Re: [lamps] FW: New Version Notification for draft-vangeest-x509-hash-sigs-00.txt

Russ Housley <housley@vigilsec.com> Wed, 10 October 2018 20:19 UTC

From: Russ Housley <housley@vigilsec.com>
Date: Wed, 10 Oct 2018 16:19:29 -0400
Cc: SPASM <spasm@ietf.org>
To: Daniel Van Geest <Daniel.VanGeest@isara.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/HE-e-Nr0jgHgcyENfea4b5CuYV4>

I suspect that this document will need to go through secdispatch in order to get the LAMPS WG charter updated.

I skimmed the document, and it defines object identifiers for the algorithms, but it should probably use SIGNATURE-ALGORITHM as defined in RFC 5912.  That way, it is clear that all 6 algorithm identifiers are used without parameters.

I would like to see certificates and CMS use the same object identifiers for the public keys and the signatures in all cases.  We need to do some coordination to make sure that happens.

Russ



> On Oct 10, 2018, at 2:18 PM, Daniel Van Geest <Daniel.VanGeest@isara.com> wrote:
> 
> My employer has seen interest in hash-based signatures for X.509 certificates and is implementing support for them.  This draft adds signature algorithm identifiers for HSS (the key identifier is already defined in draft-ietf-lamps-cms-hash-sig), and key and signature algorithm identifiers for XMSS and XMSS^MT.
>  
> Due to their statefulness, these hash-based signatures are not appropriate for EE certs in interactive protocols, but are useful in CA certs and code signing.  Because of the long time needed to deploy CA certs, the potential long life of signed code, and the fact that hash-based signatures are already considered to be secure, it is prudent to enable deployment of hash-based certificates now rather than waiting for the NIST competition to select a PQ signature scheme.
>  
> This is a relatively simple draft, basically just assignment of OIDs.  Is there interest in this group for this draft?  If not, should it be an Individual Submission?  I can post this to Secdispatch for their opinion too.
>  
> A few other notes on the draft:
> - It needs to align KeyUsage with draft-ietf-lamps-cms-hash-sig (this draft currently has MUSTs for the values, while the other has MAYs).
> - id-alg-hss-lms-hashsig is repeated from ietf-lamps-cms-hash-sig.  All other OIDs are assigned from ISARA’s arc.  If instead there is a preferred arc to request OIDs from we can look into that.
>  
> Any feedback from the group would be appreciated.
>  
> Thanks,
> Daniel
>  
>  
>  
> On 2018-10-10, 8:14 PM, "internet-drafts@ietf.org" <internet-drafts@ietf.org> wrote:
>  
>  
> A new version of I-D, draft-vangeest-x509-hash-sigs-00.txt
> has been successfully submitted by Daniel Van Geest and posted to the
> IETF repository.
>  
> Name:           draft-vangeest-x509-hash-sigs
> Revision:       00
> Title:          Algorithm Identifiers for HSS and XMSS for Use in the Internet X.509 Public Key Infrastructure
> Document date:  2018-10-10
> Group:          Individual Submission
> Pages:          13
> URL:            https://www.ietf.org/internet-drafts/draft-vangeest-x509-hash-sigs-00.txt
> Status:         https://datatracker.ietf.org/doc/draft-vangeest-x509-hash-sigs/
> Htmlized:       https://tools.ietf.org/html/draft-vangeest-x509-hash-sigs-00
> Htmlized:       https://datatracker.ietf.org/doc/html/draft-vangeest-x509-hash-sigs
>  
>  
> Abstract:
>    This document specifies algorithm identifiers and ASN.1 encoding
>    formats for the Hierarchical Signature System (HSS), eXtended Merkle
>    Signature Scheme (XMSS), and XMSS^MT, a multi-tree variant of XMSS.
>    This specification applies to the Internet X.509 Public Key
>    infrastructure (PKI) when digital signatures are used to sign
>    certificates and certificate revocation lists (CRLs).
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>  
> The IETF Secretariat
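
Added example, not part of either message and not code from the draft: a small DER check of what "used without parameters" means for a verifier, namely that the AlgorithmIdentifier holds the OID alone, with not even an ASN.1 NULL after it. It assumes the id-alg-hss-lms-hashsig value later published in RFC 8708; the other identifiers' OID values are not given in this thread, so the PARAMS_ABSENT set is a placeholder to extend, and the sample encodings are constructed.

```python
# Added example: reject an AlgorithmIdentifier that carries parameters
# when the algorithm is defined with parameters absent.
HSS_OID = "1.2.840.113549.1.9.16.3.17"  # id-alg-hss-lms-hashsig (RFC 8708)
PARAMS_ABSENT = {HSS_OID}               # assumption: add the other OIDs here
OID_TLV = bytes.fromhex("060b2a864886f70d0109100311")  # constructed sample
GOOD = b"\x30\x0d" + OID_TLV                   # SEQUENCE { OID }
WITH_NULL = b"\x30\x0f" + OID_TLV + b"\x05\x00"  # SEQUENCE { OID, NULL }

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one definite-length DER TLV."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, value = [], 0
    for b in body:  # base-128, high bit marks continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def check_algorithm_identifier(der):
    tag, seq, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag, oid_body, pos = read_tlv(seq, 0)
    if tag != 0x06:
        raise ValueError("first element is not an OBJECT IDENTIFIER")
    oid = decode_oid(oid_body)
    params = seq[pos:]  # anything after the OID is the parameters field
    if oid in PARAMS_ABSENT and params:
        kind = "NULL" if params == b"\x05\x00" else "non-NULL"
        return oid, f"reject: {kind} parameters present, must be absent"
    return oid, "ok"
```
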