Re: [lamps] Hybrid pkix isn't needed

Ilari Liusvaara <ilariliusvaara@welho.com> Mon, 30 January 2023 10:02 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3265AC151711 for <spasm@ietfa.amsl.com>; Mon, 30 Jan 2023 02:02:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7c-_F5bl6H4d for <spasm@ietfa.amsl.com>; Mon, 30 Jan 2023 02:02:36 -0800 (PST)
Received: from welho-filter3.welho.com (welho-filter3b.welho.com [83.102.41.29]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2F2A4C14F72F for <spasm@ietf.org>; Mon, 30 Jan 2023 02:02:35 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by welho-filter3.welho.com (Postfix) with ESMTP id D324A13A36 for <spasm@ietf.org>; Mon, 30 Jan 2023 12:02:32 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp3.welho.com ([IPv6:::ffff:83.102.41.86]) by localhost (welho-filter3.welho.com [::ffff:83.102.41.25]) (amavisd-new, port 10024) with ESMTP id xokOfconwGvU for <spasm@ietf.org>; Mon, 30 Jan 2023 12:02:32 +0200 (EET)
Received: from LK-Perkele-VII2 (87-92-216-160.rev.dnainternet.fi [87.92.216.160]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp3.welho.com (Postfix) with ESMTPSA id A9C862316 for <spasm@ietf.org>; Mon, 30 Jan 2023 12:02:31 +0200 (EET)
Date: Mon, 30 Jan 2023 12:02:31 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: spasm@ietf.org
Message-ID: <Y9eVt/hf8vlUPpkB@LK-Perkele-VII2.locald>
References: <CACsn0c=uPvp_hmakpfPff8WkYh1q9NhjfTJYs7iFu_czL2yAyA@mail.gmail.com> <CAFTXyYBCZRgBpJ_j1AQSek7Dm7tjW3hAg8h06+hL4iXZ8iDbog@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAFTXyYBCZRgBpJ_j1AQSek7Dm7tjW3hAg8h06+hL4iXZ8iDbog@mail.gmail.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/C6ZD6WTgQXfsJTa46ruLGUvEdQc>
Subject: Re: [lamps] Hybrid pkix isn't needed
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Jan 2023 10:02:38 -0000

On Mon, Jan 30, 2023 at 02:46:50PM +0900, Tadahiko Ito wrote:
> 2023年1月30日(月) 8:43 Watson Ladd <watsonbladd@gmail.com>:
> 
> >
> > I don't think linking certs or special provisions for hybrid
> > encryption or authentication are a good idea.  A hybrid encryption
> > scheme should be an encryption scheme with a public and private key,
> > just like any other key you can put in the PKIX.
> >
> > Authentication breaks are not retroactive:
> Could you clarify if signing purposes ( code-signing, and OCSP signing,
> time-stamping, etc.) is outside the scope of your comment or not.

Well, the comment said "encryption or authentication" (and also talked
about "ECDSA"), so presumably "authentication" mainly refers to signing.

And OCSP signing is very different from code-signing or time-stamping.


> I am not sure if we need bonded certs or hybrid cert for those use-cases,
> but it might be better to have some mechanisms for those use-cases.

Well, for code-signing or time-stamping, I don't think either of those
works very well:

- Bonded certs are extremely complicated.
- Hybrid certs need to be backward-compatible for depoloyment reasons,
  which requires very nasty hacks.

The simplest is probably multiple independent signatures, assuming
whatever system actually supports that.



-Ilari