Re: [lamps] [EXTERNAL] Re: PQ-composite OR or K-of-N logic
"Klaußner, Jan" <Jan.Klaussner@d-trust.net> Tue, 26 April 2022 13:06 UTC
Return-Path: <prvs=1080adf6a=Jan.Klaussner@d-trust.net>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 970CEC06DDB3 for <spasm@ietfa.amsl.com>; Tue, 26 Apr 2022 06:06:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.003
X-Spam-Level:
X-Spam-Status: No, score=0.003 tagged_above=-999 required=5 tests=[SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lCpOJb5KY_Xd for <spasm@ietfa.amsl.com>; Tue, 26 Apr 2022 06:06:43 -0700 (PDT)
Received: from mail-out.d-trust.net (mail-out.d-trust.net [213.61.227.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EEF4BC157B3E for <spasm@ietf.org>; Tue, 26 Apr 2022 06:06:42 -0700 (PDT)
Received: from progov-n1.bln.d-trust.de (localhost [127.0.0.1]) by progov-n1.bln.d-trust.de (Postfix) with ESMTPS id 86CB62055CB for <spasm@ietf.org>; Tue, 26 Apr 2022 15:06:38 +0200 (CEST)
Received: from dtr-xc-bp01.d-trust.de (lb-107.bln.d-trust.de [192.168.107.250]) by progov-n1.bln.d-trust.de (Postfix) with ESMTPS id 7E4172055CA for <spasm@ietf.org>; Tue, 26 Apr 2022 15:06:38 +0200 (CEST)
From: "Klaußner, Jan" <Jan.Klaussner@d-trust.net>
To: LAMPS <spasm@ietf.org>
Thread-Topic: [lamps] [EXTERNAL] Re: PQ-composite OR or K-of-N logic
Thread-Index: AQHYVnYlZeFJKUqQ7UefuaKnjdNVtaz8H5uAgAXg2LA=
Date: Tue, 26 Apr 2022 13:06:38 +0000
Message-ID: <3e58ac8b7d114ec78195a9807f51b7f8@d-trust.net>
References: <f2fb2b2459fe42818348838eb14cc2ac@EX13D01ANC003.ant.amazon.com> <29E39FB1-D8E5-40E9-AFC0-5A8EBBB705DF@vigilsec.com> <DM6PR11MB38025338B4FA3AED0AA99E3196F79@DM6PR11MB3802.namprd11.prod.outlook.com> <DD3C880B-87C5-40A5-99EB-3106BF682635@vigilsec.com>
In-Reply-To: <DD3C880B-87C5-40A5-99EB-3106BF682635@vigilsec.com>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [172.16.171.98]
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_0107_01D8597F.396B1F70"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/RliTBtvoGBHDdd3eAtNdVLcxSag>
Subject: Re: [lamps] [EXTERNAL] Re: PQ-composite OR or K-of-N logic
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Apr 2022 13:06:47 -0000
Hello all, my impression is that we have different us cases in mind. For a simple authentication having the policy on the relying side is enough. When looking at the key usage for contenCommitment /nonRepudiation it is important for the signer to define under which conditions it can be hold responsible for its signature. This affects in my opinion * how the signature shall be verified and in case we sign a public key * how the key shall be used - for composite keys also how the signature generation and verification is defined Failing to do so can lead to fines e.g. for a CA in case the key is misused. Therefore I am still convinced that the composition algorithm needs to be defined and even bound to the key. Best regards Jan > -----Ursprüngliche Nachricht----- > Von: Spasm <spasm-bounces@ietf.org> Im Auftrag von Russ Housley > Gesendet: Freitag, 22. April 2022 20:30 > An: Serge Mister <Serge.Mister@entrust.com> > Cc: LAMPS <spasm@ietf.org>; Kampanakis, Panos > <kpanos=40amazon.com@dmarc.ietf.org> > Betreff: Re: [lamps] [EXTERNAL] Re: PQ-composite OR or K-of-N logic > > Serge: > > RFC 4055 provides a way for an RSA public key to be used with RSA-PSS or > with any flavor of RSA. It is good crypto hygiene to not use the same key > with many different algorithms. However, at the time that RFC 4055 was > written, no one could find an attack if the same RSA private key was used > with RSA-PSS, RSA-OAEP, and PKCS#1 v1.5. > > To me that is quite different situation than K of N, AND, OR, and ANY being > discussed here. > > Russ > > > On Apr 22, 2022, at 2:23 PM, Serge Mister <Serge.Mister@entrust.com> > wrote: > > > > Hello all, > > > > As I mentioned on the call, I'm not fully convinced that deciding which > signatures a relying party must verify is entirely a decision for the relying > party. When an entity obtains a certificate from a CA, signatures verifiable > with the certificate are attributed to the entity named in the certificate. The > certificate holder then wouldn't want a weak key bound to their identity. If a > composite key can be used in "OR" mode, the key is weakened when any of > the algorithms is weakened. > > > > This view is supported I think by RFC 4055 section 1.2 which states that the > rsaEncryption OID implies that "the RSA private key owner does not wish to > limit the use of the public key exclusively to either RSASSA-PSS or RSAES- > OAEP" and also "When the RSA private key owner wishes to limit the use of > the public key exclusively to RSASSA-PSS, then the id-RSASSA-PSS object > identifier MUST be used in the algorithm field within the subject public key > information". > > > > Applying this idea to composite, and in line with the idea that it is the > signature algorithm that should dictate whether signing and verification > require all or only some of the component signatures to be > generated/verified, I'm picturing that we could have: > > > > - An OID that identifies a composite public key, that is agnostic to how > those keys are used (similar to rsaEncryption) > > - OIDs that identify specific signature algorithms, possibly with parameters, > that could be specified in SubjectPublicKeyInfo and would then limit use of > the composite key to that signature algorithm (and specified parameters, if > they are specified). > > > > The latter OIDs would also be used in SignatureAlgorithm fields. > > > > Serge > > > > -----Original Message----- > > From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley > > Sent: Friday, April 22, 2022 12:41 PM > > To: Kampanakis, Panos <kpanos=40amazon.com@dmarc.ietf.org> > > Cc: LAMPS <spasm@ietf.org> > > Subject: [EXTERNAL] Re: [lamps] PQ-composite OR or K-of-N logic > > > > WARNING: This email originated outside of Entrust. > > DO NOT CLICK links or attachments unless you trust the sender and know > the content is safe. > > > > > __________________________________________________________ > ____________ > > (No hats) > > > > On the call, many people expressed concern that the approach in the I-D > tries to bind the signature verification policy to a public key. These people > prefer an approach where the relying party applies their own policy. I tend > to agree that the verifier should determine the policy. > > > > Russ > > > >> On Apr 21, 2022, at 11:00 PM, Kampanakis, Panos > <kpanos=40amazon.com@dmarc.ietf.org> wrote: > >> > >> Hi all, > >> > >> This was discussed in the interim meeting yesterday, but I promised to > also bring it up to the list. > >> > >> https://urldefense.com/v3/__https://datatracker.ietf.org/doc/draft- > ounsworth-pq-composite-sigs/__;!!FJ-Y8qCqXTj2!ffo5wF8YG-Y6- > Yy18R5u7wBsVKkWkyeR7qUlRxq7XBZvfx0AboetFja4fsrL- > voFL9twTLwMovXZX-7WEwPpKF88kw$ includes a Composite-OR and a > Composite-OR-Legacy mode. And Mike also mentioned K-of-N logic in the > meeting. These allow for the signer to define the verification logic of the > composite signature. As many pointed out in the interim meeting yesterday, > it is counter intuitive for the signer to tell the verifier what to verify. If the > verifier does not trust one of the signatures in the composite signature it can > make a decision on what to do based on its policy. It could fail unless all sigs > verify or do something else. > >> > >> Adding granularity in the signature to tell the signer what to do not only > changes what we know and use today, but it also opens cans of worms with > complexity and mistakes that could happen in implementations. > >> > >> I suggest to just define one mode. That is a composite sig is two > signatures of the same thing with two algorithms using two keys. The signer > is supposed to verify the composite signature. How it does that is beyond > this draft. > >> > >> Rgs, > >> Panos > > > > _______________________________________________ > > Spasm mailing list > > Spasm@ietf.org > > > https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/spasm > __;!!FJ-Y8qCqXTj2!ffo5wF8YG-Y6- > Yy18R5u7wBsVKkWkyeR7qUlRxq7XBZvfx0AboetFja4fsrL- > voFL9twTLwMovXZX-7WEwMko2CdcA$ > > Any email and files/attachments transmitted with it are confidential and > are intended solely for the use of the individual or entity to whom they are > addressed. If this message has been sent to you in error, you must not copy, > distribute or disclose of the information it contains. Please notify Entrust > immediately and delete the message from your system. > > _______________________________________________ > Spasm mailing list > Spasm@ietf.org > https://www.ietf.org/mailman/listinfo/spasm
- [lamps] PQ-composite OR or K-of-N logic Kampanakis, Panos
- Re: [lamps] PQ-composite OR or K-of-N logic Russ Housley
- Re: [lamps] [EXTERNAL] Re: PQ-composite OR or K-o… Russ Housley
- Re: [lamps] [EXTERNAL] Re: PQ-composite OR or K-o… Serge Mister
- Re: [lamps] PQ-composite OR or K-of-N logic Kampanakis, Panos
- Re: [lamps] PQ-composite OR or K-of-N logic Serge Mister
- Re: [lamps] PQ-composite OR or K-of-N logic Michael Richardson
- Re: [lamps] [EXTERNAL] Re: PQ-composite OR or K-o… Michael Richardson
- Re: [lamps] PQ-composite OR or K-of-N logic Kampanakis, Panos
- Re: [lamps] PQ-composite OR or K-of-N logic Kampanakis, Panos
- Re: [lamps] [EXTERNAL] Re: PQ-composite OR or K-o… Klaußner, Jan
- Re: [lamps] PQ-composite OR or K-of-N logic Klaußner, Jan
- Re: [lamps] PQ-composite OR or K-of-N logic Russ Housley
- Re: [lamps] [EXTERNAL] Re: PQ-composite OR or K-o… Mike Ounsworth
- Re: [lamps] [EXTERNAL] Re: PQ-composite OR or K-o… Blumenthal, Uri - 0553 - MITLL
- Re: [lamps] [EXTERNAL] Re: PQ-composite OR or K-o… Santosh Chokhani
- Re: [lamps] PQ-composite OR or K-of-N logic Kampanakis, Panos
- Re: [lamps] PQ-composite OR or K-of-N logic Kampanakis, Panos
- Re: [lamps] PQ-composite OR or K-of-N logic Carl Wallace
- Re: [lamps] PQ-composite OR or K-of-N logic Michael Richardson
- Re: [lamps] PQ-composite OR or K-of-N logic Michael Richardson
- Re: [lamps] [EXTERNAL] Re: PQ-composite OR or K-o… Mike Ounsworth
- Re: [lamps] [EXTERNAL] Re: PQ-composite OR or K-o… Santosh Chokhani
- Re: [lamps] PQ-composite OR or K-of-N logic Klaußner, Jan
- Re: [lamps] PQ-composite OR or K-of-N logic Michael Jenkins
- Re: [lamps] PQ-composite OR or K-of-N logic Klaußner, Jan
- Re: [lamps] PQ-composite OR or K-of-N logic Tadahiko Ito
- Re: [lamps] PQ-composite OR or K-of-N logic Kampanakis, Panos
- Re: [lamps] PQ-composite OR or K-of-N logic Russ Housley