[lamps] Re: [PROPOSAL] Cryptographic Binding for draft-bonnell-lamps-chameleon-certs (DCD-Base Binding)
Sarat G <sarath.ginjupalli89@gmail.com> Mon, 23 February 2026 23:30 UTC
Return-Path: <sarath.ginjupalli89@gmail.com>
X-Original-To: spasm@mail2.ietf.org
Delivered-To: spasm@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 80355BC93B87 for <spasm@mail2.ietf.org>; Mon, 23 Feb 2026 15:30:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.848
X-Spam-Level:
X-Spam-Status: No, score=-1.848 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4Q1EAN4xRkRD for <spasm@mail2.ietf.org>; Mon, 23 Feb 2026 15:30:50 -0800 (PST)
Received: from mail-ot1-x334.google.com (mail-ot1-x334.google.com [IPv6:2607:f8b0:4864:20::334]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id F1050BC93B79 for <spasm@ietf.org>; Mon, 23 Feb 2026 15:30:49 -0800 (PST)
Received: by mail-ot1-x334.google.com with SMTP id 46e09a7af769-7d18c654458so1944873a34.3 for <spasm@ietf.org>; Mon, 23 Feb 2026 15:30:49 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1771889443; cv=none; d=google.com; s=arc-20240605; b=MMAzB50VQrycilzSNVMHvNwDheQiy3p5R8XgrBAncagzlYHOFSDt7HZNKZp4a4fisH 5Wtqsg+68ftbjD6pLdwp8tdhMoCnn0mrKebz1C1wYStQ96s06xsaHuDDJlINrJf4fM2Q opxJhNiysEl+FaWfrFg0+x1CvQUsniV/rsGcvWe0iTNl+pSVBUQgFnMcS3B7ff2XVik+ tRZmzUaba1FAH279Efb0/vjMdvfz9zAiMokUhbMF7K2DQ9t4IjbtBtkdjeEzc+S5/WfT WhJM4lJ7KS1nSNVLXnCMpxZQEVcrLPK/Ae7qJpVzyXVjuYzZBvyc+WPfL8XYI1RQIA+T CETQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=GCmWZFdnLIvbtd90uUken0ju0QT3CyxriYT6jn5amG4=; fh=i7rvyeWF7f+uDk/hUABKeAP2e48JbF84fe09ao3H5dc=; b=F2vmZtOJ4f4UZ/6DG5bb032saj9Bumuv/0q+ngMWci5xshFZDJvjcFS2XadvdCrT46 SMQSxnvKLb9Zuh0q6lcaJYyQ4pFII0lj2uOkblTXA5MPSDAEWFZw9rEkXrkcdwHHUT6v hd9nMKOZJ6B6uaEfuJ+3IDWsKhPNmm7F3JThAJDY3qWeDYvU3FE8nZgClHjBlt7Nij0B ecjvYT1Mp7pvKUIO+3GZ2pueRWCJ4mexYCNoKE5LZnmCZ+h6L/lfIZ2y9fcSikfkG3HS rVpQv7TntYnkU18gdIEZ/7OhRFDkYrg6g9m0Gi/YiTfVN0kqKH56dr7zIiNzVo6GUF5B LwfA==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1771889443; x=1772494243; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=GCmWZFdnLIvbtd90uUken0ju0QT3CyxriYT6jn5amG4=; b=AcqKJTy6fESQJ9PNWxq7i9acWLC2Kq/qwZ0ZX889QBJsvdoPO7WkH7S+rTHTGV/yEG 4L/sswzehok92SPd8yLld4TzWAm6pQz/ejuxB7H7ULpYOylapacMXop4/m02gvvjhV0F IpOLBZN0YJz5s31+9I5NtemZa7v8qZaAgiFz0uU7bLibYy06FOOMcYfeost7SF+yrWY5 tOrCULJp5e9h3oVvELx7AKBIQ7M+ncRPgC43+Faq3mJ4JDiIFW36Rsmr5Vl5H+flz8vx MkQCSK8e4mtXiy1w0yEyTgVTsxHesCfRQPVRGYhoCxc792XjaYPIn6RZzqaeakQBIo9L fBIA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1771889443; x=1772494243; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=GCmWZFdnLIvbtd90uUken0ju0QT3CyxriYT6jn5amG4=; b=p98+8P8SXaLs2vq8qbwUdaKxjv/4FZE6kzuYHrwo5ZeEoxc148t2zScGW5Fi3tBr0n Q2D7noLKp52VQJUJSVtxu7q7zcfuTHNSe8YYvgLMFJnmu0faPQeWRgXIXbPU/weqDT9P By78BET8nfEFEaPh84SO/v26qifiNnMEm5Pxrw1McUS9U+m/ZE9SbLGVw5+EEYMpjcEh yg1S2IlRqwcLLDT7HFAYj2YmpwLi8rX9VDPNp+gcMYpXhD2+BhHXIQvVeago9ulrXg46 SjcfCQAsETiwU+Vwz8W9yMMyxO+jLQjTA13JXJRHyj8ukkc7Zoc6bZLF1qMsEsQBmgA2 DrYg==
X-Gm-Message-State: AOJu0YwCNLN2VpxWOwFusOQ/1dlpjGSpg62PT7wIUpzKrG4DhNkFVk9m /6jonCXAQDHjYd2htEJERmvoSeCaVrsdi8JgrO1wNCIp0WKN4Y9DDec6syWELorVBFXWFvewAdv 4BzEZiTX8dSAN0pSejr4wtYe+rAfA0Fo=
X-Gm-Gg: AZuq6aJj/NVypgmP0ngUMqElqHPrgseT/DHHC64oCWWZa1K2MmYlBYwHxz9J6xlS1EL dmK1pw4EE40ElI84JMGCek2J0dTzOmv7WSZqHLURwKdV5LR2ENriU41KG9noz/9yRtNXeludzfN fShxiedbmLnS4YP8mcA/85ETQcB+ut+N/mT/eng+G0juRTg9n5bcHcazWBDdkUKZIMDSA2z8bAZ AVhr4HMQRRWraIF4XlY5fLEH2wErwAm59D4Ch6LOVIyLETrB5HJ2RMQBifrkGt3zdTd/YdjKqNT tpOb1ER58cWdMdr0l7chWkC2QzIwOpmGhpA=
X-Received: by 2002:a05:6820:150a:b0:676:6570:209c with SMTP id 006d021491bc7-679c466f67dmr6463274eaf.10.1771889442542; Mon, 23 Feb 2026 15:30:42 -0800 (PST)
MIME-Version: 1.0
References: <CANNyqrwfa2mrmr1_CK0Qzpoj6XpoR+cXhmHt29eJYg956r09xA@mail.gmail.com> <8C9006CE-BAF9-4224-88A6-481094331AC0@vigilsec.com>
In-Reply-To: <8C9006CE-BAF9-4224-88A6-481094331AC0@vigilsec.com>
From: Sarat G <sarath.ginjupalli89@gmail.com>
Date: Tue, 24 Feb 2026 05:00:29 +0530
X-Gm-Features: AaiRm52a9Zh9HuqoB2GtDdSzq4HTjEFyfo0ucPuhTBNwjrOOGyhvrFVQ_NlbkRE
Message-ID: <CANNyqrzpRdF9m3BOoGMEqzRe7vrti9bJYfQwS1rNtbZHiJjy5A@mail.gmail.com>
To: Russ Housley <housley@vigilsec.com>
Content-Type: multipart/alternative; boundary="000000000000cdd72e064b8628ea"
Message-ID-Hash: JEKUINM4Z2RVYE6ZMES6O3IGGHJZGHW4
X-Message-ID-Hash: JEKUINM4Z2RVYE6ZMES6O3IGGHJZGHW4
X-MailFrom: sarath.ginjupalli89@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-spasm.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: IETF LAMPS <spasm@ietf.org>, Corey Bonnell <corey.bonnell@digicert.com>, john.gray@entrust.com
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [lamps] Re: [PROPOSAL] Cryptographic Binding for draft-bonnell-lamps-chameleon-certs (DCD-Base Binding)
List-Id: This is the mail list for the LAMPS Working Group <spasm.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/DaTCWAB-eIYyKJjFx7v1GlgJmBs>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Owner: <mailto:spasm-owner@ietf.org>
List-Post: <mailto:spasm@ietf.org>
List-Subscribe: <mailto:spasm-join@ietf.org>
List-Unsubscribe: <mailto:spasm-leave@ietf.org>
Hi Russ,
Thanks for the feedback. Making baseBinding mandatory (non-OPTIONAL) makes
sense: it keeps the binding as a core part of the Chameleon structure and
helps prevent downgrade or stripping attacks.
To stay consistent with the draft’s tagging, I propose adding the binding
as a mandatory field with tag [5], placed before the signature value to
ensure it is covered by the descriptor's integrity check.
Proposed ASN.1:
DeltaCertificateDescriptor ::= SEQUENCE {
serialNumber CertificateSerialNumber,
signature [0] EXPLICIT AlgorithmIdentifier OPTIONAL,
issuer [1] EXPLICIT Name OPTIONAL,
validity [2] EXPLICIT Validity OPTIONAL,
subject [3] EXPLICIT Name OPTIONAL,
subjectPublicKeyInfo SubjectPublicKeyInfo,
extensions [4] EXPLICIT Extensions OPTIONAL,
baseBinding [5] EXPLICIT BaseBinding,
signatureValue BIT STRING
}
BaseBinding ::= SEQUENCE {
hashAlgorithm AlgorithmIdentifier,
bindingValue OCTET STRING -- Hash of Base's subjectPublicKeyInfo
}
This keeps the DCD compact while adding the needed binding. I’d be
interested in feedback from the draft authors (Corey, John) on any
implementation impact of making this mandatory from the start.
Regards,
Sarat G
On Mon, Feb 23, 2026 at 8:52 PM Russ Housley <housley@vigilsec.com> wrote:
> I think that baseBinding should not be OPTIONAL.
>
> Russ
>
>
> > On Feb 23, 2026, at 8:56 AM, Sarat G <sarath.ginjupalli89@gmail.com>
> wrote:
> >
> > Dear LAMPS Working Group and Authors,
> >
> > I have been reviewing draft-bonnell-lamps-chameleon-certs and would like
> to propose a technical addition to the Delta Certificate Descriptor (DCD)
> extension: a cryptographic binding between the Base certificate and the
> Delta it carries.
> >
> > 1. The Problem: DCD Substitution (Grafting)
> >
> > The DCD extension is part of the Base certificate's TBS and is covered
> by the CA's signature. However, there is no field within the DCD that
> cryptographically links the Delta to the specific Base that carries it.
> >
> > In scenarios where a verifier processes only the PQC (Delta) path, or
> where the classical (Base) issuer key is compromised, an attacker could
> theoretically graft a valid DCD from one certificate onto a different Base.
> A PQC-only verifier would have no way to cryptographically confirm that the
> Delta belongs to the Base it is paired with.
> >
> > 2. The Proposal: DCD–Base Binding
> >
> > Add an optional baseBinding field to the DeltaCertificateDescriptor
> containing a hash of the Base certificate's subjectPublicKeyInfo (SPKI).
> >
> > Why SPKI?
> >
> > - Avoids circularity: The DCD is inside the Base's TBS, so hashing the
> full TBS would be self-referential.
> > - Identity link: The Base's SPKI identifies the subject's classical key.
> Binding ensures the Delta is tied to that same subject.
> >
> > 3. Proposed ASN.1 Addition
> >
> > Add to DeltaCertificateDescriptor (new optional field with context tag
> [5]):
> >
> > DeltaCertificateDescriptor ::= SEQUENCE {
> > serialNumber CertificateSerialNumber,
> > signature [0] EXPLICIT AlgorithmIdentifier OPTIONAL,
> > issuer [1] EXPLICIT Name OPTIONAL,
> > validity [2] EXPLICIT Validity OPTIONAL,
> > subject [3] EXPLICIT Name OPTIONAL,
> > subjectPublicKeyInfo SubjectPublicKeyInfo,
> > extensions [4] EXPLICIT Extensions OPTIONAL,
> > baseBinding [5] EXPLICIT BaseBinding OPTIONAL, -- NEW
> > signatureValue BIT STRING
> > }
> >
> > BaseBinding ::= SEQUENCE {
> > hashAlgorithm AlgorithmIdentifier,
> > bindingValue OCTET STRING -- Hash of Base's subjectPublicKeyInfo
> > }
> >
> > 4. Verification Logic
> >
> > A PQC-aware verifier would:
> >
> > 1. Extract baseBinding from the DCD (if present).
> > 2. Compute Hash(Base.subjectPublicKeyInfo) using the specified algorithm.
> > 3. Reject the Delta if the hashes do not match, regardless of signature
> validity.
> >
> > 5. Rationale
> >
> > - Defense-in-depth: Strengthens the model for PQC-only or PQC-preferred
> verifiers.
> > - Minimal overhead: Hashing a public key is cheap; certificate size
> increase is small.
> > - Backward compatibility: OPTIONAL with explicit tagging; existing
> implementations ignore unknown fields.
> >
> > I would appreciate the group's feedback on whether this is a useful
> addition to the draft or if it should be pursued as a standalone extension.
> >
> > Regards,
> > Sarat G
> >
> >
> > _______________________________________________
> > Spasm mailing list -- spasm@ietf.org
> > To unsubscribe send an email to spasm-leave@ietf.org
>
>
- [lamps] [PROPOSAL] Cryptographic Binding for draf… Sarat G
- [lamps] Re: [PROPOSAL] Cryptographic Binding for … Russ Housley
- [lamps] Re: [PROPOSAL] Cryptographic Binding for … Sarat G
- [lamps] Re: [EXTERNAL] Re: [PROPOSAL] Cryptograph… John Gray
- [lamps] Re: [EXTERNAL] Re: [PROPOSAL] Cryptograph… Sarat G
- [lamps] Re: [EXTERNAL] Re: [PROPOSAL] Cryptograph… John Gray
- [lamps] Re: [EXTERNAL] Re: [PROPOSAL] Cryptograph… Sarat G