Re: [lamps] Call for adoption of draft-becker-guthrie-cert-binding-for-multi-auth-02

Santosh Chokhani <santosh.chokhani@gmail.com> Tue, 31 January 2023 17:45 UTC

Return-Path: <santosh.chokhani@gmail.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A03F7C1524BC for <spasm@ietfa.amsl.com>; Tue, 31 Jan 2023 09:45:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.093
X-Spam-Level:
X-Spam-Status: No, score=-1.093 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ponMizPDEqMO for <spasm@ietfa.amsl.com>; Tue, 31 Jan 2023 09:45:48 -0800 (PST)
Received: from mail-qt1-x82f.google.com (mail-qt1-x82f.google.com [IPv6:2607:f8b0:4864:20::82f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E0A0BC151549 for <spasm@ietf.org>; Tue, 31 Jan 2023 09:45:48 -0800 (PST)
Received: by mail-qt1-x82f.google.com with SMTP id m12so2698728qth.4 for <spasm@ietf.org>; Tue, 31 Jan 2023 09:45:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-language:thread-index:mime-version:message-id:date:subject :in-reply-to:references:to:from:from:to:cc:subject:date:message-id :reply-to; bh=RUHru9YgXztEFvZRkZDUBXe/bQlzoF9Z4t8ncVc624E=; b=buvUpXpud/VmZu8gSKhQH77ctedp/96mZQCGWvG5PV1PicG703qZPMzr4CBdVRuLGI ccMpc0/YouwjibggVHbjE9UilM4+sXcfV46KIPWcQ/lXYZXzCKTkNjJd/wwJuqjqPDbn ytAACWWbPVQB+6hKoNHN2eNzjNwPX2bmooOWEuReex3iUFJV2MCvP3M0+tIPOm5gAUZo wd9TuCfV/PDFybrR4MYpn9N0zltVZ3NuRCmsSAXDB3CHI5Fx+JNXTRvUFHmi/zQeGL/V EjhceUQ9NaLbOXz4Jb9uJuo82kzIQNn5j51CH8HJjsjRaR0ELewnA3roavQMrX2z/3M6 cwOw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-language:thread-index:mime-version:message-id:date:subject :in-reply-to:references:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=RUHru9YgXztEFvZRkZDUBXe/bQlzoF9Z4t8ncVc624E=; b=TfeqmvcMu2QiC6dE7kd55PHXYdD3sDrSV6z1sywpIR3uczLwUq/BMol16RrE18TVqX KYeRdYmiz2w9MEgj+LsmD23Z/lgdlfREdYxfj3ZyMf0RVL3InrvSNbiF1wZ25u1ZVjnE zYJ1Y8Cuc7o0hEkSZtUsHc7rknOylJEFLYXDZ9f2MXmlPkRRurhiKdrbeaynRbQ16ypN 6xtR3nGA9zcTSLWz1aP7vBVFyIL1NxqpgUMembm+6PGzJz+KapH5dtisSVUbo/NAVNr8 qdM0pHhB9sGQg6mfhN3ks3wQGEmIY2Bk33z2zpYg8BQ404hnUtQRbdDH27SkKSYLx1xX v0Lg==
X-Gm-Message-State: AO0yUKUP+ckwAwuAWeSY4KBbJT9glwY/r/ivhQm0CBLzkDBWyw6BpM5P hggMxgPjWF8MYrsrFPJgkvN9VIWa7ho=
X-Google-Smtp-Source: AK7set8LTpbdbCA/X0i86hQ76n+qenek3I2AAW2+U50qYpD8+xQD2+/w34QidgzfDtcgv5T4f6tjlQ==
X-Received: by 2002:a05:622a:1744:b0:3b8:4edd:3932 with SMTP id l4-20020a05622a174400b003b84edd3932mr20761710qtk.22.1675187147324; Tue, 31 Jan 2023 09:45:47 -0800 (PST)
Received: from SantoshBrain (pool-108-28-3-134.washdc.fios.verizon.net. [108.28.3.134]) by smtp.gmail.com with ESMTPSA id k8-20020ac80208000000b003b1546ee6absm10295073qtg.11.2023.01.31.09.45.45 for <spasm@ietf.org> (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 31 Jan 2023 09:45:46 -0800 (PST)
From: Santosh Chokhani <santosh.chokhani@gmail.com>
To: 'LAMPS' <spasm@ietf.org>
References: <PH0PR00MB10003EC6A096FE0A363BBFB9F5459@PH0PR00MB1000.namprd00.prod.outlook.com> <PH0PR00MB10002A7A2850A1333B4F6C00F54A9@PH0PR00MB1000.namprd00.prod.outlook.com> <35BEB1D9-7EA5-4CD4-BADA-88CCB0E9E8F9@vigilsec.com> <6FB4E76C-0AFD-4D00-B0FC-63F244510530@vigilsec.com> <85c60b8b-72e2-5342-7ccb-d69b84d5444f@gmail.com> <CY8PR14MB612306E16FBC70206E3D0A90EAD09@CY8PR14MB6123.namprd14.prod.outlook.com>
In-Reply-To: <CY8PR14MB612306E16FBC70206E3D0A90EAD09@CY8PR14MB6123.namprd14.prod.outlook.com>
Date: Tue, 31 Jan 2023 12:45:45 -0500
Message-ID: <167701d9359b$d9439bf0$8bcad3d0$@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_1678_01D93571.F07004F0"
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQFljVpxtnCxG7UiG+pMgVJh6HLfMQJdeOP5ASevSnwDQU/WgALUGXf4ARu2SaSvSmbKQA==
Content-Language: en-us
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/HXpgb-v353v6lfwYGk2AYw4IdIg>
Subject: Re: [lamps] Call for adoption of draft-becker-guthrie-cert-binding-for-multi-auth-02
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Jan 2023 17:45:52 -0000

See inline

 

From: Spasm [mailto:spasm-bounces@ietf.org] On Behalf Of Tomofumi Okubo
Sent: Tuesday, January 31, 2023 10:12 AM
To: Seo Suchan <tjtncks@gmail.com>; Russ Housley <housley@vigilsec.com>;
LAMPS <spasm@ietf.org>
Subject: Re: [lamps] Call for adoption of draft-becker-guthrie-cert-binding-
for-multi-auth-02

 

This mechanism will facilitate the transition to PQC.

The precondition/hope is that it's still safe to use traditional algorithms
while the transition happens. [Santosh]  This precondition is not required
since the PQC algorithm provides its own independent protection.  May be
you are making some assumptions about PQC certificate issuance is based on
traditional certificate, but that need not be the case.  Of course exactly
how signature and verification and how encryption and decryption are done
is outside the scope of this document, but if the relying party is using
both keys, PQC key will provide requisite protection in your scenario.

 

If that is not the case, we have bigger issues at hand.

 

The idea is that the parallel usage of traditional and PQC algorithm
combination ceases at some point. What is important here, is that we have a
mechanism to support the transition.

 

Hope this helps.

 

Cheers,

Tomofumi

 

 

  _____  

From: Spasm <spasm-bounces@ietf.org <mailto:spasm-bounces@ietf.org> > on
behalf of Seo Suchan <tjtncks@gmail.com <mailto:tjtncks@gmail.com> >
Sent: Tuesday, January 31, 2023, 3:46 AM
To: Russ Housley <housley@vigilsec.com <mailto:housley@vigilsec.com> >;
LAMPS <spasm@ietf.org <mailto:spasm@ietf.org> >
Subject: Re: [lamps] Call for adoption of draft-becker-guthrie-cert-binding-
for-multi-auth-02

 

Not sure how it can used safely with backward compatible : If I want 
this to be backward compatible this would be extension on classical cert 
that points PQ certificate: but if one is in position to break the 
protocol why would one can trust this extension will point anything 
reasonable? for example attacker can point another RSA certificate they 
forged, or just strip this extension.

2023-01-06 오전 8:01에 Russ Housley 이(가) 쓴 글:
> Do the changes that were made in -02 of the Internet-Draft resolve the
concerns that were previously raised?
>
> On behalf of the LAMPS WG Chairs,
> Russ
>
>
>> On Sep 15, 2022, at 11:44 AM, Russ Housley <housley@vigilsec.com
<mailto:housley@vigilsec.com> > wrote:
>>
>> There has been some discussion of https://datatracker.ietf.org/doc/draft-
becker-guthrie-cert-binding-for-multi-auth/.  During the discussion at IETF
114, we agree to have a call for adoption of this document.
>>
>> Should the LAMPS WG adopt “Related Certificates for Use in Multiple
Authentications within a Protocol” indraft-becker-guthrie-cert-binding-for-
multi-auth-01?
>>
>> Please reply to this message by Friday, 30 September 2022 to voice your
support or opposition to adoption.
>>
>> On behalf of the LAMPS WG Chairs,
>> Russ
>>
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org <mailto:Spasm@ietf.org> 
> https://www.ietf.org/mailman/listinfo/spasm

_______________________________________________
Spasm mailing list
Spasm@ietf.org <mailto:Spasm@ietf.org> 
https://www.ietf.org/mailman/listinfo/spasm