https://csrc.nist.gov/csrc/media/Projects/post-quantum-cryptography/documents/selected-algos-2022/nist-pqc-license-summary-and-excerpts.pdf <https://web.archive.org/web/20221130033932/https:/csrc.nist.gov/csrc/media/Projects/post-quantum-cryptography/documents/selected-algos-2022/nist-pqc-license-summary-and-excerpts.pdf>

says that it contains "relevant language (with modifications for
readability)" from the licenses; this provides no guarantees of
completeness and accuracy.

Furthermore, what has been posted (see previous link) appears to
indicate that the US9246675 license excludes "any modification,
extension, or derivation of the parameters of the PQC ALGORITHM".


2. BCP 79 says the following: "An IETF consensus has developed that no
mandatory-to-implement security technology can be specified in an IETF
specification unless it has no known IPR claims against it or a
royalty-free license is available to implementers of the specification."

One can't implement draft-ietf-lamps-kyber-certificates-07 without
implementing Kyber. The Zhao claim that "Kyber is covered by our
patents" is a known IPR claim regarding Kyber. Consequently, before
becoming an IETF RFC, the draft should be modified to allow alternatives
to Kyber.

The only other approach would be for the draft to invoke the exception
procedure from BCP 79: "It is possible to specify such a technology in
violation of this principle if there is a very good reason to do so and
if that reason is documented and agreed to through IETF consensus." I
haven't seen IETF-wide notification of a proposal to violate this BCP 79
principle, and I'm also not aware of a good reason to do so, let alone a
"very good reason". There are patent claims regarding Kyber, so any IETF
specification using Kyber should also include alternatives.


3. BCP 79 also says the following: "The IETF must have change control
over the technology described in any Standards Track IETF Documents in
order to fix problems that may be discovered or to produce other
derivative works."

BCP 79 goes on to say that it isn't prohibiting proprietary cryptography
but requires negotiations with the patent holders to ensure change
control:

In some cases, the developer of patented or otherwise controlled
technology may decide to hand over to the IETF the right to evolve
the technology (a.k.a., "change control"). The implementation of an
agreement between the IETF and the developer of the technology can be
complex. (See [RFC1790] and [RFC2339] for examples.)

Note that there is no inherent prohibition against a Standards Track
IETF Document making a normative reference to proprietary technology.
For example, a number of IETF standards support proprietary
cryptographic transforms.

The change-control rule per se has no exceptions. In the absence of
change control, a draft cannot go on the standards track.

Even if we assume that

https://web.archive.org/web/20221130033932/https://csrc.nist.gov/csrc/media/Projects/post-quantum-cryptography/documents/selected-algos-2022/nist-pqc-license-summary-and-excerpts.pdf <https://web.archive.org/web/20221130033932/https:/csrc.nist.gov/csrc/media/Projects/post-quantum-cryptography/documents/selected-algos-2022/nist-pqc-license-summary-and-excerpts.pdf>

accurately reflects the actual signed licenses, it doesn't assign Kyber
change control from the US9246675 patent holder to IETF. Modifications
to produce derivative works, for example to fix problems that may be
discovered, wouldn't be allowed. The patent holder would be free to
charge IETF arbitrary amounts to allow such modifications. This is the
type of trap that the change-control requirement is designed to avoid.


---D. J. Bernstein

_______________________________________________
Spasm mailing list -- spasm@ietf.org
To unsubscribe send an email to spasm-leave@ietf.org

v2.40.4 | Report a Bug | By Email | System Status