Re: [lamps] Proposed addition of hash-based signature algorithms for certificates to the LAMPS charter

Adam Langley <agl@imperialviolet.org> Sat, 10 November 2018 16:29 UTC

References: <3653FE62-CD11-47D1-A9DB-5C6FF4AD8498@vigilsec.com> <CAMfhd9WiqpH96UVTOxmeu50yw5N0ACtxk+5X3dax7tnT_+wpbQ@mail.gmail.com> <ec229e21-86b1-a5bd-c31d-d9977f91f479@openca.org>
In-Reply-To: <ec229e21-86b1-a5bd-c31d-d9977f91f479@openca.org>
From: Adam Langley <agl@imperialviolet.org>
Date: Sat, 10 Nov 2018 08:29:05 -0800
Message-ID: <CAMfhd9Vz_v7PRcSE+OjSfL38=X4PVmYWZKsV2+7wZ7PSUY3a-A@mail.gmail.com>
To: director@openca.org
Cc: SPASM <spasm@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/SIaNRFKUC_JiqKIedSS5jtXy8d8>

On Sat, Nov 10, 2018 at 2:35 AM Dr. Pala <director@openca.org> wrote:

> long time no see... are you still on this mailing list? Are you planning
> to contribute to the working group? Anyhow, to the technical matter...
>
(I was pointed to this thread by a colleague.)

> I do not understand your position here. The draft is just about defining
> the OIDs, the RFC for the Hash-based signatures is defined elsewhere and I
> think is progressing in its definition and use (e.g.,
> draft-mcgrew-hash-sigs-13, ietf-lamps-cms-hash-sig, etc.), therefore I do
> not think that these objections are relevant for the document at hand.
>
> Can you please provide more *targeted notes about this particular
> document?*
>
The document mentioned by Russ at the top of the thread
is draft-vangeest-x509-hash-sigs-01. Its title says that it's specifically
about HSS and XMSS, and it continues: "[the] private keys are stateful".

> P.S.: The points you are raising about stateful schemes are mostly true
> - they are more difficult to handle and we will need to modify interfaces
> and APIs (e.g. PKCS#11) to add the possibility to transfer/update the
> private key status, however this is something we shall prepare to do since
> many QR algorithms tend to be stateful, IMHO. In this sense, stateful
> schemes are (most probably) going to be relevant in many environments.
> Maybe not in browsers, but, as I always try to remind people, browsers !=
> Internet and TLS != PKI (therefore, it might not be relevant to you, but
> they might be relevant in many other environments - e.g., Cable Industry,
> Wireless, etc.). Just my 2 cents...
>
There has been a general, and positive, move over the past decade+ towards
cryptographic primitives that are more robust, e.g. giving people AEADs
rather than a hash and block cipher and telling them to figure it out. I
think the general use of stateful signatures would be counter to this and a
mistake. I don't believe that many QR algorithms are stateful: it's just
the small signatures as far as I'm aware. Stateful hash-based signatures
are useful, but as building blocks of a stateless system.


Cheers

AGL
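The state that AGL and Dr. Pala are arguing about, shown as an added toy example that is not part of this thread or of the drafts it cites: a Lamport one-time signature over SHA-256, a few-time key that records its next unused leaf, and a count of how much of a one-time key becomes public when that counter goes backwards (for instance after a key is restored from backup). All names here are constructed for the example.

```python
import hashlib
import os

H = hashlib.sha256
N = 256  # digest bits; one pair of secrets per bit


def lamport_keygen():
    """One-time key: N pairs of random 32-byte secrets and the hashes of each."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(N)]
    pk = [(H(a).digest(), H(b).digest()) for a, b in sk]
    return sk, pk


def lamport_sign(sk, msg):
    """Reveal, for every digest bit, the secret that matches that bit's value."""
    bits = int.from_bytes(H(msg).digest(), "big")
    return [sk[i][(bits >> (N - 1 - i)) & 1] for i in range(N)]


def lamport_verify(pk, msg, sig):
    bits = int.from_bytes(H(msg).digest(), "big")
    return all(H(sig[i]).digest() == pk[i][(bits >> (N - 1 - i)) & 1]
               for i in range(N))


class StatefulKey:
    """A few-time key: a list of one-time keys plus the index of the next unused one.
    That index is the state a stateful scheme must persist and never roll back."""

    def __init__(self, leaves=4):
        self.keys = [lamport_keygen() for _ in range(leaves)]
        self.next_index = 0

    def sign(self, msg):
        if self.next_index >= len(self.keys):
            raise RuntimeError("key exhausted: every one-time key has been used")
        idx = self.next_index
        self.next_index += 1  # commit the new state before releasing the signature
        return idx, lamport_sign(self.keys[idx][0], msg)

    def verify(self, msg, idx, sig):
        return lamport_verify(self.keys[idx][1], msg, sig)


def secrets_exposed(sigs):
    """Distinct secrets of one OTS key revealed by a set of signatures made with it.
    One signature reveals exactly N of the 2*N secrets; a second signature on a
    different message reveals more, which is why leaf reuse is fatal."""
    return len({s for sig in sigs for s in sig})
```

Persisting `next_index` before handing out the signature is the ordering a real HSS/XMSS implementation has to get right; restoring an older copy of the key puts the counter back and reuses a leaf.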