Re: [lamps] New Version Notification for draft-massimo-lamps-pq-sig-certificates-00.txt
Russ Housley <housley@vigilsec.com> Tue, 12 July 2022 15:36 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 396F2C14F743 for <spasm@ietfa.amsl.com>; Tue, 12 Jul 2022 08:36:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.908
X-Spam-Level:
X-Spam-Status: No, score=-6.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aA24idTyf6R5 for <spasm@ietfa.amsl.com>; Tue, 12 Jul 2022 08:36:11 -0700 (PDT)
Received: from mail3.g24.pair.com (mail3.g24.pair.com [66.39.134.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0DEB4C14CF03 for <spasm@ietf.org>; Tue, 12 Jul 2022 08:36:05 -0700 (PDT)
Received: from mail3.g24.pair.com (localhost [127.0.0.1]) by mail3.g24.pair.com (Postfix) with ESMTP id 2D87713D38E; Tue, 12 Jul 2022 11:36:04 -0400 (EDT)
Received: from [10.0.1.2] (pfs.iad.rg.net [198.180.150.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail3.g24.pair.com (Postfix) with ESMTPSA id 18D4E13D38D; Tue, 12 Jul 2022 11:36:04 -0400 (EDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <DM6PR11MB25856515B179F6845BF1668FEA869@DM6PR11MB2585.namprd11.prod.outlook.com>
Date: Tue, 12 Jul 2022 11:36:03 -0400
Cc: Uri Blumenthal <uri@ll.mit.edu>, "Massimo, Jake" <jakemas@amazon.com>, "spasm@ietf.org" <spasm@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <958C93DA-EC34-42CA-A490-8367D984CA67@vigilsec.com>
References: <DM6PR11MB2585CB30B5A19BDB39400B95EA879@DM6PR11MB2585.namprd11.prod.outlook.com> <00AF3B52-729F-4E14-B69D-83E4D4B35863@ll.mit.edu> <DM6PR11MB2585E20AE659FB328C6D13FAEA879@DM6PR11MB2585.namprd11.prod.outlook.com> <6B34C5E9-744E-4304-83CF-D906E41027A6@vigilsec.com> <DM6PR11MB25856515B179F6845BF1668FEA869@DM6PR11MB2585.namprd11.prod.outlook.com>
To: John Gray <John.Gray@entrust.com>
X-Mailer: Apple Mail (2.3445.104.21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/Gv-ACiOpYZfOM0AJEZUX1jIhVq0>
Subject: Re: [lamps] New Version Notification for draft-massimo-lamps-pq-sig-certificates-00.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Jul 2022 15:36:17 -0000
John: > I agree, we just need to know how to encode the public key structure into a BIT STRING. So I am just looking forward to clarity on the encoding of the DilithiumPublicKey. > > For example, here is a Dilithium2 Public Key (using the Round 3 implementation from open quantum safe), encoded as a BIT STRING: > > The OIDs I'm using are not standard as they still need to be defined... 😊 The LAMPS WG Charter assumes that NIST will assign these OIDs. as they have done for AES, SHA2, SHA3, and so on. [snip] > Russ, in regards to the PrivateKeyInfo structure, I was just pointing out the difference that I see in 5280 (OCTET STRING for privateKey vs BIT STRING for public key). I think the way they have defined the DilithiumPrivateKey as an OCTET STRING is fine as it complies with 5280. My only question in relation to the private key is why there has to be an option to have the public key in there? If it is not there and an implementation required it to be there then wouldn't that cause interop issues? I am expecting both the public key and the private key to be octet strings. For the public key, is it easy to specify how to carry an octet string in an ASN.1 BIT STRING. For the private key, is it trivial to specify how to carry an octet string in an ASN.1 OCTET STRING. One of the issues regarding private keys is discussed in draft-uni-qsckeys. If the private key contains all of the optional values, then the structure gets very big. If the private key does not contain all of the optional values, then these values need to be computed locally. The right approach may depend recipient device and communications environment. > I notice in RFC 5915 (EC Private Keys) there is language to try and mitigate incompatibilities by suggesting the public key SHOULD always be in the ECPrivateKey, and then if it is not it can just be recomputed if it was needed. I don't know if it is possible to recompute dilithium public keys from private keys, if it is possible, then I suppose something similar could be explained. In any case, I just think an expanded explanation for that optional field and language to try and mitigate incompatibility between implementations should be considered. Since I have already come across this exact incompatibility in practice, it isn't just hypothetical. I could send samples of this incompatibility as well if that is helpful... 😊 It was a long time ago, but I think that the SHOULD was intended to reflect environments where the private key is locally generated and never sent to any other places. > > From 5915: > publicKey contains the elliptic curve public key associated with > the private key in question. The format of the public key is > specified in Section 2.2 of [RFC5480]. Though the ASN.1 indicates > publicKey is OPTIONAL, implementations that conform to this > document SHOULD always include the publicKey field. The publicKey > field can be omitted when the public key has been distributed via > another mechanism, which is beyond the scope of this document. > Given the private key and the parameters, the public key can > always be recomputed; this field exists as a convenience to the > consumer. Right, if one has the private key, it can compute the public key from it. This is another example of the size tradeoff. Russ
- [lamps] FW: New Version Notification for draft-ma… Massimo, Jake
- Re: [lamps] FW: New Version Notification for draf… Russ Housley
- Re: [lamps] FW: New Version Notification for draf… Ilari Liusvaara
- Re: [lamps] New Version Notification for draft-ma… John Gray
- Re: [lamps] New Version Notification for draft-ma… Blumenthal, Uri - 0553 - MITLL
- Re: [lamps] New Version Notification for draft-ma… John Gray
- Re: [lamps] New Version Notification for draft-ma… Blumenthal, Uri - 0553 - MITLL
- Re: [lamps] New Version Notification for draft-ma… Russ Housley
- Re: [lamps] New Version Notification for draft-ma… Corey Bonnell
- Re: [lamps] New Version Notification for draft-ma… Massimo, Jake
- Re: [lamps] [EXTERNAL] Re: New Version Notificati… John Gray
- Re: [lamps] [EXTERNAL] Re: New Version Notificati… Blumenthal, Uri - 0553 - MITLL
- Re: [lamps] New Version Notification for draft-ma… Russ Housley