IETF Logo Mail Archive

Re: [lamps] PQ-composite OR or K-of-N logic

"Kampanakis, Panos" <kpanos@amazon.com> Wed, 04 May 2022 13:48 UTC

Return-Path: <prvs=1168cbba3=kpanos@amazon.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B014CC14F744 for <spasm@ietfa.amsl.com>; Wed, 4 May 2022 06:48:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.171
X-Spam-Level:
X-Spam-Status: No, score=-10.171 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.575, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazon.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lXuRJFuGUvOQ for <spasm@ietfa.amsl.com>; Wed, 4 May 2022 06:48:40 -0700 (PDT)
Received: from smtp-fw-6001.amazon.com (smtp-fw-6001.amazon.com [52.95.48.154]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E800AC14F73D for <spasm@ietf.org>; Wed, 4 May 2022 06:48:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1651672120; x=1683208120; h=from:to:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version:subject; bh=JzQjEoQRN5Xo4kU+pL01J/vxNzmJxeoSzRFQjo6Nf8c=; b=HT/JHlEiyxWWsF9xaR7GyQ1JyiN4gPzSxlbBOU6s22Dox4ML8BYHkjtu eO7DdyuD4pdEDbYDbnQXCANy7xK1wpuKBikkMG72JU89AlBYk1DV2QZ3v DCEAe4JDUuurRZq2FblUoy/3zXLlF7oXMjeSVXtDmTCxmiy2OVL2MK3QI o=;
X-IronPort-AV: E=Sophos;i="5.91,198,1647302400"; d="scan'208";a="199943723"
Thread-Topic: [lamps] PQ-composite OR or K-of-N logic
Received: from iad12-co-svc-p1-lb1-vlan3.amazon.com (HELO email-inbound-relay-iad-1e-90d70b14.us-east-1.amazon.com) ([10.43.8.6]) by smtp-border-fw-6001.iad6.amazon.com with ESMTP; 04 May 2022 13:48:27 +0000
Received: from EX13MTAUWB001.ant.amazon.com (iad12-ws-svc-p26-lb9-vlan3.iad.amazon.com [10.40.163.38]) by email-inbound-relay-iad-1e-90d70b14.us-east-1.amazon.com (Postfix) with ESMTPS id 7AAD7C042F; Wed, 4 May 2022 13:48:27 +0000 (UTC)
Received: from EX13D01ANC003.ant.amazon.com (10.43.157.68) by EX13MTAUWB001.ant.amazon.com (10.43.161.207) with Microsoft SMTP Server (TLS) id 15.0.1497.32; Wed, 4 May 2022 13:48:26 +0000
Received: from EX13D01ANC003.ant.amazon.com (10.43.157.68) by EX13D01ANC003.ant.amazon.com (10.43.157.68) with Microsoft SMTP Server (TLS) id 15.0.1497.32; Wed, 4 May 2022 13:48:19 +0000
Received: from EX13D01ANC003.ant.amazon.com ([10.43.157.68]) by EX13D01ANC003.ant.amazon.com ([10.43.157.68]) with mapi id 15.00.1497.033; Wed, 4 May 2022 13:48:13 +0000
From: "Kampanakis, Panos" <kpanos@amazon.com>
To: "Klaußner, Jan" <Jan.Klaussner@d-trust.net>, LAMPS <spasm@ietf.org>
Thread-Index: AdhV9Rf0dKtEp6K7TUGSt7lMX+2VvwBPrrkAALeIHIAACrd0AAAAHXYAAVdSEgAACGCYEA==
Date: Wed, 04 May 2022 13:48:13 +0000
Message-ID: <06fd000d77f74a169d7add67a9809f6a@EX13D01ANC003.ant.amazon.com>
References: <f2fb2b2459fe42818348838eb14cc2ac@EX13D01ANC003.ant.amazon.com> <1312273.1650733310@dooku> <ca18a6bf6cb74756ac942fb514c82d78@d-trust.net> <F24836DA-1304-4379-B91D-BBB4F012A888@vigilsec.com> <6cff3100963349cb8399bbe853e2186f@EX13D01ANC003.ant.amazon.com> <b955611d3638496f974e3b8c42fc7897@d-trust.net>
In-Reply-To: <b955611d3638496f974e3b8c42fc7897@d-trust.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.43.156.82]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/CdNDnhWHx4s678vKhBzsATZYWGg>
Subject: Re: [lamps] PQ-composite OR or K-of-N logic
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 May 2022 13:48:43 -0000

Hi Jan, 

> in the non-repudiation or content commitment use case the signer must hint how the verification should be done in order to be held accountable.

For my benefit, how does that work? 
The signer sings with n private keys. Are you saying that only when the verifier can verify k of these signatures, can the verifier be certain that the signer signed the object? 
Why will 1-of-n (for a trusted by the verifier signature algorithm) suffice for these scenarios?



-----Original Message-----
From: Spasm <spasm-bounces@ietf.org> On Behalf Of Klaußner, Jan
Sent: Wednesday, May 4, 2022 5:37 AM
To: LAMPS <spasm@ietf.org>
Subject: RE: [EXTERNAL][lamps] PQ-composite OR or K-of-N logic

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.



Hi Panos,

as I stated in another post in this thread, in the non-repudiation or content commitment use case the signer must hint how the verification should be done in order to be held accountable.

> -----Ursprüngliche Nachricht-----
> Von: Kampanakis, Panos <kpanos@amazon.com>
> Gesendet: Mittwoch, 27. April 2022 16:13
> An: Russ Housley <housley@vigilsec.com>; Klaußner, Jan 
> <Jan.Klaussner@d- trust.net>
> Cc: LAMPS <spasm@ietf.org>
> Betreff: RE: [lamps] PQ-composite OR or K-of-N logic
>
> +1 to Russ' point about RFC4998.
>
> And to reiterate:
>
> > There would be an immediate need to reconfigure or update
> verifier/signing software not to use this algorithm anymore, but there 
> is some more time to replace the algorithm in the PKI.
> > The k-of-n mode here is providing this agility and also the 
> > increased
> security of the AND mode, simply put.
>
> That does not need the signer to define the k-of-n logic. The signer 
> will just create n signatures and put them in a composite one. The 
> verifier will verify k-of-n and pass verification. No need for 
> upgrades. And no need for the AND, OR, K-OF-N logic to be added in the 
> composite signature or public key to complicate things.
>
>
>
> -----Original Message-----
> From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
> Sent: Wednesday, April 27, 2022 9:44 AM
> To: "Klaußner, Jan" <Jan.Klaussner@d-trust.net>
> Cc: LAMPS <spasm@ietf.org>
> Subject: RE: [EXTERNAL][lamps] PQ-composite OR or K-of-N logic
>
> CAUTION: This email originated from outside of the organization. Do 
> not click links or open attachments unless you can confirm the sender 
> and know the content is safe.
>
>
>
> Jan:
>
> A notary is often used when a signature needs to be verifiable for 
> many decades. RFC 4998 specifies the Evidence Record Syntax (ERS), 
> which can be used to apply additional signatures by a notary.
>
> Russ
>
> > On Apr 27, 2022, at 4:36 AM, Klaußner, Jan 
> > <Jan.Klaussner@d-trust.net>
> wrote:
> >
> > Hi all,
> >
> > First I completely agree with Michaels view on verification policies.
> > Especially in open PKIs that are not under control of one company 
> > there is a need to signal how verification should be done.
> >
> > On the question about use cases beside the PQ transition: We believe 
> > there is a high probability that new algorithms are successfully 
> > attacked during the next decades.
> >
> > Therefore we want establish some agility in an PKI to more easily 
> > switch algorithms without an immediate PKI rollover. In our case we 
> > are also talking about use cases for document signing or long term 
> > encryption, where digital signatures need to be valid for longer 
> > periods, sometimes up to 50 years.
> >
> > So in case one algorithm is broken, the documents still remain secure/valid.
> > There would be an immediate need to reconfigure or update 
> > verifier/signing software not to use this algorithm anymore, but 
> > there is some more time to replace the algorithm in the PKI.
> > Once again, this is even more important in an open PKI.
> >
> > The k-of-n mode here is providing this agility and also the 
> > increased security of the AND mode, simply put.
> >
> > I hope our point is now more clear to the group
> >
> > Br
> > Jan
> >> -----Ursprüngliche Nachricht-----
> >> Von: Spasm <spasm-bounces@ietf.org> Im Auftrag von Michael
> Richardson
> >> Gesendet: Samstag, 23. April 2022 19:02
> >> An: LAMPS <spasm@ietf.org>
> >> Betreff: Re: [lamps] PQ-composite OR or K-of-N logic
> >>
> >>
> >> I read through the list and the slides.  I couldn't be at the 
> >> meeting on Wednesday as I was travelling.
> >>
> >> The document starts off with:
> >> "Even after the migration period, it may be advantageous for an 
> >> entity's  cryptographic identity to be composed of multiple 
> >> public-key
> > algorithms."
> >>
> >> Panos and a few others have complained that the document attempts 
> >> to have signers tell verifiers what to do, and this should really a 
> >> verifier
> > policy.
> >> Well, that would make a lot of sense for a CMS signature on your 
> >> Mortgage, or your MUA verifying my email.
> >>
> >> But, signers REGULARLY tell verifiers what they've done and how to 
> >> verify things, and that's in the context of Certificates.  We have 
> >> all these
> > policy
> >> OIDs, and CSPs, and Path Constraints, and ...  These are all 
> >> signals from
> > the
> >> signer to the verifier.  The verifier can, of course, have a policy 
> >> that
> > says that
> >> they ignore CSPs or Path Constraints, or...
> >>
> >> I guess that the k-of-n part was in the slides only, as it's not in 
> >> the
> > document
> >> that I could see.
> >>
> >> I go back to the text I quoted above, and thinking about k-of-n.
> >> I'm thinking that if there are more uses for the Composite-Or and 
> >> Composite-AND structures than *just* PQ transition, that the ROI on 
> >> implementing them may be much higher.  And thus the likelyhood that 
> >> we'll discovery and fix bugs relating to the new constructs is much higher.
> >>
> >> I think that we can agree that the last thing we want is a 
> >> widespread bug
> > in
> >> validation, at the point where we find it critical to transition.
> >>
> >> ps: I giggled when I read ~~~ BEGIN EDNOTE 10~~~
> >>
> >>
> >>
> >>
> >>
> >> --
> >> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software
> Works
> >> -= IPv6 IoT consulting =-
> >>
> >>
> >
> > _______________________________________________
> > Spasm mailing list
> > Spasm@ietf.org
> > https://www.ietf.org/mailman/listinfo/spasm

v2.23.0 | Report a Bug | By Email