IETF Logo Mail Archive

Re: [lamps] [EXTERNAL] Re: PQ-composite OR or K-of-N logic

"Klaußner, Jan" <Jan.Klaussner@d-trust.net> Tue, 26 April 2022 13:06 UTC

Return-Path: <prvs=1080adf6a=Jan.Klaussner@d-trust.net>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 970CEC06DDB3 for <spasm@ietfa.amsl.com>; Tue, 26 Apr 2022 06:06:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.003
X-Spam-Level:
X-Spam-Status: No, score=0.003 tagged_above=-999 required=5 tests=[SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lCpOJb5KY_Xd for <spasm@ietfa.amsl.com>; Tue, 26 Apr 2022 06:06:43 -0700 (PDT)
Received: from mail-out.d-trust.net (mail-out.d-trust.net [213.61.227.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EEF4BC157B3E for <spasm@ietf.org>; Tue, 26 Apr 2022 06:06:42 -0700 (PDT)
Received: from progov-n1.bln.d-trust.de (localhost [127.0.0.1]) by progov-n1.bln.d-trust.de (Postfix) with ESMTPS id 86CB62055CB for <spasm@ietf.org>; Tue, 26 Apr 2022 15:06:38 +0200 (CEST)
Received: from dtr-xc-bp01.d-trust.de (lb-107.bln.d-trust.de [192.168.107.250]) by progov-n1.bln.d-trust.de (Postfix) with ESMTPS id 7E4172055CA for <spasm@ietf.org>; Tue, 26 Apr 2022 15:06:38 +0200 (CEST)
From: "Klaußner, Jan" <Jan.Klaussner@d-trust.net>
To: LAMPS <spasm@ietf.org>
Thread-Topic: [lamps] [EXTERNAL] Re: PQ-composite OR or K-of-N logic
Thread-Index: AQHYVnYlZeFJKUqQ7UefuaKnjdNVtaz8H5uAgAXg2LA=
Date: Tue, 26 Apr 2022 13:06:38 +0000
Message-ID: <3e58ac8b7d114ec78195a9807f51b7f8@d-trust.net>
References: <f2fb2b2459fe42818348838eb14cc2ac@EX13D01ANC003.ant.amazon.com> <29E39FB1-D8E5-40E9-AFC0-5A8EBBB705DF@vigilsec.com> <DM6PR11MB38025338B4FA3AED0AA99E3196F79@DM6PR11MB3802.namprd11.prod.outlook.com> <DD3C880B-87C5-40A5-99EB-3106BF682635@vigilsec.com>
In-Reply-To: <DD3C880B-87C5-40A5-99EB-3106BF682635@vigilsec.com>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [172.16.171.98]
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_0107_01D8597F.396B1F70"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/RliTBtvoGBHDdd3eAtNdVLcxSag>
Subject: Re: [lamps] [EXTERNAL] Re: PQ-composite OR or K-of-N logic
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Apr 2022 13:06:47 -0000

Hello all,

my impression is that we have different us cases in mind. For a simple
authentication having the policy on the relying side is enough.

When looking at the key usage for contenCommitment /nonRepudiation it is
important for the signer to define under which conditions it can be hold
responsible for its signature.
This affects in my opinion
* how the signature shall be verified
and in case we sign a public key
* how the key shall be used - for composite keys also how the signature
generation and verification is defined
Failing to do so can lead to fines e.g. for a CA in case the key is misused.

Therefore I am still convinced that the composition algorithm needs to be
defined and even bound to the key.

Best regards
Jan

> -----Ursprüngliche Nachricht-----
> Von: Spasm <spasm-bounces@ietf.org> Im Auftrag von Russ Housley
> Gesendet: Freitag, 22. April 2022 20:30
> An: Serge Mister <Serge.Mister@entrust.com>
> Cc: LAMPS <spasm@ietf.org>; Kampanakis, Panos
> <kpanos=40amazon.com@dmarc.ietf.org>
> Betreff: Re: [lamps] [EXTERNAL] Re: PQ-composite OR or K-of-N logic
> 
> Serge:
> 
> RFC 4055 provides a way for an RSA public key to be used with RSA-PSS or
> with any flavor of RSA.  It is good crypto hygiene to not use the same key
> with many different algorithms.  However, at the time that RFC 4055 was
> written, no one could find an attack if the same RSA private key was used
> with RSA-PSS, RSA-OAEP, and PKCS#1 v1.5.
> 
> To me that is quite different situation than K of N, AND, OR, and ANY
being
> discussed here.
> 
> Russ
> 
> > On Apr 22, 2022, at 2:23 PM, Serge Mister <Serge.Mister@entrust.com>
> wrote:
> >
> > Hello all,
> >
> > As I mentioned on the call, I'm not fully convinced that deciding which
> signatures a relying party must verify is entirely a decision for the
relying
> party.  When an entity obtains a certificate from a CA, signatures
verifiable
> with the certificate are attributed to the entity named in the
certificate.  The
> certificate holder then wouldn't want a weak key bound to their identity.
If a
> composite key can be used in "OR" mode, the key is weakened when any of
> the algorithms is weakened.
> >
> > This view is supported I think by RFC 4055 section 1.2 which states that
the
> rsaEncryption OID implies that "the RSA private key owner does not wish to
> limit the use of the public key exclusively to either RSASSA-PSS or RSAES-
> OAEP" and also "When the RSA private key owner wishes to limit the use of
> the public key exclusively to RSASSA-PSS, then the id-RSASSA-PSS object
> identifier MUST be used in the algorithm field within the subject public
key
> information".
> >
> > Applying this idea to composite, and in line with the idea that it is
the
> signature algorithm that should dictate whether signing and verification
> require all or only some of the component signatures to be
> generated/verified, I'm picturing that we could have:
> >
> >  - An OID that identifies a composite public key, that is agnostic to
how
> those keys are used (similar to rsaEncryption)
> >  - OIDs that identify specific signature algorithms, possibly with
parameters,
> that could be specified in SubjectPublicKeyInfo and would then limit use
of
> the composite key to that signature algorithm (and specified parameters,
if
> they are specified).
> >
> > The latter OIDs would also be used in SignatureAlgorithm fields.
> >
> > Serge
> >
> > -----Original Message-----
> > From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
> > Sent: Friday, April 22, 2022 12:41 PM
> > To: Kampanakis, Panos <kpanos=40amazon.com@dmarc.ietf.org>
> > Cc: LAMPS <spasm@ietf.org>
> > Subject: [EXTERNAL] Re: [lamps] PQ-composite OR or K-of-N logic
> >
> > WARNING: This email originated outside of Entrust.
> > DO NOT CLICK links or attachments unless you trust the sender and know
> the content is safe.
> >
> >
> __________________________________________________________
> ____________
> > (No hats)
> >
> > On the call, many people expressed concern that the approach in the I-D
> tries to bind the signature verification policy to a public key.  These
people
> prefer an approach where the relying party applies their own policy.  I
tend
> to agree that the verifier should determine the policy.
> >
> > Russ
> >
> >> On Apr 21, 2022, at 11:00 PM, Kampanakis, Panos
> <kpanos=40amazon.com@dmarc.ietf.org> wrote:
> >>
> >> Hi all,
> >>
> >> This was discussed in the interim meeting yesterday, but I promised to
> also bring it up to the list.
> >>
> >> https://urldefense.com/v3/__https://datatracker.ietf.org/doc/draft-
> ounsworth-pq-composite-sigs/__;!!FJ-Y8qCqXTj2!ffo5wF8YG-Y6-
> Yy18R5u7wBsVKkWkyeR7qUlRxq7XBZvfx0AboetFja4fsrL-
> voFL9twTLwMovXZX-7WEwPpKF88kw$  includes a Composite-OR and a
> Composite-OR-Legacy mode. And Mike also mentioned K-of-N logic in the
> meeting. These allow for the signer to define the verification logic of
the
> composite signature. As many pointed out in the interim meeting yesterday,
> it is counter intuitive for the signer to tell the verifier what to
verify. If the
> verifier does not trust one of the signatures in the composite signature
it can
> make a decision on what to do based on its policy. It could fail unless
all sigs
> verify or do something else.
> >>
> >> Adding granularity in the signature to tell the signer what to do not
only
> changes what we know and use today, but it also opens cans of worms with
> complexity and mistakes that could happen in implementations.
> >>
> >> I suggest to just define one mode. That is a composite sig is two
> signatures of the same thing with two algorithms using two keys. The
signer
> is supposed to verify the composite signature. How it does that is beyond
> this draft.
> >>
> >> Rgs,
> >> Panos
> >
> > _______________________________________________
> > Spasm mailing list
> > Spasm@ietf.org
> >
> https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/spasm
> __;!!FJ-Y8qCqXTj2!ffo5wF8YG-Y6-
> Yy18R5u7wBsVKkWkyeR7qUlRxq7XBZvfx0AboetFja4fsrL-
> voFL9twTLwMovXZX-7WEwMko2CdcA$
> > Any email and files/attachments transmitted with it are confidential and
> are intended solely for the use of the individual or entity to whom they
are
> addressed. If this message has been sent to you in error, you must not
copy,
> distribute or disclose of the information it contains. Please notify
Entrust
> immediately and delete the message from your system.
> 
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm

v2.23.0 | Report a Bug | By Email