Re: [lamps] Hybrid pkix isn't needed

Mike Ounsworth <Mike.Ounsworth@entrust.com> Mon, 30 January 2023 18:30 UTC

Return-Path: <Mike.Ounsworth@entrust.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1324CC14F6EB for <spasm@ietfa.amsl.com>; Mon, 30 Jan 2023 10:30:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.796
X-Spam-Level:
X-Spam-Status: No, score=-2.796 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=entrust.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YIwV9svtOYYL for <spasm@ietfa.amsl.com>; Mon, 30 Jan 2023 10:30:11 -0800 (PST)
Received: from mx08-0015a003.pphosted.com (mx08-0015a003.pphosted.com [185.183.30.227]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F901C15C509 for <spasm@ietf.org>; Mon, 30 Jan 2023 10:30:10 -0800 (PST)
Received: from pps.filterd (m0242863.ppops.net [127.0.0.1]) by mx08-0015a003.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 30UGfYQ1004773; Mon, 30 Jan 2023 12:30:08 -0600
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=entrust.com; h=from : to : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=mail1; bh=RmQvpEbXGuUgLnIMoaod57PgDQbq2X9tlNhI84KHWJ8=; b=VqGqyoKofX35T9ZNRt68ZTfhGYfx1WfAreuBwz5nPaNTFZIZDC/8gzGxW8i5NG1ckYyH /wW94BBoFPCstROerwTIoU9HpdY3kYCmzCG3wtnL9o2uU1HdrTSC/n3UlraAkgfGWgt8 DMJOrtZucxhaBcdpE/418dK/wwBEn1vx4yE26Z7qlmzrMeMQm7HLoPAgdlbrSKfRiA1O NROy4U8Sj6UZDae7twMQpEGQ2o8lNz8/69GsCs8HoMMO4fTB8jZGwzc+T/wieP5ZQ1Ax 4Y/Bcu/N8VVTfkSoORb2lcpfi0G+TS2cENjVcz2UQ/3/jJ8D3iKWyvAxjst00+gPjoE1 Pg==
Received: from nam11-co1-obe.outbound.protection.outlook.com (mail-co1nam11lp2173.outbound.protection.outlook.com [104.47.56.173]) by mx08-0015a003.pphosted.com (PPS) with ESMTPS id 3ncyjur9ny-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 30 Jan 2023 12:30:07 -0600
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=OJa667NiEVhnNVpNxS1ajpgP1R8GcsfPByBQ+mhRLMXYC+pm4vIjJpe2m2RJWu8+C3uwgwH/Edy7ZncqnqvDKxsZGglvSZtuKXiftp+XMD3cLMTTZAQ3IJ5s0BLJKmb0FxVLbMHIMIJgE8BikVlmHH7mot4VSy1bfQ8kiTgGn6cqcWGVV457W16Cbte2gWt5BxGoMZMWqvR7Y2bpHqs3WRApnW8j9EXFVKcr1Ml8HYUS/iNlrki0A61wtp7WyLYRYX7mZtkuwgnBUV6VrfR0B3pLN2m5bLR3SSV4lnD8Cb9n8Z0XkNLjtyKpj2jg5iIa7cqORZKB6T0h6yxNZeZNMg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=RmQvpEbXGuUgLnIMoaod57PgDQbq2X9tlNhI84KHWJ8=; b=QncpwV6ZjRT68t5k/G6nTSlqVq4QzhpsTnxTvsC5pwR+bLFGNKKkleUMASXp6kyr6lQxC8wNGiGmr7iy2NGoo4P27Ue72tPhar0WCHKM6z0MwvHuwLEptUlAQdT4J+Lh3qAxWyISLuNGrEAVGqoxncWADx/u2ahKiVq8rRkDIV6my+Ft9U6u1KcvKUtqs1vbD4LoclCU02Zm273XWiJUjq74SmKdgpI6C76MOGjjP3uf6Am5UCtJzUJy8OHPDqfXZlXypPDM6gzZjmcWYdXNaNdmKjDDBhpyjGnxcyVG8nrlcrDKOMxfuthkPtS0z+zQcix2EGZ6RbMuFzn45KomCA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=entrust.com; dmarc=pass action=none header.from=entrust.com; dkim=pass header.d=entrust.com; arc=none
Received: from CH0PR11MB5739.namprd11.prod.outlook.com (2603:10b6:610:100::20) by MW3PR11MB4747.namprd11.prod.outlook.com (2603:10b6:303:2f::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6043.33; Mon, 30 Jan 2023 18:30:02 +0000
Received: from CH0PR11MB5739.namprd11.prod.outlook.com ([fe80::3000:a478:192a:3860]) by CH0PR11MB5739.namprd11.prod.outlook.com ([fe80::3000:a478:192a:3860%4]) with mapi id 15.20.6043.036; Mon, 30 Jan 2023 18:30:01 +0000
From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
To: Michael Markowitz <markowitz=40infoseccorp.com@dmarc.ietf.org>, Watson Ladd <watsonbladd@gmail.com>, "spasm@ietf.org" <spasm@ietf.org>
Thread-Topic: [lamps] Hybrid pkix isn't needed
Thread-Index: AQHZNEYdLfcavEmiTECHyprDlQzdea63RJYg
Date: Mon, 30 Jan 2023 18:30:01 +0000
Message-ID: <CH0PR11MB57392033396F181A9853FAD79FD39@CH0PR11MB5739.namprd11.prod.outlook.com>
References: <CACsn0c=uPvp_hmakpfPff8WkYh1q9NhjfTJYs7iFu_czL2yAyA@mail.gmail.com> <DS7PR12MB5983E36300151BFC47E5CB34AAD39@DS7PR12MB5983.namprd12.prod.outlook.com>
In-Reply-To: <DS7PR12MB5983E36300151BFC47E5CB34AAD39@DS7PR12MB5983.namprd12.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: CH0PR11MB5739:EE_|MW3PR11MB4747:EE_
x-ms-office365-filtering-correlation-id: 13a28d3c-355d-4a91-88e9-08db02f00003
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: yk7f6dlIeVLuawLeT1bkEIGCuUUw6B5m/fOXgWCXolgBMGkb4o8GdWLzVsxoOzg4YAlaDA1g+VPvwnJYqptaMQNOyAtMfhuM4zCaAR1Iru6g69PhNQTyb/fTLgeuQiAVxNv0qKj11m1JcMaqYLXlmBFiNg9LGCrN7JU5ORVKe2eb9zj7YXHWowNUWASt5/dj+jFqEfShdULuhn6GisT9EkStT7fog39aY9nevMhFdo0VoqEADbpnEF//3rx9TlFZWfUmjDbWeCd7Qxdz3I7Xpj0F/MClQPCugtq+rQULfLI4rU60o5QkTHoecXD20Wtx+1+Pc4iJl1LEsAWhw43AseJ/n78Md+xNfJHMpbb1GBcD7F6w6KGiymVmhRDt2uBtlWFRqNTNejWbiTolh+w/IS6mgm4olFijUqNmuiNIiwnZSw74voGL6RkVX2/OnMNANIu1tkh/+CViQ1ZOG+6OoVR+o9wmbCH70SyPNYBTtZOD6DOMehzgmU8CltiwQWIGU1a76aQOlgPaPvnJFUURPWLqgsu6b+COkPKQjYDx4Qq3WEBDPcbJOATB8uLJLQ7BA346uGZIzkEQfoTu9x3kP34cPSZgIEHe6SyPX1Rc5ScTqATSVWZEOQ3I5v7ZQMXwDgJZLzbY2rLXwLLXa12CEhcPG2+vNKRU/CtSqtUvUWKJMDtN+10yQdlJSM3EoveUZbxBwC06pitzHwpoh7ScUw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CH0PR11MB5739.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230025)(396003)(39860400002)(366004)(136003)(376002)(346002)(451199018)(5660300002)(8936002)(41300700001)(2906002)(64756008)(76116006)(66946007)(66556008)(66446008)(8676002)(316002)(110136005)(66476007)(71200400001)(7696005)(478600001)(53546011)(6506007)(186003)(9686003)(26005)(33656002)(52536014)(83380400001)(55016003)(86362001)(38100700002)(122000001)(38070700005); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: dYOW89+Y6Fso4dBlK7EOs2kY1ljCcUxW54VoFUz9AKK2hpOzT6XT27HA1ny6WSS/cVucYFy9Id0zObiN+beLt3qNg47OzLNQnuuIiWLAVNTttBKwjhwitO4NQsKrYoP/HlLjvRxAGBeWjy+tRHjTof5DoiYuQs4PCRFUWxoox3W+b8Ojbr/uAi18gK67muemqLNmz/30ryX58ZbThLN1EiI4PocEFmbMmuTm0dKX69ItCEgdim6BVSggYo597+uvlPEivjvzPHpD/RPpmfzN4QbUs7IcGikbaGYeLjI5qp9vbrCDgMRGRXUZfnFznHPRCrqPXWoLU/OxBYWs/OBYQkzIP2HeBwj3Z3lPHehDNb3jy6RCV4fNvbumF2YHfh2PUaLSykXrSCTvUeQJNXQZHzRrewPOqe/QUfV5kd9ajcAIb8BnHNZiLMC2FUkf0C7YhI1xjdWiuM3S7HHsW/4yZYKpzhqRD9Wj6CfPSnC0zYsmIuKxcPhaIZGOfLOe4QgBasu3PeHCqRgKdSWTEvv76kr7Rex+GV27+y08vuoEBkcBp2d++ludnTVCoHo7HJ35tLJq5h+bG81EKXygxxL0pXpRz16kv9Fdm6oCnvgYzTw+fICsR3AUQWK53ZjsAvcA1bQ7LqHMEyItAtuk5qIKq2ZqWYtoZI1RT5pyFGkQLCeDfAop6qRUYhdE+AfSyopsgxsqu3LldvNIjOs2/4/AfspYMb5olkqsLZLu8OWXvMb23hoJMOYF08tu8if61SRriO5C49Ew5OzU9TueLXA5Ag4PBtSpjSd23RFvL+meigTnOoNbJoDaDUgqdJBrmcNEdrHAwBLjVzEL5NsEr2HHHPZtMOqKo+SKzgESJxtjyGT+u1AV3RxeB45oeqDChB8ufxaI1CwMYcZmCrPo47I88Uxwqn+QT99ooZNExRpven2BbvY5hBWdxcamG1ome8z68iyS06BdGc73znsvlLBAy10DHqnsTSSXxeF62jCh7TlJqdHgVHJrVczREtiVd4sguK0ReHqE69FXdZY3pbFrYvMXef30Ju/gxce3c6OJCxFRuUWRKwcl52zgLJFv/qYpF6HjBLx2odkym09uOzya5x0JF7Agn2yY4CHI3FceMoIaRIGBOvvsmCeNtv6LeWAgp0OmtZ5Pd0G6YUCN9MhfiXnVUDosqoYwNzG5LNpbKU6cnN13C/QCcaV5eBGDmwd6hTjEi5ftHzl49YzussTdmlUBS2eOIwPaz755suQ01dJOtWy2KaHxUuYJ3mPcXYRcW/5hl3v/sDMewuX1p+bg7f1QAkUIYaFkaBfDxTM2xMjFiefl/1SvrfeGRk/Ab5KpojPhRPTp1Igy/irrqheTZ/ZmSNP7HYZIKqTcYc9y83h3j7EakulN9CR1qzqf6qEQfAmguOfmlL9662VsYMyS7nr83SWpHPMyDXr7p5UFJALGI1+vROAVm02TYI3G6pBQaGc4cyslY0HfwjXgjMeMFXKHUC7+Jgj0z9z6omWVpVgWlX4h6LSXTCVtXz/tJQlv+Om4xUf6RMuA9eaV5GkFqndgioYr+/VoQqdT0hvbGpNiA1yeoHqZqZszlRTWPbxK
Content-Type: multipart/alternative; boundary="_000_CH0PR11MB57392033396F181A9853FAD79FD39CH0PR11MB5739namp_"
MIME-Version: 1.0
X-OriginatorOrg: entrust.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CH0PR11MB5739.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 13a28d3c-355d-4a91-88e9-08db02f00003
X-MS-Exchange-CrossTenant-originalarrivaltime: 30 Jan 2023 18:30:01.8070 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f46cf439-27ef-4acf-a800-15072bb7ddc1
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: nUzu+VBWr+lj/Q6Omt7UHKuHJG0tWjkr7fJn99+S7nmKsA9vD3vQjVp2zVL5AX8aEMuGy5Ip7oNVhC0uwKplc0YPqrPC6m8uOQ+uHegz+HU=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MW3PR11MB4747
X-Proofpoint-ORIG-GUID: uM3yMphwUrkDRMWokzV1hNSOLSSFJvzu
X-Proofpoint-GUID: uM3yMphwUrkDRMWokzV1hNSOLSSFJvzu
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.219,Aquarius:18.0.930,Hydra:6.0.562,FMLib:17.11.122.1 definitions=2023-01-30_17,2023-01-30_01,2022-06-22_01
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 mlxlogscore=999 adultscore=0 priorityscore=1501 clxscore=1011 lowpriorityscore=0 malwarescore=0 bulkscore=0 mlxscore=0 spamscore=0 suspectscore=0 impostorscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2212070000 definitions=main-2301300176
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/R83WIKVluYCA2p_BBO7ReA_2iv8>
Subject: Re: [lamps] Hybrid pkix isn't needed
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Jan 2023 18:30:15 -0000

Watson Ladd said:

> Authentication breaks are not retroactive: a break of an algorithm at a time in the future doesn't threaten the security properties of authentication in the past.

Since you're comparing this with encryption, I'm taking "authentication" here to mean "signature primitives".

For TLS or IKEv2, yes, signatures are less urgent than encryption, but in general you know that you're fighting a losing battle here, right? Especially since the NSA in their CNSA 2.0 have marked code-signing as the most urgent use case to migrate to PQC. The idea is that a device will leave your manufacturing facility with a burned-in trust anchor that it should use for validating future firmware patches. For good reason you can't change trust anchors in the field, so we need to make sure those algorithms are going to stand the test of time for the lifetime of the device.

Another example is PDF signing; if I can factor the signer's private key so I can modify and re-sign the PDF then what's stopping me from also back-dating the timestamps?

Yet another is S/MIME email certificates: you need PQ CAs before you can issue PQ encryption certs.

---
Mike Ounsworth

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Michael Markowitz
Sent: Sunday, January 29, 2023 6:59 PM
To: Watson Ladd <watsonbladd@gmail.com>; spasm@ietf.org
Subject: [EXTERNAL] Re: [lamps] Hybrid pkix isn't needed

WARNING: This email originated outside of Entrust.
DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.
________________________________

Consider the following scenario:



During enrollment a user obtains a signing cert A. They use A to reauthenticate to their CA and obtain an RSA cert (R1), and then a Kyber cert (K1). Sometime later the same user leverages A to obtain another RSA cert (R2) and another Kyber cert (K2), say with different attributes, from the same CA. Maybe many more RSA and Kyber certs are issued to that user.



Now imagine that -- according to a security policy specified by the CA -- the pair [R1,K1] must be used for certain purposes  in some protocol P involving a hybrid KDF, while R2, K2, etc. are only to be used for other purposes (maybe separately).



What's the easiest way to ensure that a relying application when presented with R1, finds K1 rather than K2 as the other input into P? Sure this could be done in proprietary ways, but an innocuous (non-critical) extension linking the paired keys has a certain elegance. Also note that the user, to participate in P's hybrid KDF, doesn't need to do anything different from what they're already doing classically: they simply present the appropriate RSA cert, R1. It's only the relying (server?) app that must be modified to find K1 and carry out P. Kinda' useful in an enterprise environment in which end-entity certs are easy to update, but existing PKI clients are hard (i.e., expensive) to update -- or to even find!



To your points: a non-critical extension is "optional" -- no one will be forced to do anything with it. And I have trouble imagining another "transition model" that helps a relying server app find K1 rather than K2 without: new info provided by the client, a proprietary repository hack that links paired certs, or worse yet (heaven forbid!), abominable hybrid certs.



-mjm





-----Original Message-----
From: Spasm <spasm-bounces@ietf.org<mailto:spasm-bounces@ietf.org>> On Behalf Of Watson Ladd
Sent: Sunday, January 29, 2023 3:43 PM
To: spasm@ietf.org<mailto:spasm@ietf.org>
Subject: [lamps] Hybrid pkix isn't needed



Dear all,



I don't think linking certs or special provisions for hybrid encryption or authentication are a good idea.  A hybrid encryption scheme should be an encryption scheme with a public and private key, just like any other key you can put in the PKIX.



If for backwards compatibility you want to have multiple kinds of keys just like we do with RSA and ECDSA keys in TLS, just do that! Don't add complexities to try to link them or force people to find both keys at once for an operation. We know that the transition model with multiple unrelated certs works, and we have experience and fixed bugs that resulted. Let's use that instead of have new bugs to fix.



The other thing is hybrid auth is worthless. Authentication breaks are not retroactive: a break of an algorithm at a time in the future doesn't threaten the security properties of authentication in the past. That's different from encryption, where you do potentially want to ensure a new post-quantum algorithm is no worse than a classical one, but the case for it is fairly weak.



Sincerely,

Watson Ladd

Any email and files/attachments transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.