Re: [lamps] New Version Notification for draft-massimo-lamps-pq-sig-certificates-00.txt

"Massimo, Jake" <jakemas@amazon.com> Mon, 11 July 2022 21:21 UTC

Return-Path: <prvs=18449ac40=jakemas@amazon.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D96AC18872F for <spasm@ietfa.amsl.com>; Mon, 11 Jul 2022 14:21:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.207
X-Spam-Level:
X-Spam-Status: No, score=-10.207 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.582, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazon.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7HDqln9OC-Yy for <spasm@ietfa.amsl.com>; Mon, 11 Jul 2022 14:21:26 -0700 (PDT)
Received: from smtp-fw-2101.amazon.com (smtp-fw-2101.amazon.com [72.21.196.25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 59EE4C182D6C for <spasm@ietf.org>; Mon, 11 Jul 2022 14:21:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1657574487; x=1689110487; h=from:to:cc:date:message-id:references:in-reply-to: content-id:content-transfer-encoding:mime-version:subject; bh=/NUtaqUgHkYSx6D75coBk+r1eCUkWvvTCYaJAI4TTyc=; b=qPK3AhCTEpMgU0Vqnl4CR5TJwkIIV3ghTqX3ALyayiWoa23SiZ9nSJ7M 7zLyWboX7jCxTGTexqi5qT7T3DIeXZ71ehXy7Vf+zyRiCf2g7Lp5CDE4I VdOD39mRvZYmFnnoy8R0klh4sZS/7gLGIqPu3bWLhbh/4AQcvfXBg59Nr E=;
X-IronPort-AV: E=Sophos;i="5.92,263,1650931200"; d="scan'208";a="217052393"
Thread-Topic: [lamps] New Version Notification for draft-massimo-lamps-pq-sig-certificates-00.txt
Received: from iad6-co-svc-p1-lb1-vlan3.amazon.com (HELO email-inbound-relay-iad-1a-e823fbde.us-east-1.amazon.com) ([10.124.125.6]) by smtp-border-fw-2101.iad2.amazon.com with ESMTP; 11 Jul 2022 21:21:14 +0000
Received: from EX13D46EUA002.ant.amazon.com (iad12-ws-svc-p26-lb9-vlan3.iad.amazon.com [10.40.163.38]) by email-inbound-relay-iad-1a-e823fbde.us-east-1.amazon.com (Postfix) with ESMTPS id 435E3C08E1; Mon, 11 Jul 2022 21:21:11 +0000 (UTC)
Received: from EX13D46EUA004.ant.amazon.com (10.43.165.216) by EX13D46EUA002.ant.amazon.com (10.43.165.177) with Microsoft SMTP Server (TLS) id 15.0.1497.36; Mon, 11 Jul 2022 21:21:11 +0000
Received: from EX13D46EUA004.ant.amazon.com ([10.43.165.216]) by EX13D46EUA004.ant.amazon.com ([10.43.165.216]) with mapi id 15.00.1497.036; Mon, 11 Jul 2022 21:21:11 +0000
From: "Massimo, Jake" <jakemas@amazon.com>
To: John Gray <John.Gray=40entrust.com@dmarc.ietf.org>, "Massimo, Jake" <jakemas=40amazon.com@dmarc.ietf.org>, "spasm@ietf.org" <spasm@ietf.org>
CC: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>, Russ Housley <housley@vigilsec.com>, Corey Bonnell <Corey.Bonnell=40digicert.com@dmarc.ietf.org>
Thread-Index: AQHYlLvUOH6iBTMGFEak1TvQzHXtlK15OXcA
Date: Mon, 11 Jul 2022 21:21:10 +0000
Message-ID: <2FC18312-6EF8-4627-B842-982F03F6C591@amazon.com>
References: <165730536831.38896.16291114694128678237@ietfa.amsl.com> <5E2336DD-1169-4695-BEEA-E3A825982412@amazon.com> <DM6PR11MB2585CB30B5A19BDB39400B95EA879@DM6PR11MB2585.namprd11.prod.outlook.com>
In-Reply-To: <DM6PR11MB2585CB30B5A19BDB39400B95EA879@DM6PR11MB2585.namprd11.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.43.165.145]
Content-Type: text/plain; charset="utf-8"
Content-ID: <6BB391E854FA8444B950F75087C3B9FC@amazon.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/QjwPTtRXqKOAABBqBZc1dgttopU>
Subject: Re: [lamps] New Version Notification for draft-massimo-lamps-pq-sig-certificates-00.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Jul 2022 21:21:30 -0000

Hi John, Uri, Russ, Corey,

Thank you for feedback so far, it is greatly appreciated.

    > I am glad to see there are no algorithm parameters.   We have already been doing experiments with Dilithium certificates based on the round 3 candidates, and had to pick our own OIDs (due to lack of standard) and chose NOT to use parameters because we didn't know if there would be any.   So it looks like there won't be a lot of changes required to our early non-standard prototype implementations

I'm glad to hear this. Yes, this is an intentional design decision, the OID should tell you all you need to know.

    > In regards to wrapping the public key in an OCTET_STRING:...

Thank you for kicking off this discussion, I was hoping for feedback in this regard, as I toyed with the historical precedent set by other standards. I'll keep tracking the ongoing discussion in this thread and make changes accordingly. I'll check out RFC 8017 for RSAPublicKey as Russ mentioned.

    > In regards to the Private Key format, I notice you have placed an option to contain the PublicKey inside the private key.  Is this to align with other private key formats like RFC 5915 (Elliptic Curve Private Key)?     With the larger size of these Dilithium keys (and other Post Quantum Keys), I think there would be less appetite for including the public key inside the private key.   

This raises a good point. Yes I was trying to align with other private key formats, but as you say, with the larger sizes of PQ keys it may further escalate the issues surrounding the large increase in key sizes across all PQ algorithms.

   > In section 5, you have this sentence:...

You are correct, this is an error I will fix accordingly - good spot!

Thanks again for the feedback so far,
Jake


---------

On 10/07/2022, 17:19, "Spasm on behalf of John Gray" <spasm-bounces@ietf.org on behalf of John.Gray=40entrust.com@dmarc.ietf.org> wrote:

    CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.

    Thank you for posting this draft.   It looks very well formed, almost as if you were just waiting for an announcement to be made...  😊

    I am glad to see there are no algorithm parameters.   We have already been doing experiments with Dilithium certificates based on the round 3 candidates, and had to pick our own OIDs (due to lack of standard) and chose NOT to use parameters because we didn't know if there would be any.   So it looks like there won't be a lot of changes required to our early non-standard prototype implementations.  😊

    That being said, I have a couple of comments:

    In regards to wrapping the public key in an OCTET_STRING:

    The Dilithium public key MUST be encoded using the ASN.1 type
       DilithiumPublicKey:

         DilithiumPublicKey ::= OCTET STRING

    In testing interop with other implementations (openSSL with open quantum safe for example), I noticed they DO NOT wrap the DilithiumPublicKey in an OCTET_STRING.   We did that in our initial implementation, but after going through RFC 5280 again, I don't see a specific need to first wrap the DilithiumKey (or in fact any of the other Post Quantum Signature types such as SPHINCS+ or Falcon) in an OCTET_STRING as that OCTET_STRING then gets wrapped into a BIT STRING as per the SubjectPublicKeyInfo.   You actually save 4 bytes without the wrapping....    In any case our current implementation can handle both ways, but it was something I came across and thought I would ask if there was a specific reason why it needed to be wrapped in an OCTET_STRING?

    This question underlies why we definitely need a standard...   😊


    In regards to the Private Key format, I notice you have placed an option to contain the PublicKey inside the private key.

    DilithiumPrivateKey ::= SEQUENCE {
             rho         BIT STRING,         - nonce/seed
             K           BIT STRING,         - key/seed
             tr          BIT STRING,         - PRF bytes (CRH in spec.)
             s1          BIT STRING,         - vector l
             s2          BIT STRING,         - vector k
             t0          BIT STRING,         - encoded vector
             PublicKey   IMPLICIT DilithiumPublicKey OPTIONAL
         }

     Is this to align with other private key formats like RFC 5915 (Elliptic Curve Private Key)?     With the larger size of these Dilithium keys (and other Post Quantum Keys), I think there would be less appetite for including the public key inside the private key.   If an implementation depends on the public key being there, and it is not there, then I guess it would fail, possibly causing interop issues (I have already come across this with the openSSL - libOQS library as they concatenated the public key in the private key, and our implementation did not).  So I guess with it being optional are you saying implementations MUST accept the key in either format (with the public key included or with no public key included)?


    In section 5, you have this sentence:

    Dilithium public keys are
       optionally distributed in the publicKey field of the PrivateKeyInfo
       structure.

    I think you mean:

    Dilithium public keys are
       optionally distributed in the publicKey field of the DilithiumPrivateKey
       structure.


    The PrivateKeyInfo structure from RFC 5208 does not contain a public key structure:

    PrivateKeyInfo ::= SEQUENCE {
            version                   Version,
            privateKeyAlgorithm       PrivateKeyAlgorithmIdentifier,
            privateKey                PrivateKey,
            attributes           [0]  IMPLICIT Attributes OPTIONAL }


    Thanks again for putting this draft out so quickly after the NIST announcement!

    Cheers,

    John Gray
    Entrust

    -----Original Message-----
    From: Spasm <spasm-bounces@ietf.org> On Behalf Of Massimo, Jake
    Sent: Friday, July 8, 2022 4:08 PM
    To: spasm@ietf.org
    Subject: [EXTERNAL] [lamps] FW: New Version Notification for draft-massimo-lamps-pq-sig-certificates-00.txt

    WARNING: This email originated outside of Entrust.
    DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.

    ______________________________________________________________________
    Hi!

    I'd like to introduce the 00 draft of the I-D we discussed @ IETF 113 (and we will discuss again @ IETF 114) that will document algorithm identifiers and ASN.1 encoding format for NIST's PQC signature algorithms in X.509. As discussed by Sean Turner in the introduction of the I-D draft-turner-lamps-nist-pqc-kem-certificates, we are splitting up the KEMs from the signature algorithms into separate I-Ds. This is the signature algorithm part. We focus on single PQC algorithm rather than hybrid constructions that are covered in other drafts. We are planning to use the algorithm identifiers assigned by NIST. The draft discusses the signature algorithm Dilithium.

    If there are any feedback or comments to the draft in advance to the meeting, feel free to contact me.

    Cheers,
    Jake


    On 08/07/2022, 11:37, "internet-drafts@ietf.org" <internet-drafts@ietf.org> wrote:

        CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.



        A new version of I-D, draft-massimo-lamps-pq-sig-certificates-00.txt
        has been successfully submitted by Jake Massimo and posted to the
        IETF repository.

        Name:           draft-massimo-lamps-pq-sig-certificates
        Revision:       00
        Title:          Algorithms and Identifiers for Post-Quantum Algorithms
        Document date:  2022-07-08
        Group:          Individual Submission
        Pages:          12
        URL:            https://urldefense.com/v3/__https://www.ietf.org/archive/id/draft-massimo-lamps-pq-sig-certificates-00.txt__;!!FJ-Y8qCqXTj2!em5Q_A_k1PMQ0W4omwWUauCCeb4EMshOz6mYYWzWzuQkN7W39uZc2n6qACvqm-IoJWr8lOb4JA7PFy5EbwwaOZJYPgTgSdndyJ0lmSg$
        Status:         https://urldefense.com/v3/__https://datatracker.ietf.org/doc/draft-massimo-lamps-pq-sig-certificates/__;!!FJ-Y8qCqXTj2!em5Q_A_k1PMQ0W4omwWUauCCeb4EMshOz6mYYWzWzuQkN7W39uZc2n6qACvqm-IoJWr8lOb4JA7PFy5EbwwaOZJYPgTgSdnd2kZG978$
        Html:           https://urldefense.com/v3/__https://www.ietf.org/archive/id/draft-massimo-lamps-pq-sig-certificates-00.html__;!!FJ-Y8qCqXTj2!em5Q_A_k1PMQ0W4omwWUauCCeb4EMshOz6mYYWzWzuQkN7W39uZc2n6qACvqm-IoJWr8lOb4JA7PFy5EbwwaOZJYPgTgSdnd7ZiJyGA$
        Htmlized:       https://urldefense.com/v3/__https://datatracker.ietf.org/doc/html/draft-massimo-lamps-pq-sig-certificates__;!!FJ-Y8qCqXTj2!em5Q_A_k1PMQ0W4omwWUauCCeb4EMshOz6mYYWzWzuQkN7W39uZc2n6qACvqm-IoJWr8lOb4JA7PFy5EbwwaOZJYPgTgSdnd7k9nM9I$


        Abstract:
           Digital signatures are used within X.509 certificates, Certificate
           Revocation Lists (CRLs), and to sign messages.  This document
           describes the conventions for using Dilithium quantum-resistant
           signatures in Internet X.509 certificates and certifiate revocation
           lists.  The conventions for the associated post-quantum signatures,
           subject public keys, and private key are also described.




        The IETF Secretariat



    _______________________________________________
    Spasm mailing list
    Spasm@ietf.org
    https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/spasm__;!!FJ-Y8qCqXTj2!em5Q_A_k1PMQ0W4omwWUauCCeb4EMshOz6mYYWzWzuQkN7W39uZc2n6qACvqm-IoJWr8lOb4JA7PFy5EbwwaOZJYPgTgSdnd2gf0i_M$
    Any email and files/attachments transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.
    _______________________________________________
    Spasm mailing list
    Spasm@ietf.org
    https://www.ietf.org/mailman/listinfo/spasm