IETF Logo Mail Archive

Re: [lamps] Call for adoption of draft-becker-guthrie-cert-binding-for-multi-auth-01

Russ Housley <housley@vigilsec.com> Sat, 24 September 2022 16:32 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F18C6C14CF17 for <spasm@ietfa.amsl.com>; Sat, 24 Sep 2022 09:32:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.907
X-Spam-Level:
X-Spam-Status: No, score=-6.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JzcqH1iC7prD for <spasm@ietfa.amsl.com>; Sat, 24 Sep 2022 09:32:16 -0700 (PDT)
Received: from mail3.g24.pair.com (mail3.g24.pair.com [66.39.134.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5E096C14F736 for <spasm@ietf.org>; Sat, 24 Sep 2022 09:32:16 -0700 (PDT)
Received: from mail3.g24.pair.com (localhost [127.0.0.1]) by mail3.g24.pair.com (Postfix) with ESMTP id 6853E147D54; Sat, 24 Sep 2022 12:32:15 -0400 (EDT)
Received: from a860b60074bd.fios-router.home (unknown [96.241.2.243]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail3.g24.pair.com (Postfix) with ESMTPSA id 558BB6AE5B; Sat, 24 Sep 2022 12:32:15 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <DM6PR11MB25855892311FC469F512F5B4EA519@DM6PR11MB2585.namprd11.prod.outlook.com>
Date: Sat, 24 Sep 2022 12:32:15 -0400
Cc: LAMPS <spasm@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <63DA80CA-2A86-49BC-8819-0F7290F7D4FD@vigilsec.com>
References: <PH0PR00MB10003EC6A096FE0A363BBFB9F5459@PH0PR00MB1000.namprd00.prod.outlook.com> <PH0PR00MB10002A7A2850A1333B4F6C00F54A9@PH0PR00MB1000.namprd00.prod.outlook.com> <35BEB1D9-7EA5-4CD4-BADA-88CCB0E9E8F9@vigilsec.com> <2b711f2ede13466490ce79f822244f5a@amazon.com> <7C0329F9-EAEF-4046-B47F-301ECF28196C@vigilsec.com> <4bc42baf89d54eecae87d24c9c20bdd2@amazon.com> <DM6PR11MB25855892311FC469F512F5B4EA519@DM6PR11MB2585.namprd11.prod.outlook.com>
To: John Gray <John.Gray@entrust.com>
X-Mailer: Apple Mail (2.3445.104.21)
X-Scanned-By: mailmunge 3.09 on 66.39.134.11
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/OvFojKa62a_pmcANzjXeKcRZC8U>
Subject: Re: [lamps] Call for adoption of draft-becker-guthrie-cert-binding-for-multi-auth-01
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Sep 2022 16:32:20 -0000

John:

It makes sense to me that composite signatures are straight forward to implement.

I think that composite key management is more complex, especiall if there is a mix of key transport, key agreement, and KEM.

I think the point of disagreement on this thread is whether a new CA paradigm is needed to include a pointer in one certificate to another certificate.

Russ

> On Sep 23, 2022, at 5:57 PM, John Gray <John.Gray=40entrust.com@dmarc.ietf.org> wrote:
> 
> Just to plus on what Panos has said (as someone who has implemented composite), it is exactly as he says:  I implemented a composite signature algorithm (in Java using the standard Signature APIs), and then to test with protocols I simply allow the protocol (X.509 Certs 5280 validation, CMS, TLS, OCSP, Timestamping, etc) to make use of composite as a Signature algorithm.  I didn't have to touch the core of the protocol implementations (other than to allow them to make use of the composite Signature algorithm).   Since signature algorithms have common API's (keygen(), sign(), verify() and key and signature parameter objects), it is very trivial to plug them into existing protocols.  It is no more difficult to add composite than adding the pure PQ implementations (Dilithium, Falcon, Sphincs+) to existing protocols.  I added those at the same time for prototyping purposes.  Obviously I had to define prototype OIDs to get it all working at this early stage in the standards process, but t
> hose are trivial to change once we have official OIDs.
> 
> Cheers,
> 
> John Gray
> 
> 
> 
> -----Original Message-----
> From: Spasm <spasm-bounces@ietf.org> On Behalf Of Kampanakis, Panos
> Sent: Friday, September 23, 2022 2:35 PM
> To: Russ Housley <housley@vigilsec.com>
> Cc: LAMPS <spasm@ietf.org>
> Subject: [EXTERNAL] Re: [lamps] Call for adoption of draft-becker-guthrie-cert-binding-for-multi-auth-01
> 
> WARNING: This email originated outside of Entrust.
> DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.
> 
> ______________________________________________________________________
> Hi Russ,
> 
> I see composite certs as a new OID to be deployed in X.509 and a new sig algorithm to be negotiated and used in protocols. I see draft-becker-guthrie-cert-binding-for-multi-auth as a new cert issuing paradigm and a bunch of changes for protocols (send two chains, send two signatures, check the two identities to ensure they are proper, etc).
> 
> I don't consider the effort for the protocol changes in the former nearly as complicated as the latter. As for the cert issuing logic changes proposed in draft-becker-guthrie-cert-binding-for-multi-auth, I consider them full of landmines not nearly similar to the ones we deal with today. CAB/F participants could chime in here.
> 
> 
> 
> 
> -----Original Message-----
> From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
> Sent: Friday, September 23, 2022 2:23 PM
> To: Kampanakis, Panos <kpanos=40amazon.com@dmarc.ietf.org>
> Cc: LAMPS <spasm@ietf.org>
> Subject: RE: [EXTERNAL][lamps] Call for adoption of draft-becker-guthrie-cert-binding-for-multi-auth-01
> 
> CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.
> 
> 
> 
> Panos:
> 
>> Additionally, it has great implications to existing protocols using X.509 for authentication. They would require major changes to introduce double signatures, send over two chains, confirm the signatures are from bound public keys etc.
>> 
>> I understand that the authors' goal was to prevent two PKI migrations, one to PQ-hybrid and one to pure PQ but in my opinion the complexity is not worth it. Folks that are worried about authentication and want PQ support now could use composite in the near-term. Folks that either trust Dilithium, Falcon, or SPHINCS+ already or can wait a few years until they trust them, can just go to pure PQ signatures. These seem better options than going for a brand new complicated paradigm with bound certificates.
> 
> If we believe that PQC and traditional algorithms will be used in combination, then we either need to put multiple public keys in a certificate that have multiple signatures on them, or we need to have a PQC certification path and a traditional certification path.  In both cases, the security protocol needs to be changes to make use of the tradition and PQC public keys.
> 
> The LAMPS charter lets us develop RFCs for both approaches.  The assumption is that both approaches will be deployed in different parts of the Internet.
> 
> When X.509 was developed, it assumed that a Directory would provide the repository for certificates issued to the same subject.  That Directory has not come to pass.  So, this draft is offering a way for the CA to tell where to find other certificates for the same subject.  This is not a new idea.  Please take a look at RFC 5697.
> 
> Russ
> 
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/spasm__;!!FJ-Y8qCqXTj2!ajf2_DTVwFXBJ3Ll8lAbSAMGbF40mkSopLwqhhvldT9KMVPRIz9B9gEpxfs9MP77SrKgM5L3_ZnIcBK7Qwp7kaPjloW2iXAW1LHVem8$
> 
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/spasm__;!!FJ-Y8qCqXTj2!ajf2_DTVwFXBJ3Ll8lAbSAMGbF40mkSopLwqhhvldT9KMVPRIz9B9gEpxfs9MP77SrKgM5L3_ZnIcBK7Qwp7kaPjloW2iXAW1LHVem8$
> Any email and files/attachments transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.
> 
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm

v2.37.1 | Report a Bug | By Email | System Status