IETF Logo Mail Archive

Re: [lamps] PQ-composite OR or K-of-N logic

"Klaußner, Jan" <Jan.Klaussner@d-trust.net> Wed, 04 May 2022 11:18 UTC

Return-Path: <prvs=116eedc39=Jan.Klaussner@d-trust.net>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB760C159483 for <spasm@ietfa.amsl.com>; Wed, 4 May 2022 04:18:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oYebWc5mW1d5 for <spasm@ietfa.amsl.com>; Wed, 4 May 2022 04:18:21 -0700 (PDT)
Received: from mail-out.d-trust.net (mail-out.d-trust.net [213.61.227.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 02672C157B5A for <spasm@ietf.org>; Wed, 4 May 2022 04:18:20 -0700 (PDT)
Received: from progov-n2.bln.d-trust.de (localhost [127.0.0.1]) by progov-n2.bln.d-trust.de (Postfix) with ESMTPS id D91F420F51C for <spasm@ietf.org>; Wed, 4 May 2022 13:18:17 +0200 (CEST)
Received: from dtr-xc-bp02.d-trust.de (lb-107.bln.d-trust.de [192.168.107.250]) by progov-n2.bln.d-trust.de (Postfix) with ESMTPS id D0AFE20F51B for <spasm@ietf.org>; Wed, 4 May 2022 13:18:17 +0200 (CEST)
From: "Klaußner, Jan" <Jan.Klaussner@d-trust.net>
To: LAMPS <spasm@ietf.org>
Thread-Topic: [lamps] PQ-composite OR or K-of-N logic
Thread-Index: AdhV9Rf0dKtEp6K7TUGSt7lMX+2VvwBLfdcAAJLl7gAAL1mhAAFdw25g
Date: Wed, 04 May 2022 11:18:17 +0000
Message-ID: <1f7f7bfdacbc4185a30a9232851a954c@d-trust.net>
References: <f2fb2b2459fe42818348838eb14cc2ac@EX13D01ANC003.ant.amazon.com> <1312273.1650733310@dooku> <ca18a6bf6cb74756ac942fb514c82d78@d-trust.net> <F24836DA-1304-4379-B91D-BBB4F012A888@vigilsec.com>
In-Reply-To: <F24836DA-1304-4379-B91D-BBB4F012A888@vigilsec.com>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.16.171.199]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/BzLO0h7V8y2Ll897_hCjKIkedMc>
Subject: Re: [lamps] PQ-composite OR or K-of-N logic
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 May 2022 11:18:25 -0000

Russ: 

Yes, a notary can be used. In reality that's mostly the case when something is very valuable or important so you want an additional neutral witness and safe repository. But as it comes not for free, I do not see how this could help for e.g. signatures you give in your normal life, e.g. to sign contracts, tax declaration etc. They also are legally valid for lifetime, so I think we need to have other mechanism to solve algorithm obsolescence.

> -----Ursprüngliche Nachricht-----
> Von: Russ Housley <housley@vigilsec.com>
> Gesendet: Mittwoch, 27. April 2022 15:44
> An: Klaußner, Jan <Jan.Klaussner@d-trust.net>
> Cc: LAMPS <spasm@ietf.org>
> Betreff: Re: [lamps] PQ-composite OR or K-of-N logic
> 
> Jan:
> 
> A notary is often used when a signature needs to be verifiable for many
> decades. RFC 4998 specifies the Evidence Record Syntax (ERS), which can be
> used to apply additional signatures by a notary.
> 
> Russ
> 
> > On Apr 27, 2022, at 4:36 AM, Klaußner, Jan <Jan.Klaussner@d-trust.net>
> wrote:
> >
> > Hi all,
> >
> > First I completely agree with Michaels view on verification policies.
> > Especially in open PKIs that are not under control of one company
> > there is a need to signal how verification should be done.
> >
> > On the question about use cases beside the PQ transition: We believe
> > there is a high probability that new algorithms are successfully
> > attacked during the next decades.
> >
> > Therefore we want establish some agility in an PKI to more easily
> > switch algorithms without an immediate PKI rollover. In our case we
> > are also talking about use cases for document signing or long term
> > encryption, where digital signatures need to be valid for longer
> > periods, sometimes up to 50 years.
> >
> > So in case one algorithm is broken, the documents still remain secure/valid.
> > There would be an immediate need to reconfigure or update
> > verifier/signing software not to use this algorithm anymore, but there
> > is some more time to replace the algorithm in the PKI.
> > Once again, this is even more important in an open PKI.
> >
> > The k-of-n mode here is providing this agility and also the increased
> > security of the AND mode, simply put.
> >
> > I hope our point is now more clear to the group
> >
> > Br
> > Jan
> >> -----Ursprüngliche Nachricht-----
> >> Von: Spasm <spasm-bounces@ietf.org> Im Auftrag von Michael
> Richardson
> >> Gesendet: Samstag, 23. April 2022 19:02
> >> An: LAMPS <spasm@ietf.org>
> >> Betreff: Re: [lamps] PQ-composite OR or K-of-N logic
> >>
> >>
> >> I read through the list and the slides.  I couldn't be at the meeting
> >> on Wednesday as I was travelling.
> >>
> >> The document starts off with:
> >> "Even after the migration period, it may be advantageous for an
> >> entity's  cryptographic identity to be composed of multiple
> >> public-key
> > algorithms."
> >>
> >> Panos and a few others have complained that the document attempts to
> >> have signers tell verifiers what to do, and this should really a
> >> verifier
> > policy.
> >> Well, that would make a lot of sense for a CMS signature on your
> >> Mortgage, or your MUA verifying my email.
> >>
> >> But, signers REGULARLY tell verifiers what they've done and how to
> >> verify things, and that's in the context of Certificates.  We have
> >> all these
> > policy
> >> OIDs, and CSPs, and Path Constraints, and ...  These are all signals
> >> from
> > the
> >> signer to the verifier.  The verifier can, of course, have a policy
> >> that
> > says that
> >> they ignore CSPs or Path Constraints, or...
> >>
> >> I guess that the k-of-n part was in the slides only, as it's not in
> >> the
> > document
> >> that I could see.
> >>
> >> I go back to the text I quoted above, and thinking about k-of-n.
> >> I'm thinking that if there are more uses for the Composite-Or and
> >> Composite-AND structures than *just* PQ transition, that the ROI on
> >> implementing them may be much higher.  And thus the likelyhood that
> >> we'll discovery and fix bugs relating to the new constructs is much higher.
> >>
> >> I think that we can agree that the last thing we want is a widespread
> >> bug
> > in
> >> validation, at the point where we find it critical to transition.
> >>
> >> ps: I giggled when I read ~~~ BEGIN EDNOTE 10~~~
> >>
> >>
> >>
> >>
> >>
> >> --
> >> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software
> Works
> >> -= IPv6 IoT consulting =-
> >>
> >>
> >
> > _______________________________________________
> > Spasm mailing list
> > Spasm@ietf.org
> > https://www.ietf.org/mailman/listinfo/spasm

v2.23.0 | Report a Bug | By Email