Re: [lamps] New drafts available - non-composite hybrid authentication, and binding certs
"Kampanakis, Panos" <kpanos@amazon.com> Wed, 23 March 2022 16:43 UTC
Return-Path: <prvs=074718e62=kpanos@amazon.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id 32D213A00E1
for <spasm@ietfa.amsl.com>; Wed, 23 Mar 2022 09:43:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.607
X-Spam-Level:
X-Spam-Status: No, score=-9.607 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1,
DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001,
SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01,
URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5]
autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key)
header.d=amazon.com
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id vJX59DLHIs2y for <spasm@ietfa.amsl.com>;
Wed, 23 Mar 2022 09:43:42 -0700 (PDT)
Received: from smtp-fw-80006.amazon.com (smtp-fw-80006.amazon.com
[99.78.197.217])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id 86C1D3A18DF
for <spasm@ietf.org>; Wed, 23 Mar 2022 09:43:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209;
t=1648053820; x=1679589820;
h=from:to:date:message-id:references:in-reply-to:
mime-version:subject;
bh=khJLQXyBu0txPYf09hvoPgsQtkZF4/n8toHTjpT92JQ=;
b=CyMASEEaRVPwdfEAb/Dt005DcwB8VqS5x7UZOp4NEBYg5mdnAWyMX0Bg
d5OCXiw1RmKrE3PYwfzm/bYMH2aqxSdmOH0pgKeet+LbUzTEx0EcbRoT+
cBZ4883MdX0bT69hRgzqygT8y+Vj8XexJeVa3fK8FPo8sup2qbJzF4Aqg A=;
X-IronPort-AV: E=Sophos; i="5.90,204,1643673600"; d="scan'208,217";
a="73481005"
Thread-Topic: [lamps] New drafts available - non-composite hybrid
authentication, and binding certs
Received: from pdx4-co-svc-p1-lb2-vlan3.amazon.com (HELO
email-inbound-relay-iad-1e-54c9d11f.us-east-1.amazon.com) ([10.25.36.214])
by smtp-border-fw-80006.pdx80.corp.amazon.com with ESMTP;
23 Mar 2022 16:42:38 +0000
Received: from EX13MTAUWB001.ant.amazon.com
(iad12-ws-svc-p26-lb9-vlan2.iad.amazon.com [10.40.163.34])
by email-inbound-relay-iad-1e-54c9d11f.us-east-1.amazon.com (Postfix) with
ESMTPS id 048AEC0B93; Wed, 23 Mar 2022 16:42:37 +0000 (UTC)
Received: from EX13D01ANC004.ant.amazon.com (10.43.157.237) by
EX13MTAUWB001.ant.amazon.com (10.43.161.249) with Microsoft SMTP Server (TLS)
id 15.0.1497.32; Wed, 23 Mar 2022 16:42:32 +0000
Received: from EX13D01ANC003.ant.amazon.com (10.43.157.68) by
EX13D01ANC004.ant.amazon.com (10.43.157.237) with Microsoft SMTP Server (TLS)
id 15.0.1497.32; Wed, 23 Mar 2022 16:42:32 +0000
Received: from EX13D01ANC003.ant.amazon.com ([10.43.157.68]) by
EX13D01ANC003.ant.amazon.com ([10.43.157.68]) with mapi id 15.00.1497.033;
Wed, 23 Mar 2022 16:42:32 +0000
From: "Kampanakis, Panos" <kpanos@amazon.com>
To: "aebecke@uwe.nsa.gov" <aebecke=40uwe.nsa.gov@dmarc.ietf.org>,
"spasm@ietf.org" <spasm@ietf.org>
Thread-Index: AQHYPhZsKWTcCtspaEezW3V04zRZ9qzNE9jw
Date: Wed, 23 Mar 2022 16:42:32 +0000
Message-ID: <6228987854ad47119b86ae1d0ad36ab6@EX13D01ANC003.ant.amazon.com>
References: <SA0PR09MB72412B7DA4F1DDA68A40AD1EF1179@SA0PR09MB7241.namprd09.prod.outlook.com>
In-Reply-To: <SA0PR09MB72412B7DA4F1DDA68A40AD1EF1179@SA0PR09MB7241.namprd09.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.43.156.26]
Content-Type: multipart/alternative;
boundary="_000_6228987854ad47119b86ae1d0ad36ab6EX13D01ANC003antamazonc_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/Jo5i1eUsKRJnZyPNtlF0RBVPuhs>
Subject: Re: [lamps] New drafts available - non-composite hybrid
authentication, and binding certs
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime
\(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>,
<mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>,
<mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Mar 2022 16:43:46 -0000
Thx for the drafts Alie. Regarding draft-becker-guthrie-noncomposite-hybrid-auth<https://datatracker.ietf.org/doc/draft-becker-guthrie-noncomposite-hybrid-auth/> , I guess the advantage of the approach seems to be that if you don't trust the PQ signature yet, you won't have to migrate twice, once with a composite algorithm cert and later with a pure PQ one. I have to point out some disadvantages though compared to the PQ-composite option - there is redundancy in the cert data sent over the wire in the PQ-hybrid case. - the onus is pushed to the transport protocol which now has to do much more than support a new OID. Introducing two OIDs and two PKIs is the PQ-composite option. Not sure how to quantify which is more work. - there is more complexity in tying the two identities together by using the new extension. Imo the discussion becomes what do we consider easier and better to deploy and use, PQ-composite or PQ-noncomposite-hybrid. Rgs, Panos From: Spasm <spasm-bounces@ietf.org> On Behalf Of aebecke@uwe.nsa.gov Sent: Tuesday, March 22, 2022 2:17 PM To: spasm@ietf.org Subject: [EXTERNAL] [lamps] New drafts available - non-composite hybrid authentication, and binding certs CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe. Hi LAMPS, Two new drafts related to PQ migration are available here (note- these drafts are an update to the talk we gave at IETF112 in November) : https://datatracker.ietf.org/doc/draft-becker-guthrie-cert-binding-for-multi-auth/ and https://datatracker.ietf.org/doc/draft-becker-guthrie-noncomposite-hybrid-auth/ The noncomposite-hybrid-auth-00 draft is an informational draft that gives a general overview of hybrid authentication, and details the solution space of what we are calling non-composite type hybrid solutions for authentication. The cert-binding-for-multi-auth-00 draft defines a new CSR attribute, bindingRequest, and a new X.509 certificate extension, BoundCertificates, which together provide additional assurance that multiple certificates (used in non-composite hybrid authentication) each belong to the same end entity. Please feel free to provide any comments and feedback! Regards, Alie Becker + coauthors Rebecca Guthrie, Mike Jenkins ---- Alison Becker, PhD Center for Cybersecurity Standards National Security Agency
- [lamps] New drafts available - non-composite hybr… aebecke@uwe.nsa.gov
- Re: [lamps] New drafts available - non-composite … Ryan Sleevi
- Re: [lamps] New drafts available - non-composite … Kampanakis, Panos
- Re: [lamps] New drafts available - non-composite … David A. Cooper
- Re: [lamps] New drafts available - non-composite … aebecke@uwe.nsa.gov
- Re: [lamps] New drafts available - non-composite … Ryan Sleevi
- Re: [lamps] New drafts available - non-composite … aebecke@uwe.nsa.gov
- Re: [lamps] New drafts available - non-composite … aebecke@uwe.nsa.gov
- Re: [lamps] New drafts available - non-composite … aebecke@uwe.nsa.gov
- Re: [lamps] New drafts available - non-composite … Michael Richardson
- Re: [lamps] New drafts available - non-composite … Ryan Sleevi
- Re: [lamps] New drafts available - non-composite … aebecke@uwe.nsa.gov
- Re: [lamps] New drafts available - non-composite … Michael Richardson
- Re: [lamps] [EXTERNAL] New drafts available - non… Mike Ounsworth