Re: [lamps] SKID extensions Re: PQ-hybrid or PQ-Composite?

Mike Ounsworth <Mike.Ounsworth@entrust.com> Thu, 27 October 2022 14:36 UTC

From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
To: Carl Wallace <carl@redhoundsoftware.com>, "Kampanakis, Panos" <kpanos@amazon.com>, 'LAMPS' <spasm@ietf.org>, Philip Lafrance <Philip.Lafrance@isara.com>
Thread-Topic: SKID extensions Re: [lamps] PQ-hybrid or PQ-Composite?
Thread-Index: AQHY6gRLIlpfWnKmM06k7NdRf/57P64iSn7g
Date: Thu, 27 Oct 2022 14:36:26 +0000
Message-ID: <CH0PR11MB5739523DE93429F7D5D4A4309F339@CH0PR11MB5739.namprd11.prod.outlook.com>
References: <108E5963-E837-47B4-A18F-ABF6E530C263@redhoundsoftware.com>
In-Reply-To: <108E5963-E837-47B4-A18F-ABF6E530C263@redhoundsoftware.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/E6pTpeDfGJvqnsRDtnnGl2RHwtM>
Subject: Re: [lamps] SKID extensions Re: PQ-hybrid or PQ-Composite?

+ @Philip Lafrance

Good point Carl.

For Composite you still have a single SubjectPublicKeyInfo in the usual place (just that its subjectPublicKey BIT STRING happens to contain a SEQUENCE of other keys). So the SKID method suggested in 5280 (or any other SKID method) should apply cleanly and unambiguously:

> the 160-bit SHA-1 hash of the value of the BIT STRING subjectPublicKey

So I don't think it needs to be explicitly mentioned in the composite draft?



For Catalyst Hybrid certs (draft-truskovsky-lamps-pq-hybrid-x509) I agree this is tricky; you have two independent pubkeys: the usual one, plus one in a SubjectAltPublicKeyInfoExt extension. Do you also need an AltSubjectKeyIdentifierExt? Further complicated if you're allowed more than one SubjectAltPublicKeyInfoExt. Maybe we should hold this technical feedback until such time as there is an active I-D for Hybrid Certs?

---
Mike Ounsworth
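Mike's point above, that the RFC 5280 SKID method applies unchanged to a composite key because there is still one subjectPublicKey BIT STRING, shown as an added example (not code from this thread, the composite draft or any of its authors): a minimal DER encoder builds a composite SubjectPublicKeyInfo from two constructed component keys and computes the SKID over the BIT STRING value. The key bytes and the PQ and composite OIDs are placeholders, not any draft's real values.

```python
import hashlib

# Minimal DER helpers written for this example (no ASN.1 library needed).
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b
def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body
def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += chunk
    return der(0x06, bytes(out))
def read_tlv(buf, pos):  # -> (tag, contents, offset after the TLV); definite lengths only
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def spki(alg_oid, key_bytes, params=b""):
    # SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, subjectPublicKey BIT STRING }
    alg = der(0x30, der_oid(alg_oid) + params)
    return der(0x30, alg + der(0x03, b"\x00" + key_bytes))  # leading 0x00 = no unused bits

def composite_spki(composite_oid, component_spkis):
    # Composite: the single subjectPublicKey BIT STRING carries a SEQUENCE of component SPKIs
    return spki(composite_oid, der(0x30, b"".join(component_spkis)))

def skid_rfc5280(spki_der):
    # RFC 5280 4.2.1.2 method (1): SHA-1 of the BIT STRING value, excluding tag,
    # length and the unused-bits octet. Nothing here cares what the bits encode.
    tag, body, _ = read_tlv(spki_der, 0)
    assert tag == 0x30
    _, _, pos = read_tlv(body, 0)       # skip AlgorithmIdentifier
    tag, bits, _ = read_tlv(body, pos)  # subjectPublicKey
    assert tag == 0x03
    return hashlib.sha1(bits[1:]).digest()

# Constructed sample keys: placeholder bytes, not real key material. The PQ and composite
# OIDs below are placeholders under a private arc, not the OIDs of any draft.
RSA_SPKI = spki("1.2.840.113549.1.1.1", bytes(range(32)), params=b"\x05\x00")  # rsaEncryption, NULL
PQ_SPKI = spki("1.3.6.1.4.1.99999.2", bytes(range(64, 128)))
COMPOSITE_SPKI = composite_spki("1.3.6.1.4.1.99999.1", [RSA_SPKI, PQ_SPKI])

def composite_skid_matches_inner_sequence():
    return skid_rfc5280(COMPOSITE_SPKI) == hashlib.sha1(der(0x30, RSA_SPKI + PQ_SPKI)).digest()
```

The same `skid_rfc5280` works for the component SPKIs and for the composite one, which is the point: a verifier or path builder needs no new SKID structure for composite keys.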

-----Original Message-----
From: Carl Wallace <carl@redhoundsoftware.com> 
Sent: October 27, 2022 8:02 AM
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>; Kampanakis, Panos <kpanos@amazon.com>; 'LAMPS' <spasm@ietf.org>
Subject: [EXTERNAL] SKID extensions Re: [lamps] PQ-hybrid or PQ-Composite?

Has there been any discussion of how SKID extensions would work with either hybrid or composite? I saw no mention in the expired hybrid draft cited below nor the current composite key and signature drafts. Seems like a new structure would be required, which would impact path building and backwards compatibility.

On 10/26/22, 3:00 PM, "Spasm on behalf of Mike Ounsworth" <spasm-bounces@ietf.org on behalf of Mike.Ounsworth=40entrust.com@dmarc.ietf.org> wrote:

    Ah, you beat me to it!

    Yes, ISARA has announced intent to dedicate the Hybrid Cert ("Catalyst") IP to the public domain.

    The way I see it is this (off the top of my head, not a carefully researched answer):

    Pros of Catalyst Hybrid:

    * Extends X.509 in "the obvious way" via an extension.
    * Fully backwards compatible because legacy clients will simply ignore the unrecognized non-critical extension.
    * Avoids combinatorial explosion of pairwise OIDs.
    * "Complexity" of checking both signatures lives at the X.509 layer.


    Cons of Catalyst Hybrid (and Pros of composite):

    * Hybrid Catalyst does not provide any encoding for transmitting multiple signatures, so you still need to either modify all the protocols to carry two signatures, or use a composite signature value.
    * You carry the (very large) PQ key and sig over the network whether or not the client uses it (ie very hard to negotiate algs when a hybrid cert is in use).
    * It is very difficult to audit what crypto was actually used at runtime since the server has no way to know whether the client actually checked the PQ part.
    * Compare that with composite where you either negotiate a traditional OID or a composite OID and it's very clear what's being used.
    * Catalyst Hybrid is not resistant to stripping / downgrade attack (ie Catalyst Hybrid certs only really make sense in an OR mode; though I suppose you could make them an AND mode by marking the extension CRITICAL).
    * "Complexity" of checking both signatures lives at the crypto alg layer.



    So as much as I'd like it to be as straight-forward of "We have Hybrid again, so let's drop Composite", I don't think it's that simple. I think there are strong advantages to each. I think I speak for Entrust that see value in supporting both Catalyst Hybrid and Composite certificates (as well as pure PQ / multi-cert), and would keep all three in our toolbox to recommend to customers depending on the details of their migration needs.

    But I agree that they are very similar and this is a good discussion to have.

    ---
    Mike Ounsworth

    -----Original Message-----
    From: Kampanakis, Panos <kpanos=40amazon.com@dmarc.ietf.org>
    Sent: October 26, 2022 1:24 PM
    To: Mike Ounsworth <Mike.Ounsworth@entrust.com>; 'LAMPS' <spasm@ietf.org>
    Subject: [EXTERNAL] PQ-hybrid or PQ-Composite?

    Hi Mike, composite drafts authors, and WG,

    Sorry for the monkey wrench. I am sure you are aware of this https://urldefense.com/v3/__https://www.isara.com/company/newsroom/isara-dedicates-four-hybrid-certificate-patents-to-the-public.html__;!!FJ-Y8qCqXTj2!aztm9JK1STn0XcErfeMf5yXQFR_5MMDuqP3WVKhZK9uu1C041s2dbh6qgNpa4nZj588VU3vhLFDl6BrRRvVIpDYvnCIBq3gm_SO6$ . ISARA seems to have opened up the patents they had on hybrid certs. Hybrid certs do the same thing as composites, but they add the additional algorithm in an optional extension, not concatenated. One advantage of hybrids is that we don't need a bunch of PQ-composite OIDs. One disadvantage could be that the PQ-verifier needs to be careful to verify and not ignore the extension.

    If the IPR is indeed open for use now, should the WG be discussing which is the better option?

    Rgs,
    Panos
