IETF Logo Mail Archive

Re: [lamps] PQ-composite OR or K-of-N logic

Michael Jenkins <m.jenkins.364706@gmail.com> Wed, 04 May 2022 11:12 UTC

Return-Path: <m.jenkins.364706@gmail.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A119C159491 for <spasm@ietfa.amsl.com>; Wed, 4 May 2022 04:12:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.847
X-Spam-Level:
X-Spam-Status: No, score=-1.847 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id buiOp8WUCxQK for <spasm@ietfa.amsl.com>; Wed, 4 May 2022 04:12:22 -0700 (PDT)
Received: from mail-lj1-x231.google.com (mail-lj1-x231.google.com [IPv6:2a00:1450:4864:20::231]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D54C8C157B55 for <spasm@ietf.org>; Wed, 4 May 2022 04:12:21 -0700 (PDT)
Received: by mail-lj1-x231.google.com with SMTP id s27so1232989ljd.2 for <spasm@ietf.org>; Wed, 04 May 2022 04:12:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=l/vOkzWceonJdnrB29fImxcwFH+CRbAVYJoyu4EryBw=; b=Td/MmPRUb0SeJx7Piz2L59cHxbtlOL6wXt+wvtRHfbi12RMLJR6sPfiyQisj71mUBO LIYGkUY9qdwsb5+t8Cl+uxZqCsGgFBILkCe+ZGBKjBfRddEoTrbL11YoKyWy8ld0iKZY XsyDH0yalsmWZaEE19a3JMWFdXZe4dlFJrtlNY22mmEy3A4dVeLY5x4zq79nRJcpp1vE 1y8JXtYeFxqHMvbt84ejyCjcqhy+xYq8+gQ4BJkpPLJL0YJ02W2JsnRPQsPJ1jik3e6F 1ZgmfL8iwxsvaVF1LU4VqB1Gfd7w6KD8w1VRvUE2kCDLJKEUEKBnRmNsojFnZY/Z4WUu iM2w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=l/vOkzWceonJdnrB29fImxcwFH+CRbAVYJoyu4EryBw=; b=hUhzMKMu8gs9tDCKsjr6ervOwiSh1g6bD16aH5gl3LlJxDc1bFCDshBKW109/xlkdi qZJFtmaCk5FAQ3tazodTDKNhhJGG6WX/zdpGQY38iJTWKxmXKpJwWqFusM3rJ14K/hQ8 zfR6ZYrqhlAwX9HkZSlC8j3stQwA1nItrFAZ+TEygEe+NKyyKq+o1T832M+pRNhYT7mB 9l4ackh5ypbv/MT8zBdXbWdEUk+QfbTaJg2bfnaASav+/IYmPTknCt+JxsKCiGxfQQT9 d4ytm2fHYtGfT3GtWb3eud7WvCSU04V4ObPOqpYKLp4X/b68Ov0wxJxeM5q//oe2mtTt wKTQ==
X-Gm-Message-State: AOAM5330kYn7Ueor+ijt6jMY9YaQoULpEUML/A3B2MpnaxxI9DmsooOO ASFftxLLLJCNLqzQWjfw8hHIddsEhBFgv+Y8cwI=
X-Google-Smtp-Source: ABdhPJwxUekUXeDMeXsNXhDlTpUtI8pEv/jUy0vQIX/8c+IozDBKbJtuVRWvKN/g9qrLPQ2CMdtnJYu/ik0D8lIDpMQ=
X-Received: by 2002:a05:651c:1710:b0:24f:d1a:9281 with SMTP id be16-20020a05651c171000b0024f0d1a9281mr12210683ljb.58.1651662739454; Wed, 04 May 2022 04:12:19 -0700 (PDT)
MIME-Version: 1.0
References: <f2fb2b2459fe42818348838eb14cc2ac@EX13D01ANC003.ant.amazon.com> <1312273.1650733310@dooku> <ca18a6bf6cb74756ac942fb514c82d78@d-trust.net> <F24836DA-1304-4379-B91D-BBB4F012A888@vigilsec.com> <6cff3100963349cb8399bbe853e2186f@EX13D01ANC003.ant.amazon.com> <b955611d3638496f974e3b8c42fc7897@d-trust.net>
In-Reply-To: <b955611d3638496f974e3b8c42fc7897@d-trust.net>
From: Michael Jenkins <m.jenkins.364706@gmail.com>
Date: Wed, 04 May 2022 07:12:09 -0400
Message-ID: <CAC2=hnf1Gu_reW0rvT9K5FTVnNCGCry_GiswLci7O4cvwmjRrg@mail.gmail.com>
To: "Klaußner, Jan" <Jan.Klaussner@d-trust.net>
Cc: LAMPS <spasm@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000dfbed205de2db2fe"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/CZT2TkPkqMPXVi34-vA3G4p_ywU>
Subject: Re: [lamps] PQ-composite OR or K-of-N logic
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 May 2022 11:12:26 -0000

I don't think this is quite correct. Non-repudiation is a legal concept.
Content commitment is for a business purpose, and would also be a legal
concept. The level of confidence required would not be determined by the
signer unilaterally and arbitrarily, but by some community responsible for
determining what suffices for evidence. This might not be one algorithm
combination, it might be one that can be selected from. But in this case,
the indication of how to verify a signature on the object would be carried
with the object, not the key. Each key should carry what mathematical
algorithm it is appropriate for - that's important for security - but the
signing scheme goes with the object signed.

Mike Jenkins
NSA-Center for Cybersecurity Standards

On Wed, May 4, 2022 at 5:37 AM Klaußner, Jan <Jan.Klaussner@d-trust.net>
wrote:

> Hi Panos,
>
> as I stated in another post in this thread, in the non-repudiation or
> content commitment use case the signer must hint how the verification
> should be done in order to be held accountable.
>
> > -----Ursprüngliche Nachricht-----
> > Von: Kampanakis, Panos <kpanos@amazon.com>
> > Gesendet: Mittwoch, 27. April 2022 16:13
> > An: Russ Housley <housley@vigilsec.com>; Klaußner, Jan <Jan.Klaussner@d-
> > trust.net>
> > Cc: LAMPS <spasm@ietf.org>
> > Betreff: RE: [lamps] PQ-composite OR or K-of-N logic
> >
> > +1 to Russ' point about RFC4998.
> >
> > And to reiterate:
> >
> > > There would be an immediate need to reconfigure or update
> > verifier/signing software not to use this algorithm anymore, but there is
> > some more time to replace the algorithm in the PKI.
> > > The k-of-n mode here is providing this agility and also the increased
> > security of the AND mode, simply put.
> >
> > That does not need the signer to define the k-of-n logic. The signer
> will just
> > create n signatures and put them in a composite one. The verifier will
> verify
> > k-of-n and pass verification. No need for upgrades. And no need for the
> > AND, OR, K-OF-N logic to be added in the composite signature or public
> key
> > to complicate things.
> >
> >
> >
> > -----Original Message-----
> > From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
> > Sent: Wednesday, April 27, 2022 9:44 AM
> > To: "Klaußner, Jan" <Jan.Klaussner@d-trust.net>
> > Cc: LAMPS <spasm@ietf.org>
> > Subject: RE: [EXTERNAL][lamps] PQ-composite OR or K-of-N logic
> >
> > CAUTION: This email originated from outside of the organization. Do not
> click
> > links or open attachments unless you can confirm the sender and know the
> > content is safe.
> >
> >
> >
> > Jan:
> >
> > A notary is often used when a signature needs to be verifiable for many
> > decades. RFC 4998 specifies the Evidence Record Syntax (ERS), which can
> be
> > used to apply additional signatures by a notary.
> >
> > Russ
> >
> > > On Apr 27, 2022, at 4:36 AM, Klaußner, Jan <Jan.Klaussner@d-trust.net>
> > wrote:
> > >
> > > Hi all,
> > >
> > > First I completely agree with Michaels view on verification policies.
> > > Especially in open PKIs that are not under control of one company
> > > there is a need to signal how verification should be done.
> > >
> > > On the question about use cases beside the PQ transition: We believe
> > > there is a high probability that new algorithms are successfully
> > > attacked during the next decades.
> > >
> > > Therefore we want establish some agility in an PKI to more easily
> > > switch algorithms without an immediate PKI rollover. In our case we
> > > are also talking about use cases for document signing or long term
> > > encryption, where digital signatures need to be valid for longer
> > > periods, sometimes up to 50 years.
> > >
> > > So in case one algorithm is broken, the documents still remain
> secure/valid.
> > > There would be an immediate need to reconfigure or update
> > > verifier/signing software not to use this algorithm anymore, but there
> > > is some more time to replace the algorithm in the PKI.
> > > Once again, this is even more important in an open PKI.
> > >
> > > The k-of-n mode here is providing this agility and also the increased
> > > security of the AND mode, simply put.
> > >
> > > I hope our point is now more clear to the group
> > >
> > > Br
> > > Jan
> > >> -----Ursprüngliche Nachricht-----
> > >> Von: Spasm <spasm-bounces@ietf.org> Im Auftrag von Michael
> > Richardson
> > >> Gesendet: Samstag, 23. April 2022 19:02
> > >> An: LAMPS <spasm@ietf.org>
> > >> Betreff: Re: [lamps] PQ-composite OR or K-of-N logic
> > >>
> > >>
> > >> I read through the list and the slides.  I couldn't be at the meeting
> > >> on Wednesday as I was travelling.
> > >>
> > >> The document starts off with:
> > >> "Even after the migration period, it may be advantageous for an
> > >> entity's  cryptographic identity to be composed of multiple
> > >> public-key
> > > algorithms."
> > >>
> > >> Panos and a few others have complained that the document attempts to
> > >> have signers tell verifiers what to do, and this should really a
> > >> verifier
> > > policy.
> > >> Well, that would make a lot of sense for a CMS signature on your
> > >> Mortgage, or your MUA verifying my email.
> > >>
> > >> But, signers REGULARLY tell verifiers what they've done and how to
> > >> verify things, and that's in the context of Certificates.  We have
> > >> all these
> > > policy
> > >> OIDs, and CSPs, and Path Constraints, and ...  These are all signals
> > >> from
> > > the
> > >> signer to the verifier.  The verifier can, of course, have a policy
> > >> that
> > > says that
> > >> they ignore CSPs or Path Constraints, or...
> > >>
> > >> I guess that the k-of-n part was in the slides only, as it's not in
> > >> the
> > > document
> > >> that I could see.
> > >>
> > >> I go back to the text I quoted above, and thinking about k-of-n.
> > >> I'm thinking that if there are more uses for the Composite-Or and
> > >> Composite-AND structures than *just* PQ transition, that the ROI on
> > >> implementing them may be much higher.  And thus the likelyhood that
> > >> we'll discovery and fix bugs relating to the new constructs is much
> higher.
> > >>
> > >> I think that we can agree that the last thing we want is a widespread
> > >> bug
> > > in
> > >> validation, at the point where we find it critical to transition.
> > >>
> > >> ps: I giggled when I read ~~~ BEGIN EDNOTE 10~~~
> > >>
> > >>
> > >>
> > >>
> > >>
> > >> --
> > >> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software
> > Works
> > >> -= IPv6 IoT consulting =-
> > >>
> > >>
> > >
> > > _______________________________________________
> > > Spasm mailing list
> > > Spasm@ietf.org
> > > https://www.ietf.org/mailman/listinfo/spasm
>
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm
>


-- 
Mike Jenkins
mjjenki@cyber.nsa.gov <mjjenki@tycho.ncsc.mil>
443-598-7837

v2.23.0 | Report a Bug | By Email