IETF Logo Mail Archive

Re: [lamps] LAMPS Re-charter

Russ Housley <housley@vigilsec.com> Mon, 22 March 2021 16:17 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 11F1F3A0BED for <spasm@ietfa.amsl.com>; Mon, 22 Mar 2021 09:17:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.004
X-Spam-Level:
X-Spam-Status: No, score=0.004 tagged_above=-999 required=5 tests=[HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fIa9r4z3c89l for <spasm@ietfa.amsl.com>; Mon, 22 Mar 2021 09:17:40 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 657473A0BEC for <spasm@ietf.org>; Mon, 22 Mar 2021 09:17:40 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id A3EF4300B5A for <spasm@ietf.org>; Mon, 22 Mar 2021 12:17:37 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id SOiaX7ZdxK2Z for <spasm@ietf.org>; Mon, 22 Mar 2021 12:17:33 -0400 (EDT)
Received: from [192.168.1.161] (pool-141-156-161-153.washdc.fios.verizon.net [141.156.161.153]) by mail.smeinc.net (Postfix) with ESMTPSA id 8DE23300261; Mon, 22 Mar 2021 12:17:33 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <EC04667D-6426-4942-81E8-D0EEDCBFA359@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_728309E8-8E3A-4FC5-ADF3-D0622BDB8253"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.17\))
Date: Mon, 22 Mar 2021 12:17:33 -0400
In-Reply-To: <29f2b6c9-d7fe-0aa5-4509-d10279a2d902@gmail.com>
Cc: LAMPS <spasm@ietf.org>
To: Rene Struik <rstruik.ext@gmail.com>
References: <5A22DF7B-BCA5-42F6-BB95-D4F70FDB1996@vigilsec.com> <951CAF0F-7461-4057-B95E-D1F6CAE61D02@vigilsec.com> <4c18a9982cc94df2952d7b2cbae89d99@cert.org> <7B82765F-9C7A-4C4D-B115-A2835B44E6D6@vigilsec.com> <b3fdb1ac051b4ae0ad748782daebead2@cert.org> <ACE141CD-B0B7-45D3-B54F-BE25275A0D25@vigilsec.com> <29f2b6c9-d7fe-0aa5-4509-d10279a2d902@gmail.com>
X-Mailer: Apple Mail (2.3445.104.17)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/BbpSBLPA8Ew97Z1a6C4xg6-xWaQ>
Subject: Re: [lamps] LAMPS Re-charter
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Mar 2021 16:17:45 -0000

Rene:

Comments below.  I dropped the milestone proposals since you did not comment on them.

> On 2021-03-17 6:26 p.m., Russ Housley wrote:
>> After listening to the LAMPS re-charter comments, I think this captures a way forward.  The PQC milestones do not have a "send to the IESG" part.  The idea is that we would add those when NIST winners get announced.
>> 
>> Thoughts?
>> 
>> Russ
>> 
>> = = = = = = = = =
>> 
>> The PKIX and S/MIME Working Groups have been closed for some time. Some
>> updates have been proposed to the X.509 certificate documents produced 
>> by the PKIX Working Group and the electronic mail security documents 
>> produced by the S/MIME Working Group.
>> 
>> The LAMPS (Limited Additional Mechanisms for PKIX and SMIME) Working 
>> Group is chartered to make updates where there is a known constituency 
>> interested in real deployment and there is at least one sufficiently 
>> well specified approach to the update so that the working group can 
>> sensibly evaluate whether to adopt a proposal.
>> 
>> The LAMPS WG is now tackling these topics:
>> 
>> 1. Specify the use of short-lived X.509 certificates for which no
>> revocation information is made available by the Certification Authority.
>> Short-lived certificates have a lifespan that is shorter than the time
>> needed to detect, report, and distribute revocation information.  As a
>> result, revoking short-lived certificates is unnecessary and pointless.
>> 
>> 2. Update the specification for the cryptographic protection of email
>> headers -- both for signatures and encryption -- to improve the
>> implementation situation with respect to privacy, security, usability
>> and interoperability in cryptographically-protected electronic mail.
>> Most current implementations of cryptographically-protected electronic
>> mail protect only the body of the message, which leaves significant 
>> room for attacks against otherwise-protected messages.
>> 
>> 3. The Certificate Management Protocol (CMP) is specified in RFC 4210, 
>> and it offers a vast range of certificate management options.  CMP is 
>> currently being used in many different industrial environments, but it 
>> needs to be tailored to the specific needs of such machine-to-machine 
>> scenarios and communication among PKI management entities.  The LAMPS 
>> WG will develop a "lightweight" profile of CMP to more efficiently 
>> support of these environments and better facilitate interoperable 
>> implementation, while preserving cryptographic algorithm agility.  In 
>> addition, necessary updates and clarifications to CMP will be 
>> specified in a separate document.  This work will be coordinated with 
>> the LWIG WG.
>> 
>> 4. Provide concrete guidance for implementers of email user agents
>> to promote interoperability of end-to-end cryptographic protection
>> of email messages.  This may include guidance about the generation,
>> interpretation, and handling of protected messages; management of the
>> relevant certificates; documentation of how to avoid common failure
>> modes; strategies for deployment in a mixed environment; as well as
>> test vectors and examples that can be used by implementers and
>> interoperability testing.  The resulting robust consensus among email
>> user agent implementers is expected to provide more usable and useful
>> cryptographic security for email users.
>> 
>> 5. Recent progress in the development of quantum computers pose a threat
>> to widely deployed public key algorithms.  As a result, there is a need
>> to prepare for a day when cryptosystems such as RSA, Diffie-Hellman,
>> ECDSA, ECDH, and EdDSA cannot be depended upon in the PKIX and S/MIME
>> protocols.
> RS>> (E) In the first sentence, I suggest to change the wording "pose" to "may pose" to better reflect the current state (this does not change the intent of this work item otherwise). In the second sentence, I suggest to change "cryptosystems" to "public key algorithms", so as to align with verbiage in 5b below. <<RS

These make sense to me.  Symmetric ciphers and hash functions are not concerns here.

>> 
>> 5.a. NIST has a Post-Quantum Cryptography (PQC) effort to produce one
>> or more quantum-resistant public-key cryptographic algorithm standards.
>> The LAMPS WG will specify the use of these new PQC public key algorithms
>> with the PKIX certificates and the Cryptographic Message Syntax (CMS).
>> These specifications will use object identifiers for the new algorithms
>> that are assigned by NIST.
>> 
>> 5.b. NIST and other organizations are developing standards for
>> post-quantum cryptographic (PQC) algorithms that that will be secure
>> even if large-scale quantum computers are ever developed.  However, a
>> lengthy transition from today's public key algorithms to PQC public key
>> algorithms is expected; time will be needed to gain full confidence in
>> the new PQC public key algorithms.
>> 
>> 5.b.i. The LAMPS WG will specify formats, identifiers, and operational
>> practices for "hybrid key establishment" that combines the shared
>> secret values one or more traditional key-establishment algorithm and
>> one or more NIST PQC key-establishment algorithm or a PQC
>> key-establishment algorithm vetted by the CFRG.  The shared secret
>> values will be combined using HKDF (see RFC 5869) or a key derivation
>> function vetted by the CFRG.
> RS>> (discussion) In hybrid key establishment scenarios, it is quite likely that for a long time one of the parties may be able to compute only one of the shared keys used as input to the key derivation function, (e.g., k:=kdf(K1, K2), where K1 is ECDH that both devices implemen and where K2 is another algorithm [PQC or not]). In this case, one should define default drop-in values for K2, so that authenticated key agreement does not fail automatically. I am not sure how to exactly word this in charter text, but think this is not just an operational practice (since changes calculation of values involved in the hybrid scheme). While the primary focus should be on PQC, essentially this is about crypto agility (PQC or not), where one wants to have the cryptographic assurances a nonempty set of algorithms can provide. <<RS 
> 
I do not agree with this characterization.  If one of the parties cannot use the PQC key-establishment algorithm, then they are not using a hybrid.  In this case, the party that is capable of using the PQC key-establishment algorithm will have to settle for a traditional only mechanism, or refuse the connection.

During the LAMPS WG interim session, Max Pala talked about the possibility of certificates that contained public keys for traditional and PQC algorithms.  Since that session, draft-ounsworth-pq-composite-sigs has been revised to capture some suggestions for signature algorithms.  Something like this will be needed for key-establishment algorithms as well.

> RS>> (discussion) The current text seems to rule out use of, e.g., KMAC. Shouldn't one be somewhat more flexible with where one draws kdfs from (and doesn't one expect too much of cfrg)? <<RS
> 
The LAMPS WG does not have many cryptographers in the group.  We do have a few, but not as many as CFRG, so we need to depend on the CFRG to get as many cryptographers involved as possible.

>> 
>> 5.b.ii. The LAMPS WG will specify formats, identifiers, and operational
>> practices for "dual signature" that combine one or more traditional
>> signature algorithm with one or more NIST PQC signature algorithm or
>> a PQC algorithm vetted by the CFRG.
>>  
>> In addition, the LAMPS WG may investigate other updates to documents
>> produced by the PKIX and S/MIME WG. The LAMPS WG may produce
>> clarifications where needed, but the LAMPS WG shall not adopt
>> anything beyond clarifications without rechartering.
> RS>> During IETF-110, it was suggested to issue a potential call for adoption for various drafts, where, e.g., https://datatracker.ietf.org/doc/draft-struik-lamps-verification-friendly-ecdsa/ <https://datatracker.ietf.org/doc/draft-struik-lamps-verification-friendly-ecdsa/> is hard to categorize as a clarification. Shouldn't we add another work item, so as to make sure this can be tackled? Or, should we simply scrap all but the first sentence of this paragraph (where the preamble of the recharter text already suggests a sufficiently high bar for taking this on, since it states "where there is a known constituency interested in real deployment and there is at least one sufficiently well specified approach to the update so that the working group can sensibly evaluate whether to adopt a proposal". <<RS
> 
Three options for a way forward were suggested.  I think the discussion of the options needs to continue.  Once a way forward is agreed, then we can recharter again if needed.

This part is unchanged from the current charter, and there was a fair amount of discussion about it previously.  I'd reather not reopen that discussion.

Russ

v2.23.0 | Report a Bug | By Email