Re: [lamps] [EXTERNAL] Re: Call for adoption for the composite-related Internet-Drafts

Mike Ounsworth <Mike.Ounsworth@entrust.com> Mon, 05 June 2023 01:15 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/MCsm_fkvVm_dakEJqoKihlrjC9A>

Hi Michael,

Thank you for your comments.

> I specifically still don't really understand if composites are AND vs OR, and I know that we had a lot of discussion about this last year (or was it 2021?) with some options being that it would depend.

Your confusion is understandable: draft-ounsworth-pq-composite-sigs-00 was Mar 2019, and this proposal has evolved a lot in the past 4 years.
The current draft locks everything down: composites are AND modes of pairs of algs with the algs and parameters specified by the composite OID, for example "id-Dilithium3-ECDSA-P256-SHA256". The exception (i.e. where there still is some runtime choice) is "id-Dilithium3-RSA-PSS" where both key size and PSS params are left open to runtime choice. If this work gets adopted then we would be happy to discuss that further.

---
Mike Ounsworth
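
Added example, not part of the original message or of the draft: a sketch of the AND rule described above, in which the composite identifier fixes the component pair and a signature is valid only if every component verifies. Assumptions: the identifier `id-Demo-LamportSHA256-LamportSHA3` and all function names are hypothetical, and Lamport one-time signatures over two hashes stand in for the real components (Dilithium3, ECDSA), which the Python standard library does not provide.

```python
import hashlib, secrets

# Stand-in components: Lamport one-time signatures over two different hashes.
# The registry entry is hypothetical; it plays the role of a composite OID
# that fixes the algorithm pair and its parameters.
COMPOSITES = {"id-Demo-LamportSHA256-LamportSHA3": (hashlib.sha256, hashlib.sha3_256)}

def _bits(h, msg):
    d = h(msg).digest()
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lamport_keygen(h):
    sk = [[secrets.token_bytes(32) for _ in range(2)] for _ in range(256)]
    return sk, [[h(x).digest() for x in pair] for pair in sk]

def lamport_sign(h, sk, msg):
    return [sk[i][b] for i, b in enumerate(_bits(h, msg))]

def lamport_verify(h, pk, msg, sig):
    if len(sig) != 256:
        return False
    return all(h(s).digest() == pk[i][b]
               for i, (s, b) in enumerate(zip(sig, _bits(h, msg))))

def composite_keygen(alg_id):
    pairs = [lamport_keygen(h) for h in COMPOSITES[alg_id]]
    return [sk for sk, _ in pairs], [pk for _, pk in pairs]

def composite_sign(alg_id, sks, msg):
    return [lamport_sign(h, sk, msg) for h, sk in zip(COMPOSITES[alg_id], sks)]

def component_results(alg_id, pks, msg, sigs):
    # One verdict per component; None if the id is unknown or a component
    # signature/key is missing (a stripped composite is never "partly valid").
    algs = COMPOSITES.get(alg_id)
    if algs is None or len(pks) != len(algs) or len(sigs) != len(algs):
        return None
    return [lamport_verify(h, pk, msg, s) for h, pk, s in zip(algs, pks, sigs)]

def composite_verify(alg_id, pks, msg, sigs):
    # AND mode: every component must verify.
    results = component_results(alg_id, pks, msg, sigs)
    return results is not None and all(results)

def forge_with_one_broken_component(alg_id, sks, msg):
    # Models a break of component 0 only (the forger can sign with it);
    # component 1 is unbroken, so the forger can only supply random bytes.
    algs = COMPOSITES[alg_id]
    return [lamport_sign(algs[0], sks[0], msg), [secrets.token_bytes(32)] * 256]
```

With one component modelled as broken, `component_results` returns `[True, False]`: an OR policy (`any`) would accept that forgery, while the AND rule in `composite_verify` rejects it.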

-----Original Message-----
From: Spasm <spasm-bounces@ietf.org> On Behalf Of Michael Richardson
Sent: Friday, June 2, 2023 12:30 PM
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>; LAMPS <spasm@ietf.org>
Subject: [EXTERNAL] Re: [lamps] Call for adoption for the composite-related Internet-Drafts


Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
    >> With composites in certificates we can mitigate these risks because it
    >> gives us a time window to react, whether it’s a broken algorithm

    > So I don't understand that.

I also have questions, but I think that they could be resolved during the WG process.
I specifically still don't really understand if composites are AND vs OR, and I know that we had a lot of discussion about this last year (or was it 2021?) with some options being that it would depend.

    > Let's say if rainbow+ed25519 had been
    > deployed, are you assuming that people would still be willing to accept
    > certificates thusly signed, even after rainbow got busted? ISTM more
    > likely the reaction in that event would be more akin to what happened
    > with heartbleed, which is that end entities would all rush to get new
    > certs without rainbow and rainbow would be disabled entirely by relying
    > parties.

Getting new certificates is a very TLS-focused thing, btw.
Manufacturer-installed IDevIDs can't do that, nor can SMIME encrypted data on disk, and even >2 level PKIs with subordinate CA certificates are "on disk".

(I also think heartbleed is slightly different and slightly easier to recover from, because private keys were disclosed due to no fault in the protocol itself, so there were no code changes required)


--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide



