Re: [lamps] PQ-composite OR or K-of-N logic
Russ Housley <housley@vigilsec.com> Wed, 27 April 2022 13:44 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 86954C23BED7 for <spasm@ietfa.amsl.com>; Wed, 27 Apr 2022 06:44:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WPHdrIVOf6yj for <spasm@ietfa.amsl.com>; Wed, 27 Apr 2022 06:44:46 -0700 (PDT)
Received: from mail3.g24.pair.com (mail3.g24.pair.com [66.39.134.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AD80BC23BECA for <spasm@ietf.org>; Wed, 27 Apr 2022 06:43:49 -0700 (PDT)
Received: from mail3.g24.pair.com (localhost [127.0.0.1]) by mail3.g24.pair.com (Postfix) with ESMTP id 8BCFF16EEB9; Wed, 27 Apr 2022 09:43:48 -0400 (EDT)
Received: from [10.0.1.2] (pfs.iad.rg.net [198.180.150.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail3.g24.pair.com (Postfix) with ESMTPSA id 72CB316BEF5; Wed, 27 Apr 2022 09:43:48 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <F24836DA-1304-4379-B91D-BBB4F012A888@vigilsec.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_51C43CD5-E2CA-4008-AB25-BEB245B7935E"; protocol="application/pgp-signature"; micalg="pgp-sha256"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
Date: Wed, 27 Apr 2022 09:43:46 -0400
In-Reply-To: <ca18a6bf6cb74756ac942fb514c82d78@d-trust.net>
Cc: LAMPS <spasm@ietf.org>
To: "\"Klaußner, Jan\"" <Jan.Klaussner@d-trust.net>
References: <f2fb2b2459fe42818348838eb14cc2ac@EX13D01ANC003.ant.amazon.com> <1312273.1650733310@dooku> <ca18a6bf6cb74756ac942fb514c82d78@d-trust.net>
X-Mailer: Apple Mail (2.3445.104.21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/Q7KAwSFKkW074BggvStbktwfHjU>
Subject: Re: [lamps] PQ-composite OR or K-of-N logic
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Apr 2022 13:44:47 -0000
Jan: A notary is often used when a signature needs to be verifiable for many decades. RFC 4998 specifies the Evidence Record Syntax (ERS), which can be used to apply additional signatures by a notary. Russ > On Apr 27, 2022, at 4:36 AM, Klaußner, Jan <Jan.Klaussner@d-trust.net> wrote: > > Hi all, > > First I completely agree with Michaels view on verification policies. > Especially in open PKIs that are not under control of one company there is a > need to signal how verification should be done. > > On the question about use cases beside the PQ transition: We believe there > is a high probability that new algorithms are successfully attacked during > the next decades. > > Therefore we want establish some agility in an PKI to more easily switch > algorithms without an immediate PKI rollover. In our case we are also > talking about use cases for document signing or long term encryption, where > digital signatures need to be valid for longer periods, sometimes up to 50 > years. > > So in case one algorithm is broken, the documents still remain secure/valid. > There would be an immediate need to reconfigure or update verifier/signing > software not to use this algorithm anymore, but there is some more time to > replace the algorithm in the PKI. > Once again, this is even more important in an open PKI. > > The k-of-n mode here is providing this agility and also the increased > security of the AND mode, simply put. > > I hope our point is now more clear to the group > > Br > Jan >> -----Ursprüngliche Nachricht----- >> Von: Spasm <spasm-bounces@ietf.org> Im Auftrag von Michael Richardson >> Gesendet: Samstag, 23. April 2022 19:02 >> An: LAMPS <spasm@ietf.org> >> Betreff: Re: [lamps] PQ-composite OR or K-of-N logic >> >> >> I read through the list and the slides. I couldn't be at the meeting on >> Wednesday as I was travelling. >> >> The document starts off with: >> "Even after the migration period, it may be advantageous for an entity's >> cryptographic identity to be composed of multiple public-key > algorithms." >> >> Panos and a few others have complained that the document attempts to >> have signers tell verifiers what to do, and this should really a verifier > policy. >> Well, that would make a lot of sense for a CMS signature on your Mortgage, >> or your MUA verifying my email. >> >> But, signers REGULARLY tell verifiers what they've done and how to verify >> things, and that's in the context of Certificates. We have all these > policy >> OIDs, and CSPs, and Path Constraints, and ... These are all signals from > the >> signer to the verifier. The verifier can, of course, have a policy that > says that >> they ignore CSPs or Path Constraints, or... >> >> I guess that the k-of-n part was in the slides only, as it's not in the > document >> that I could see. >> >> I go back to the text I quoted above, and thinking about k-of-n. >> I'm thinking that if there are more uses for the Composite-Or and >> Composite-AND structures than *just* PQ transition, that the ROI on >> implementing them may be much higher. And thus the likelyhood that we'll >> discovery and fix bugs relating to the new constructs is much higher. >> >> I think that we can agree that the last thing we want is a widespread bug > in >> validation, at the point where we find it critical to transition. >> >> ps: I giggled when I read ~~~ BEGIN EDNOTE 10~~~ >> >> >> >> >> >> -- >> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works >> -= IPv6 IoT consulting =- >> >> > > _______________________________________________ > Spasm mailing list > Spasm@ietf.org > https://www.ietf.org/mailman/listinfo/spasm
- [lamps] PQ-composite OR or K-of-N logic Kampanakis, Panos
- Re: [lamps] PQ-composite OR or K-of-N logic Russ Housley
- Re: [lamps] [EXTERNAL] Re: PQ-composite OR or K-o… Russ Housley
- Re: [lamps] [EXTERNAL] Re: PQ-composite OR or K-o… Serge Mister
- Re: [lamps] PQ-composite OR or K-of-N logic Kampanakis, Panos
- Re: [lamps] PQ-composite OR or K-of-N logic Serge Mister
- Re: [lamps] PQ-composite OR or K-of-N logic Michael Richardson
- Re: [lamps] [EXTERNAL] Re: PQ-composite OR or K-o… Michael Richardson
- Re: [lamps] PQ-composite OR or K-of-N logic Kampanakis, Panos
- Re: [lamps] PQ-composite OR or K-of-N logic Kampanakis, Panos
- Re: [lamps] [EXTERNAL] Re: PQ-composite OR or K-o… Klaußner, Jan
- Re: [lamps] PQ-composite OR or K-of-N logic Klaußner, Jan
- Re: [lamps] PQ-composite OR or K-of-N logic Russ Housley
- Re: [lamps] [EXTERNAL] Re: PQ-composite OR or K-o… Mike Ounsworth
- Re: [lamps] [EXTERNAL] Re: PQ-composite OR or K-o… Blumenthal, Uri - 0553 - MITLL
- Re: [lamps] [EXTERNAL] Re: PQ-composite OR or K-o… Santosh Chokhani
- Re: [lamps] PQ-composite OR or K-of-N logic Kampanakis, Panos
- Re: [lamps] PQ-composite OR or K-of-N logic Kampanakis, Panos
- Re: [lamps] PQ-composite OR or K-of-N logic Carl Wallace
- Re: [lamps] PQ-composite OR or K-of-N logic Michael Richardson
- Re: [lamps] PQ-composite OR or K-of-N logic Michael Richardson
- Re: [lamps] [EXTERNAL] Re: PQ-composite OR or K-o… Mike Ounsworth
- Re: [lamps] [EXTERNAL] Re: PQ-composite OR or K-o… Santosh Chokhani
- Re: [lamps] PQ-composite OR or K-of-N logic Klaußner, Jan
- Re: [lamps] PQ-composite OR or K-of-N logic Michael Jenkins
- Re: [lamps] PQ-composite OR or K-of-N logic Klaußner, Jan
- Re: [lamps] PQ-composite OR or K-of-N logic Tadahiko Ito
- Re: [lamps] PQ-composite OR or K-of-N logic Kampanakis, Panos
- Re: [lamps] PQ-composite OR or K-of-N logic Russ Housley