Re: [lamps] Hybrid pkix isn't needed

Watson Ladd <watsonbladd@gmail.com> Mon, 30 January 2023 18:49 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D778C17CEA9 for <spasm@ietfa.amsl.com>; Mon, 30 Jan 2023 10:49:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id saXQVCq9FVoI for <spasm@ietfa.amsl.com>; Mon, 30 Jan 2023 10:49:44 -0800 (PST)
Received: from mail-oi1-x22e.google.com (mail-oi1-x22e.google.com [IPv6:2607:f8b0:4864:20::22e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A831DC19E10F for <spasm@ietf.org>; Mon, 30 Jan 2023 10:49:44 -0800 (PST)
Received: by mail-oi1-x22e.google.com with SMTP id o66so10876240oia.6 for <spasm@ietf.org>; Mon, 30 Jan 2023 10:49:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=RBwmFb1pgEH3MQjsmQIi//G5iVX6Gtf31SgbfzTpV8E=; b=WVBEyrzElJqBDzAUViIowH2fT9j/w+cO744BBKtfUDQXKI8lxwb0JhuDUWWNtFQVwH BUZM7xMOrMF0y8038DdfV5NGjsvfdnoVS96PaLOwdmBApQME1y1F4TXiEFTH+sbxt6ri jBhTb0LLfQgPbqcFzWb7ITMvDFd08uL7LMdHo3AlpsutVZdz2cOv8qqEBT7zWfEKagOO 70xmDjhsfVYyW6232oQtt6pKLN2qJMqs2uUbUvbC9w0WawUj5Nb3d0M6qt0qFNSKa2yG etALA9ZsnqnUbBGUOgggeSCjjKOl2bSUpQOcSolxSQBM9xQDhLkNFjRZdxHQI0v/52X5 xlHg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=RBwmFb1pgEH3MQjsmQIi//G5iVX6Gtf31SgbfzTpV8E=; b=IVxeWgJ4QWEoHhOz+zxt0jiLafdFAcfJTmh7eSJ74BQyA+IUsxVS1ie2K87H/RaVGV cZGXA5OG0BbpJf0sELE8CCxtPIID513xZHunLlLoS5Bc5duGK3JI3iXvMNq9yOzUpoK9 KdVgfhlkNv+RIXkjTEcCcAVj+Rxd+EnJ/6O6le4MEB6pgzmSX8nNGJD7Hi+8dj+PcGdh S0z7Lnk0DRm7LebPPj7IjvIkftoQKju1ojBfkA8lj2riMA6iGtbCBpZPLYGIteSY1eDa PDwSAy6vVAm6kz0om5L4ykwNZxzj53OXa296HU6t1dk0ClNi2d3jH03tyEVXeEE1IS57 /V8A==
X-Gm-Message-State: AFqh2kpAaReCDZqBW8J7GZoKdE7xYrUtUaAqeEMvgo0aEXQMENG/br7n /DDdfedkzE/+yQp/6RxxIXSJk1TUI7qYIdPtukqhj1Ys
X-Google-Smtp-Source: AMrXdXspCjgfPaHeM8evKIm7MJ+ExdLZWaxhXbfy/AnAIB9R2VJnnJqGMuFpKl1NplQsYswzwvz9blNhnEaIvTehVs4=
X-Received: by 2002:aca:b40a:0:b0:35e:166c:193b with SMTP id d10-20020acab40a000000b0035e166c193bmr3695201oif.84.1675104583620; Mon, 30 Jan 2023 10:49:43 -0800 (PST)
MIME-Version: 1.0
References: <CACsn0c=uPvp_hmakpfPff8WkYh1q9NhjfTJYs7iFu_czL2yAyA@mail.gmail.com> <DS7PR12MB5983E36300151BFC47E5CB34AAD39@DS7PR12MB5983.namprd12.prod.outlook.com> <CH0PR11MB57392033396F181A9853FAD79FD39@CH0PR11MB5739.namprd11.prod.outlook.com>
In-Reply-To: <CH0PR11MB57392033396F181A9853FAD79FD39@CH0PR11MB5739.namprd11.prod.outlook.com>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Mon, 30 Jan 2023 10:49:32 -0800
Message-ID: <CACsn0c=n5TLZRywpRCQhpyoxX65OfA9p6e5iz9jKnnEVSX4zmQ@mail.gmail.com>
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>
Cc: Michael Markowitz <markowitz=40infoseccorp.com@dmarc.ietf.org>, "spasm@ietf.org" <spasm@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/LZavIftLwnaT2M4PuB3BEczKHfE>
Subject: Re: [lamps] Hybrid pkix isn't needed
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Jan 2023 18:49:45 -0000

On Mon, Jan 30, 2023 at 10:30 AM Mike Ounsworth
<Mike.Ounsworth@entrust.com> wrote:
<snip>

>
>
> For TLS or IKEv2, yes, signatures are less urgent than encryption, but in general you know that you’re fighting a losing battle here, right? Especially since the NSA in their CNSA 2.0 have marked code-signing as the most urgent use case to migrate to PQC. The idea is that a device will leave your manufacturing facility with a burned-in trust anchor that it should use for validating future firmware patches. For good reason you can’t change trust anchors in the field, so we need to make sure those algorithms are going to stand the test of time for the lifetime of the device.

In that case what's the point of hybridization: you need very high
security due to lack of updates, you're not signing very much, so XMSS
or another hashed based scheme is the obvious choice. Just issue those
certs, rather than add complex behavior to find some other cert in the
chain to actually use. Although I do wonder what happens when the key
you use leaks.

>
>
>
> Another example is PDF signing; if I can factor the signer’s private key so I can modify and re-sign the PDF then what’s stopping me from also back-dating the timestamps?
>
>
>
> Yet another is S/MIME email certificates: you need PQ CAs before you can issue PQ encryption certs.

Why? There's nothing wrong with mixed algorithms in a chain. The
bigger issue here is root program policies about what can be signed.