IETF Logo Mail Archive

Re: [lamps] [EXTERNAL]Re: Call for Presentations at the LAMPS Interim Meeting on 28 Jan 2021

Russ Housley <housley@vigilsec.com> Wed, 13 January 2021 22:29 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 296033A1468 for <spasm@ietfa.amsl.com>; Wed, 13 Jan 2021 14:29:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t8EHpif_Kqgb for <spasm@ietfa.amsl.com>; Wed, 13 Jan 2021 14:29:41 -0800 (PST)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C091B3A1463 for <spasm@ietf.org>; Wed, 13 Jan 2021 14:29:41 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 30538300BC4 for <spasm@ietf.org>; Wed, 13 Jan 2021 17:29:39 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id fng7WPbJH9wR for <spasm@ietf.org>; Wed, 13 Jan 2021 17:29:37 -0500 (EST)
Received: from a860b60074bd.fios-router.home (pool-141-156-161-153.washdc.fios.verizon.net [141.156.161.153]) by mail.smeinc.net (Postfix) with ESMTPSA id 12B44300AFC; Wed, 13 Jan 2021 17:29:36 -0500 (EST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.17\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <DM6PR11MB4380C66B31D31C4B13912D859FA90@DM6PR11MB4380.namprd11.prod.outlook.com>
Date: Wed, 13 Jan 2021 17:29:38 -0500
Cc: LAMPS <spasm@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <9CE4E955-97C8-49C2-8FE2-375C576930B8@vigilsec.com>
References: <2C7FE71D-D3DA-49CF-B133-EAC979309951@vigilsec.com> <D95BD95A-ED8C-4275-AE4F-463A41A6C85C@vigilsec.com> <BN7PR11MB254730455D173EB9769B6632C9A90@BN7PR11MB2547.namprd11.prod.outlook.com> <6452.1610560502@localhost> <DM6PR11MB4380C66B31D31C4B13912D859FA90@DM6PR11MB4380.namprd11.prod.outlook.com>
To: "Mike Ounsworth (Mike.Ounsworth@entrustdatacard.com)" <Mike.Ounsworth@entrustdatacard.com>
X-Mailer: Apple Mail (2.3445.104.17)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/CcXYiDm3tFh4f5v74s9t9faH_eI>
Subject: Re: [lamps] [EXTERNAL]Re: Call for Presentations at the LAMPS Interim Meeting on 28 Jan 2021
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jan 2021 22:29:45 -0000

Mike:

I do not see them as orthogonal.  If one uses the composite signature structure {RSA,PQ} on the wire, and the public keys are in separate certificates, I cannot see how the validation works out.  Maybe I am missing something.  Can you put together some sides for the Interim meeting on the 28th to explain more fully?

Russ


> On Jan 13, 2021, at 2:04 PM, Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org> wrote:
> 
> At the risk of over-complicating everything, we see the One-Cert vs Two-Cert discussion as in some senses orthogonal to our composite keys and signatures draft (draft-ounsworth-pq-composite-sigs).
> 
> I think that shoehorning this into a "one-cert vs two-cert" discussion is missing some of the potential value of the Composite proposal.
> 
> In writing the composite draft, we were careful to not make it a certificates draft, and instead stick strictly to public key, private key, and signature OIDs and ASN.1 encodings. At present, we are just looking at composite key and signature formats so that there is an obvious and standardized way to meet the NIST call for putting dual signatures on <thing>; whatever <thing> is.
> 
> For example, someone way want to combine both approaches and have a Two-Cert ecosystem where one of the certs is Composite:
> 
> Cert1: {RSA}
> Cert2: {RSA, PQ}
> 
> 
> Another example of them being orthogonal is a case where you have separate certificates {RSA}, {PQ}, but for protocol simplicity you want to use the composite signature structure {RSA,PQ} on the wire.
> 
> Our draft (draft-ounsworth-pq-composite-sigs) is really trying to be orthogonal from the One-Cert vs Two-Cert question.
> 
> ---
> Mike Ounsworth
> 
> -----Original Message-----
> From: Spasm <spasm-bounces@ietf.org> On Behalf Of Michael Richardson
> Sent: January 13, 2021 11:55 AM
> To: LAMPS <spasm@ietf.org>
> Subject: [EXTERNAL]Re: [lamps] Call for Presentations at the LAMPS Interim Meeting on 28 Jan 2021
> 
> 
> Panos Kampanakis \(pkampana\) <pkampana=40cisco.com@dmarc.ietf.org> wrote:
>> I have been on both sides of the argument, Classical+PQ signatures or
>> parallel (classical, PQ). Recently I have been thinking that we probably
>> can't avoid keeping classical PKI for backwards compatibility which probably
>> makes the Classical+PQ sigs less appealing.
> 
> First, I think that we need better terms to explain the two options.
> Russ has used "One Certificate" and "Two Certificate".
> 
> I think that in the "One Certificate" case, that the PQC and traditional (He said "traditional", and Panos said "classical", btw) CA signers would sign both BQC and traditional keys.  Right?
> 
> 
>> Especially for live protocols
>> like TLS, this argument is even more relevant especially since the big cert
>> would be penalizing the classical peer with unnecessary PQ sig data.
> 
> It seems that for live protocols we can negotiate, and the server can send only what is needed, so there are really no byte-size issues.
> 
>> But I have heard some arguments for classical+PQ for non-TLS usecases. An
>> example could be SW Signing. I would argue that PKCS#7/CMS can include
>> multiple sigs (in SignerInfo) in the SignedData as clarified in RFC4853, so
>> even for SW Signing we may not need Composite or Hybrid Classical+PQ
>> Signatures.
> 
> That seems to be the parallel case, isn't it?
> 
> I have a different concern to ask as well:
>  Are hash-based signatures in the classical or PQC category?
> 
>> I gave this presentation at the NIST NCCoE Virtual Workshop on
>> Considerations in Migrating to Post-Quantum Cryptographic Algorithms:
>> https://www.nccoe.nist.gov/sites/default/files/10-Housley-NCCoE-Workshop-Tra
>> nsition-to-PQC-Certificates.pdf
> 
>> This short presentation still captures my view.  Are there people with a
>> different view that would like time on the agenda at the LAMPS Interim on 28
>> Jan?  I would like to make sure that all point of view are heard.
> 
> Russ' preference is for "Two Certificate" case.
> I think that it is equivalent to having RSA and ECDSA ecosystems alive, which I think we have managed reasonably well.
> So I don't think that I have a diverging view.
> 
> --
> Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
>           Sandelman Software Works Inc, Ottawa and Worldwide
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm

v2.23.0 | Report a Bug | By Email