IETF Logo Mail Archive

Re: [lamps] [EXTERNAL] Current efforts in the direction of draft-truskovsky-lamps-pq-hybrid-x509?

John Gray <John.Gray@entrust.com> Fri, 07 July 2023 19:30 UTC

Return-Path: <John.Gray@entrust.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F2112C151060 for <spasm@ietfa.amsl.com>; Fri, 7 Jul 2023 12:30:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.797
X-Spam-Level:
X-Spam-Status: No, score=-2.797 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=entrust.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PoJ_VUhAgmBh for <spasm@ietfa.amsl.com>; Fri, 7 Jul 2023 12:30:37 -0700 (PDT)
Received: from mx07-0015a003.pphosted.com (mx07-0015a003.pphosted.com [185.132.183.227]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0CA29C14CE25 for <spasm@ietf.org>; Fri, 7 Jul 2023 12:30:21 -0700 (PDT)
Received: from pps.filterd (m0242864.ppops.net [127.0.0.1]) by mx08-0015a003.pphosted.com (8.17.1.22/8.17.1.22) with ESMTP id 367GMwE6012730; Fri, 7 Jul 2023 14:30:18 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=entrust.com; h= from:to:subject:date:message-id:references:in-reply-to :content-type:content-transfer-encoding:mime-version; s=mail1; bh=nqt19lL0SDiUsT1DPfpgLRKCoy1ZunNwz4vvK9mw58w=; b=Cqdl+3YC115X 6o9qhpNjdiWVpzCfmOTuV2Skuyzam3QMFTF/BXkIeHezXn624ycjwgClKCdRgtJM s/i2PuhCXuMv16/e3ZG8ezn4Trliau5fg5JD9p9z1ZIeupDommKrIl//wh1tZpRp YpRoTRv95eW5d+84OCoWKLD6lK+tsEliV1XG5vJjH2Q8sxCTjA7Qz+sWus2/gLSz l4zlhyztylsRPidB78UCWkd0S7HAJqOBtlo0jYqE/EeiLoV1uA0g/LLcnUHXKd6+ HhUb98xcIA99hKySMD9kb2vSg8fSZA/I1FuUcSQFjD6YOH8dTkkI4xFrIMsCjqPf XjaCiyjA8g==
Received: from nam11-dm6-obe.outbound.protection.outlook.com (mail-dm6nam11lp2172.outbound.protection.outlook.com [104.47.57.172]) by mx08-0015a003.pphosted.com (PPS) with ESMTPS id 3rp453uf8e-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 07 Jul 2023 14:30:18 -0500 (CDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Z6RB48sbGKYqq03RqrpqlTc2fdJ8wM5t1J/Al5sZKzYj2VxCwk3hsYaa/4r/f/MvfxGIhXkKavI5RlE++RWqRy5yTEHDPUug4l+rwd0FezGSk1xE8WEzaPUoSwkHZIQWFC0VmXiX5R0lMONxJpAejPHpPnufjY99/m5MUPi4A1isczPvAewPGIwGow7MqMB8QI8E0oAIZn5/hdksdks8T1mTgDpB8lhuz6rCgVZ3qWs/+TGP7PivaDfMfkFSMAL7c16J/5cfXFQgCiyerMNl8Wv9y8MKMpxsY5aeahOKG5b8jOlZMB92TQGG7N4SR3MUb2h5qeOf6CeRiZELdsGOTA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=nqt19lL0SDiUsT1DPfpgLRKCoy1ZunNwz4vvK9mw58w=; b=dLuB3/8161fU5TdCzBlqbkk7QG3RZaOvpTdYAAChvwllQZ8aOHBOdGvnaL0hSEw/j5+uUBWAQY7DRcFVUNtoStrWD2+JZtWsaF4fGIoKtoAWJnIfVLPuM+Q1jsA6ICge3qGB4tagetMzmrhD+SM8C8Xn9yPlD6wj9ZRUKKLasetAha2dlV8fOi31YtB9JWgogCUZV2vl4Er6rSt6+5nHdnQWMSiJ09d08PQCdnbMdZmTrthZbFI3H4BuNJ+q0atQAk+1kjBpUZOddR2ioaIDTYisMh2V6EW9wT/W+u7jfAVGtPh7losyx+ngfLeGrbnsy/m4iDnGDAMz2HADiK/a9g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=entrust.com; dmarc=pass action=none header.from=entrust.com; dkim=pass header.d=entrust.com; arc=none
Received: from DM6PR11MB2585.namprd11.prod.outlook.com (2603:10b6:5:ce::22) by CY8PR11MB7059.namprd11.prod.outlook.com (2603:10b6:930:51::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6565.25; Fri, 7 Jul 2023 19:30:15 +0000
Received: from DM6PR11MB2585.namprd11.prod.outlook.com ([fe80::a421:e0aa:e01f:d17f]) by DM6PR11MB2585.namprd11.prod.outlook.com ([fe80::a421:e0aa:e01f:d17f%3]) with mapi id 15.20.6565.025; Fri, 7 Jul 2023 19:30:15 +0000
From: John Gray <John.Gray@entrust.com>
To: Iyán Méndez Veiga <imendez@ethz.ch>, "spasm@ietf.org" <spasm@ietf.org>
Thread-Topic: [EXTERNAL] [lamps] Current efforts in the direction of draft-truskovsky-lamps-pq-hybrid-x509?
Thread-Index: AQHZsNwyKfH8CAfxfUieDVV8Kmfslq+ur/ug
Date: Fri, 07 Jul 2023 19:30:14 +0000
Message-ID: <DM6PR11MB25855B2C635E45B8C2F61E49EA2DA@DM6PR11MB2585.namprd11.prod.outlook.com>
References: <7857448.9X9Kdy9spX@thinkpad>
In-Reply-To: <7857448.9X9Kdy9spX@thinkpad>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: DM6PR11MB2585:EE_|CY8PR11MB7059:EE_
x-ms-office365-filtering-correlation-id: dd4600db-3cf7-4569-787a-08db7f2096cd
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: /tHtgyzEK9b0+hmQWj4+T009G3/wA/MX5KI6R1+7evrfbhOg/yki+rhDk+UttCZA9CHUokbLNmLs7gE9IP5tSdMQHTc0EmCc8O/TtCYOtqMqEFkR4EchDd+Whr7dbQjNsEwVnljiTKOErvKonbJMnjwQlWTQeywjG/zKPjGUpClhD0WAqNEbPcLzO8e15jsNfMID1iHAqp91mcSCg+yfkazjSU4rKN9MtL8UTKmdd5VZfzZYaxYMZ8fwKJE+UBCENssB+mSo9Kx1Y9zOZn1jb5kC1xa3JOGa49fL1bBncN/+1Zx8p0/PFW2bLpKkScSl+hRvkPj8PqozTo8vVAzWVtHy8CGX95vau4WJzEhVKtLhcGE9wCEAaMgmVz+x1YWDGLWhWFYpGg1WC45gyGnZJy9NaXSd4qU8VCqvKqE1TwkykOOayiry1U+4cb12lrj+I4aGT4VBpm/nMeTn5CsP+cKdN8mczkumDBgxuej/uO0UKQNsfK6/COKWw84X5KKDbDFaZe0r1Jx+IMRPRmS44Njfiqgr8wQ5jzkM1PCE71hBkEViq5JqwpRgP3Po79xasOBjLPLzoKOskEzAmbD8HzMW1NZkkATsFQiRSkcLFM9e8TdW+HWzLlsLemh+nRCwblbmpxCJe56ApLEf1CtxnQ==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM6PR11MB2585.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230028)(39860400002)(376002)(346002)(366004)(136003)(396003)(451199021)(122000001)(38100700002)(86362001)(33656002)(38070700005)(55016003)(8936002)(8676002)(9686003)(41300700001)(26005)(52536014)(5660300002)(53546011)(71200400001)(966005)(6506007)(186003)(2906002)(66574015)(83380400001)(478600001)(76116006)(7696005)(66946007)(316002)(110136005)(66476007)(64756008)(66556008)(66446008); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: oT2k9Vlk5yZ3cuhXSzfx1Zn56leWbrG+CLEjnkEOzsgG9kGk3uk0nuWFE6DSo3Eu2y5oY/Ad1gtZOQHcLiN33iwK5X2DwgIXgzv+D6DHlJBdgcfPwYF8QlM+MBJvQ2D5chd4n9toBY7zNm2lB3uu6ECIPnB+pXBIyFQetmcnw3bauNKyFCi49QCu1mamdiqwnS5m+YNRWtMfTWo1hWIrEIiRb78SoDxZnl8jBg8xVKTFzHkf/snF7ado9Jg2DXWO9xCckAIl7loMdjN8IOxJkMN9kNXI7dIeDVPdVjv+f5KAujo5cjfL3+g1Uc+Cn6HpfHFgu8t9WkOwenn5uJhWpiq0hhRnNopdwRAebyWFDnxWiULgvie+K1w/UYApjhjXjxp50TbyU7sGfnYRqfRHPStI3sn5tPBnQZ7JWNJ9jyqF6CYNumM/XcO+lEmnWi3FyKqvxh+FQ7oqTawjrGkKYJJR+9szNW2sCgnpeiKgA3VGutgA+XCNniBvTX0PJrCtew0woGKkE8pNqw+7h+toXVyMsz7u8Je4Eo+P3EFu3sqizihNwswqrNz9/M0guS+116xzIW9MM+LX4jXHp4OIlbSiwKzh7oEE+cOlqSfn1Kv24Cj4V1YJMIV+ODuCRKQRRv7WZ+xNSYturinli5GIRpf9aNBj/Xo6OvBmae1IwJOi2CNlLtZzpjHx1r3xUWjKujG/yAvnWg2/WHDTgQQbj4UoEekNC0yhoJJmDykg2lcVvUEgHe0Inj0QFMdx/ud0BRBHtheOR7VxVRgiVU8BfhWuHBDHOnF7rM5T3etBBlBlxPdMu/n9Q60tNO1CnAURQL0s1STqnGOKW7/s7Zt5IRcPlaaiJBZQsDPbYlm2tUDnJkJq4f626BVuJ2ebzSABuoTxgksliTUr4snW301jZdfhb7LS8dLcM/39OqfkgCBShUevnGfER7pdp117YmEVU16XEP6fV3aWDpeRZslpTSp/uIeKgVQujoKS+tQ2hbbUudLpnFLz3tUXMIJbWB/Zy5OLomMuInGJkMeLcydqbGiYRCIGEvZwzPNr/oCABxqYFRZKqXu1gj9XmQ+bDbIMBEQEkmPY6Y/MXySl0yaoV0Un+UfiPQiPh3yKQtgzBBXd0k95PBpbIsBKLkrzyLyVKpI4/kpLKyUJbwEMc7YPHHvibNd32z+jVXOerpml7ZrHNoMu3m25uCJe9AOqMTI4ZJN5Rur+aatEln/kQjPUM8SXhLIEk2rm2J+FYqgi33IDYsjSm5Ujp8qiETseI5g/rzi3yl1FwLvabI5eE34XIzqBLlg++4Qp3jwEaIxlEahM5/jkWyEyTDqIi5jAB7Wed8grmL+c7PRBlOMt+wsIEmFdSkEbYcWGhUWU1aWziefOkQN5Ti1Vl5ZMiQ1TTtSIScMDmJiMf+KC4fx3/Khe6p+yrwnx87uQMDMxbdkeZdzv3kYgMsjRNyrHpACGphka/FHRMeI3P/90JtfBx0bdG8q1Sx0fIC9FkHlWVUjkzv+h2axnt5yaSip1BFLJE6qwhhT+C1I7rqqHTJ63sfa0FnyjMvTk6UmMZ1cgaRyUDCJ530fuy3pe6SwD2J1b7N2h
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: entrust.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM6PR11MB2585.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: dd4600db-3cf7-4569-787a-08db7f2096cd
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Jul 2023 19:30:14.8726 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f46cf439-27ef-4acf-a800-15072bb7ddc1
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: ouJlnMkSTZuDWTt3IIBB1+Iy2MZh2YTdiYNxFKsWAh+/A4+JUC0q82RqcfSFIQDNC+ZSjnHzWEk/vx2jvsg6DQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY8PR11MB7059
X-Proofpoint-ORIG-GUID: zQvnTfq4QVw5SpOm4cibNilcCGHqWzXV
X-Proofpoint-GUID: zQvnTfq4QVw5SpOm4cibNilcCGHqWzXV
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.254,Aquarius:18.0.957,Hydra:6.0.591,FMLib:17.11.176.26 definitions=2023-07-07_13,2023-07-06_02,2023-05-22_02
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 bulkscore=0 malwarescore=0 lowpriorityscore=0 priorityscore=1501 suspectscore=0 impostorscore=0 spamscore=0 adultscore=0 mlxscore=0 mlxlogscore=999 phishscore=0 clxscore=1011 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2305260000 definitions=main-2307070179
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/JXCdKa2DxSwSIt4299drpV5FCoM>
Subject: Re: [lamps] [EXTERNAL] Current efforts in the direction of draft-truskovsky-lamps-pq-hybrid-x509?
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Jul 2023 19:30:42 -0000

Iyán,

This is interesting timing,

Corey's message earlier today introduced our new draft, which is a slightly different approach to the Hybrid Catalyst problem:
https://datatracker.ietf.org/doc/draft-bonnell-lamps-chameleon-certs/   I copied his message below:

Cheers,

John Gray


From: Spasm <spasm-bounces@ietf.org> On Behalf Of Corey Bonnell
Sent: Friday, July 7, 2023 8:11 AM
To: LAMPS WG <spasm@ietf.org>
Subject: [EXTERNAL] [lamps] A Mechanism for Encoding Differences in Paired Certificates ("Chameleon Certificates")

Hello,
At the Hackathon at IETF 116 this March, several participants implemented the “Hybrid Catalyst” certificate extension processing initially documented in https://datatracker.ietf.org/doc/html/draft-truskovsky-lamps-pq-hybrid-x509-01 and later standardized in ITU-T X.509 10/2019. This implementation experience led several of us to explore alternative mechanisms to efficiently convey multiple keys and other attributes in a single X.509 certificate. The product of these discussions is the specification a mechanism informally called “Chameleon Certificates” at https://datatracker.ietf.org/doc/draft-bonnell-lamps-chameleon-certs/. The mechanism that we developed allows for the differences between two related certificates to be encoded in a single extension within one of the certificates. Relying parties can then extract the other certificate using the information found in the extension.

The primary use case in mind is algorithm migration, in particular post-quantum algorithm migration. However, the mechanism can also be applied to other use cases, such as efficiently encoding a signing certificate and encryption certificate in one X.509 certificate.

Several folks are already planning to work on implementing this draft at the IETF 117 Hackathon, but we’d like to circulate this draft to this group for initial thoughts.

Thanks,
Corey on behalf of the authors

-----Original Message-----
From: Spasm <spasm-bounces@ietf.org> On Behalf Of Iyán Méndez Veiga
Sent: Friday, July 7, 2023 10:05 AM
To: spasm@ietf.org
Subject: [EXTERNAL] [lamps] Current efforts in the direction of draft-truskovsky-lamps-pq-hybrid-x509?

WARNING: This email originated outside of Entrust.
DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.

______________________________________________________________________
Hello,

I recently found the interesting draft-truskovsky-lamps-pq-hybrid-x509, which I think it would allow a much smoother PQC transition.

Unfortunately, the draft has expired some time ago, and I couldn't find any derivative work apart from a small reference by Mike that this was standardized by ITU-T [1]. I guess he was referring to section 7.2.2 of their
X.509 (10/2019):

https://urldefense.com/v3/__https://www.itu.int/rec/T-REC-X.509-201910-I__;!!FJ-Y8qCqXTj2!dNyWih2XJr-B63kAzEaisQuaTWxwCy2LkamjW-v6YwOHAh1Gv22KC4xXwQtjjjiRUbt7XXRymy4Jd71PYA72a7Cv$

There was also some recent mention to the draft in the IETF 116 Hackathon "PQ Use in the Read world: X.509 Keys, signatures, certificates and protocols", but I couldn't find any details.

It was also pointed out to me [2] that this approach was protected by a patent owned by ISARA, but later it seems they relaxed this restriction [3].

DigiCert seems to be testing this idea as well [4].

Could anyone summarize to me the current status of this work? Why this draft never got updated? Are there any plans to continue working on this with an active draft?

People from the Open Quantum Safe project have shown interest in implementing this, since it's a good approach with a straightforward backwards compatibility, but since changes have to be made to OpenSSL as well, and I quote here "not having this at least in active Draft state at IETF makes this a non-starter".

Looking forward to learning more about the status of this work.

Best regards,
Iyán

[1]: https://urldefense.com/v3/__https://mailarchive.ietf.org/arch/msg/spasm/VJPJXLquDjEjEmRysiGrdsL-Nwc/__;!!FJ-Y8qCqXTj2!dNyWih2XJr-B63kAzEaisQuaTWxwCy2LkamjW-v6YwOHAh1Gv22KC4xXwQtjjjiRUbt7XXRymy4Jd71PYNGV1vCo$
[2]: https://urldefense.com/v3/__https://github.com/open-quantum-safe/oqs-provider/discussions/209__;!!FJ-Y8qCqXTj2!dNyWih2XJr-B63kAzEaisQuaTWxwCy2LkamjW-v6YwOHAh1Gv22KC4xXwQtjjjiRUbt7XXRymy4Jd71PYJUx_S7u$
[3]: https://urldefense.com/v3/__https://www.helpnetsecurity.com/2022/10/26/isara-digital-certificate-patents-quantum-security/__;!!FJ-Y8qCqXTj2!dNyWih2XJr-B63kAzEaisQuaTWxwCy2LkamjW-v6YwOHAh1Gv22KC4xXwQtjjjiRUbt7XXRymy4Jd71PYLKSruV6$
[4]: https://urldefense.com/v3/__https://docs.digicert.com/en/certcentral/certificate-tools/post-quantum-cryptography.html*idm45907393047856__;Iw!!FJ-Y8qCqXTj2!dNyWih2XJr-B63kAzEaisQuaTWxwCy2LkamjW-v6YwOHAh1Gv22KC4xXwQtjjjiRUbt7XXRymy4Jd71PYATBKYee$


_______________________________________________
Spasm mailing list
Spasm@ietf.org
https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/spasm__;!!FJ-Y8qCqXTj2!dNyWih2XJr-B63kAzEaisQuaTWxwCy2LkamjW-v6YwOHAh1Gv22KC4xXwQtjjjiRUbt7XXRymy4Jd71PYIiMMklq$
Any email and files/attachments transmitted with it are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.

v2.23.0 | Report a Bug | By Email