Re: [lamps] LAMPS Re-charter
Jonathan Hammell <jfhamme.cccs@gmail.com> Fri, 26 March 2021 20:51 UTC
Return-Path: <jfhamme.cccs@gmail.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A0783A0EAE for <spasm@ietfa.amsl.com>; Fri, 26 Mar 2021 13:51:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TPCtC9Q5ahyi for <spasm@ietfa.amsl.com>; Fri, 26 Mar 2021 13:51:37 -0700 (PDT)
Received: from mail-oi1-x230.google.com (mail-oi1-x230.google.com [IPv6:2607:f8b0:4864:20::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5693A3A0E79 for <spasm@ietf.org>; Fri, 26 Mar 2021 13:51:37 -0700 (PDT)
Received: by mail-oi1-x230.google.com with SMTP id c16so6988689oib.3 for <spasm@ietf.org>; Fri, 26 Mar 2021 13:51:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=YzUFCB6Vt1WXWkx4qZKR2E9JTo/cDmyoCPjnuw3Tf3I=; b=aGazW/hAyUJGPAzP8oBH6m0PnH/3ZX2eL8xbTCBvOh6fVU1q/Nf6NV7orS5P08z69/ /6q04WVolS/+INJMr10zBxsB2AKP5P8RW+9xmos5jexsYxxkTFN+H84wAj0VcHDP9iTj 6liShu8jQZoYVixZ2MfI0KiU4Rh2tlCWPX/eTgsg9Gzw8NBhojdEmH2qCQMfROHUMl8w 5Urfyn9vC9Khj5c+S4N73RM8u1DLsV2pHN2LJzmoBAPFQxh/svbhHSnp7OeZrApfx/XJ D3Z/HzKTd0YCWSUDlpyswCx0ncL9nZs8Fwy6fuEIb1JMJkrk3+aOz51a2wBUmTRD3RHa pqeQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=YzUFCB6Vt1WXWkx4qZKR2E9JTo/cDmyoCPjnuw3Tf3I=; b=WLQsRi9kgrq51NlTkYYlDiUmvhTW9iJi3LPEpfzJkYYQKGEOPZqPZnnGy4KP70tEck MQrChMVHY+EjNR856hAjK6rLM+exJboX6OYqX4oqcFr9CKnkQ7v4PLulpSTRA0+mKrNd 01xDKGNkUzWuXtoL6VSkW01WVol+8qqlXddBhgOIpR1mKDYRD2eoP26z4JWcAAs+Yz7a 9RGqlrVs6VOa6SNlS/GVEP9/rXzeNtjkELwXeCywq2jH5dNJDWfQfPl+jR+EAhtlcbKn GfSgdN+xlw38LQSxKDObnOCPQ/D3eFm2BsJRIGgKzuhkMDFKpPjlsI+G78kESKPw8HtG 8O4w==
X-Gm-Message-State: AOAM530FC0KmETCAVXbGY7cjPFHAZ6cig47dIrjmtqNMcu7SRRHyAPjK KIFPJYtjRlcvBZwZNEHFtcL+egUFXxzTvqvUZKuIFweQGkY=
X-Google-Smtp-Source: ABdhPJz4/AZPmvQeQeyjNdn+1W7MHVUTDdIdxqdfb6J/yqAhFEBphM1Kr/1sXs0MKHuc2ka9PjmKtZeRScZAvYZbLkc=
X-Received: by 2002:aca:cf44:: with SMTP id f65mr2807336oig.13.1616791895847; Fri, 26 Mar 2021 13:51:35 -0700 (PDT)
MIME-Version: 1.0
References: <5A22DF7B-BCA5-42F6-BB95-D4F70FDB1996@vigilsec.com> <951CAF0F-7461-4057-B95E-D1F6CAE61D02@vigilsec.com> <4c18a9982cc94df2952d7b2cbae89d99@cert.org> <7B82765F-9C7A-4C4D-B115-A2835B44E6D6@vigilsec.com> <b3fdb1ac051b4ae0ad748782daebead2@cert.org> <ACE141CD-B0B7-45D3-B54F-BE25275A0D25@vigilsec.com> <CALhKWgjB_RVGaQriPbero6eWTdaD4JaVqmHLjHHsqsjrBHUrFA@mail.gmail.com> <EF24C291-BE2D-40A6-8916-84F62DA78559@vigilsec.com>
In-Reply-To: <EF24C291-BE2D-40A6-8916-84F62DA78559@vigilsec.com>
From: Jonathan Hammell <jfhamme.cccs@gmail.com>
Date: Fri, 26 Mar 2021 16:51:19 -0400
Message-ID: <CALhKWgj3bYCoY5HHOdJz2=TOniWXucLCBVSJSDUJL7Gc8wKbmg@mail.gmail.com>
To: Russ Housley <housley@vigilsec.com>
Cc: LAMPS <spasm@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a0b70b05be76b2bf"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/Bra7cciM_3Vuxwj4XYM-q52AyYc>
Subject: Re: [lamps] LAMPS Re-charter
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Mar 2021 20:51:49 -0000
Thanks Russ. Yes, that is more clear for me. I agree with this updated charter text. Jonathan On Fri., Mar. 26, 2021, 10:00 a.m. Russ Housley, <housley@vigilsec.com> wrote: > Jonathan, we could say "enrollment and operational practices" for greater > clarity. > > Russ > > > On Mar 26, 2021, at 9:44 AM, Jonathan Hammell <jfhamme.cccs@gmail.com> > wrote: > > > > I'm in favour of LAMPS working on the PQC items described in 5.*. > > > > Will the changes to PKIX certificates to support hybrid key > > establishment (5.b.i) and dual signatures (5.b.ii) also require > > modifications to CMP or CMC/EST to support requesting such > > certificates from CAs? The text in 5.b.i and 5.b.ii includes that > > LAMPS will specify "operational practices" to support hybrid/dual. Is > > that text intended to cover those aspects? > > > > Jonathan > > > > On Wed, Mar 17, 2021 at 6:26 PM Russ Housley <housley@vigilsec.com> > wrote: > >> > >> After listening to the LAMPS re-charter comments, I think this captures > a way forward. The PQC milestones do not have a "send to the IESG" part. > The idea is that we would add those when NIST winners get announced. > >> > >> Thoughts? > >> > >> Russ > >> > >> = = = = = = = = = > >> > >> The PKIX and S/MIME Working Groups have been closed for some time. Some > >> updates have been proposed to the X.509 certificate documents produced > >> by the PKIX Working Group and the electronic mail security documents > >> produced by the S/MIME Working Group. > >> > >> The LAMPS (Limited Additional Mechanisms for PKIX and SMIME) Working > >> Group is chartered to make updates where there is a known constituency > >> interested in real deployment and there is at least one sufficiently > >> well specified approach to the update so that the working group can > >> sensibly evaluate whether to adopt a proposal. > >> > >> The LAMPS WG is now tackling these topics: > >> > >> 1. Specify the use of short-lived X.509 certificates for which no > >> revocation information is made available by the Certification Authority. > >> Short-lived certificates have a lifespan that is shorter than the time > >> needed to detect, report, and distribute revocation information. As a > >> result, revoking short-lived certificates is unnecessary and pointless. > >> > >> 2. Update the specification for the cryptographic protection of email > >> headers -- both for signatures and encryption -- to improve the > >> implementation situation with respect to privacy, security, usability > >> and interoperability in cryptographically-protected electronic mail. > >> Most current implementations of cryptographically-protected electronic > >> mail protect only the body of the message, which leaves significant > >> room for attacks against otherwise-protected messages. > >> > >> 3. The Certificate Management Protocol (CMP) is specified in RFC 4210, > >> and it offers a vast range of certificate management options. CMP is > >> currently being used in many different industrial environments, but it > >> needs to be tailored to the specific needs of such machine-to-machine > >> scenarios and communication among PKI management entities. The LAMPS > >> WG will develop a "lightweight" profile of CMP to more efficiently > >> support of these environments and better facilitate interoperable > >> implementation, while preserving cryptographic algorithm agility. In > >> addition, necessary updates and clarifications to CMP will be > >> specified in a separate document. This work will be coordinated with > >> the LWIG WG. > >> > >> 4. Provide concrete guidance for implementers of email user agents > >> to promote interoperability of end-to-end cryptographic protection > >> of email messages. This may include guidance about the generation, > >> interpretation, and handling of protected messages; management of the > >> relevant certificates; documentation of how to avoid common failure > >> modes; strategies for deployment in a mixed environment; as well as > >> test vectors and examples that can be used by implementers and > >> interoperability testing. The resulting robust consensus among email > >> user agent implementers is expected to provide more usable and useful > >> cryptographic security for email users. > >> > >> 5. Recent progress in the development of quantum computers pose a threat > >> to widely deployed public key algorithms. As a result, there is a need > >> to prepare for a day when cryptosystems such as RSA, Diffie-Hellman, > >> ECDSA, ECDH, and EdDSA cannot be depended upon in the PKIX and S/MIME > >> protocols. > >> > >> 5.a. NIST has a Post-Quantum Cryptography (PQC) effort to produce one > >> or more quantum-resistant public-key cryptographic algorithm standards. > >> The LAMPS WG will specify the use of these new PQC public key algorithms > >> with the PKIX certificates and the Cryptographic Message Syntax (CMS). > >> These specifications will use object identifiers for the new algorithms > >> that are assigned by NIST. > >> > >> 5.b. NIST and other organizations are developing standards for > >> post-quantum cryptographic (PQC) algorithms that that will be secure > >> even if large-scale quantum computers are ever developed. However, a > >> lengthy transition from today's public key algorithms to PQC public key > >> algorithms is expected; time will be needed to gain full confidence in > >> the new PQC public key algorithms. > >> > >> 5.b.i. The LAMPS WG will specify formats, identifiers, and operational > >> practices for "hybrid key establishment" that combines the shared > >> secret values one or more traditional key-establishment algorithm and > >> one or more NIST PQC key-establishment algorithm or a PQC > >> key-establishment algorithm vetted by the CFRG. The shared secret > >> values will be combined using HKDF (see RFC 5869) or a key derivation > >> function vetted by the CFRG. > >> > >> 5.b.ii. The LAMPS WG will specify formats, identifiers, and operational > >> practices for "dual signature" that combine one or more traditional > >> signature algorithm with one or more NIST PQC signature algorithm or > >> a PQC algorithm vetted by the CFRG. > >> > >> In addition, the LAMPS WG may investigate other updates to documents > >> produced by the PKIX and S/MIME WG. The LAMPS WG may produce > >> clarifications where needed, but the LAMPS WG shall not adopt > >> anything beyond clarifications without rechartering. > >> > >> MILESTONES > >> > >> Task 1: > >> Jul 2021 Adopt a draft for short-lived certificate conventions > >> Mar 2022 Short-lived certificate conventions sent to IESG for BCP > publication > >> > >> Task 2: > >> DONE Adopt a draft for header protection conventions > >> Nov 2021 Header protection conventions sent to IESG for standards track > publication > >> > >> Task 3: > >> DONE Adopt a draft for CMP updates > >> DONE Adopt a draft for CMP algorithm > >> DONE Adopt a draft for Lightweight CMP profile > >> Dec 2021 CMP updates sent to IESG for standards track publication > >> Dec 2021 CMP algorithms sent to IESG for standards track publication > >> Dec 2021 Lightweight CMP profile sent to IESG for informational > publication > >> > >> Task 4: > >> May 2021 Adopt a draft for end-to-end email user agent guidance > >> Jul 2022 End-to-end email user agent guidance sent to IESG for > informational publication > >> > >> Task 5.a: > >> Aug 2021 Adopt draft for PQC KEM public keys in PKIX certificates > >> Aug 2021 Adopt draft for PQC KEM algorithms in CMS > >> Sep 2021 Adopt draft for PQC signatures in PKIX certificates > >> Sep 2021 Adopt draft for PQC signatures in CMS > >> > >> Task 5.b.i: > >> Sep 2021 Adopt draft for public keys for hybrid key establishment in > PKIX certificates > >> Sep 2021 Adopt draft for hybrid key establishment in CMS > >> > >> Task 5.b.ii: > >> Sep 2021 Adopt draft for dual signatures in PKIX certificates > >> Sep 2021 Adopt draft for dual signature in CMS > >> > >> _______________________________________________ > >> Spasm mailing list > >> Spasm@ietf.org > >> https://www.ietf.org/mailman/listinfo/spasm > >
- Re: [lamps] LAMPS Re-charter Russ Housley
- Re: [lamps] LAMPS Re-charter Salz, Rich
- Re: [lamps] LAMPS Re-charter Mike Ounsworth
- Re: [lamps] LAMPS Re-charter Russ Housley
- Re: [lamps] LAMPS Re-charter Russ Housley
- Re: [lamps] LAMPS Re-charter Rene Struik
- Re: [lamps] LAMPS Re-charter Russ Housley
- Re: [lamps] LAMPS Re-charter Rene Struik
- Re: [lamps] LAMPS Re-charter Russ Housley
- Re: [lamps] [EXTERNAL] Re: LAMPS Re-charter Mike Ounsworth
- Re: [lamps] [EXTERNAL] Re: LAMPS Re-charter Daniel Kahn Gillmor
- Re: [lamps] [EXTERNAL] Re: LAMPS Re-charter Michael Richardson
- Re: [lamps] [EXTERNAL] Re: LAMPS Re-charter Daniel Kahn Gillmor
- Re: [lamps] [EXTERNAL] Re: LAMPS Re-charter Michael Richardson
- Re: [lamps] [EXTERNAL] Re: LAMPS Re-charter Mike Ounsworth
- Re: [lamps] [EXTERNAL] Re: LAMPS Re-charter Carl Wallace
- Re: [lamps] LAMPS Re-charter Jonathan Hammell
- Re: [lamps] LAMPS Re-charter Russ Housley
- Re: [lamps] LAMPS Re-charter Russ Housley
- Re: [lamps] LAMPS Re-charter Jonathan Hammell
- Re: [lamps] LAMPS Re-charter Russ Housley
- Re: [lamps] LAMPS Re-charter Roman Danyliw