Re: [lamps] Key usages for composite keys
David Benjamin <davidben@chromium.org> Fri, 09 February 2024 20:39 UTC
Return-Path: <davidben@google.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 339D6C151532 for <spasm@ietfa.amsl.com>; Fri, 9 Feb 2024 12:39:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.258
X-Spam-Level:
X-Spam-Status: No, score=-14.258 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ADyuQfAmzshz for <spasm@ietfa.amsl.com>; Fri, 9 Feb 2024 12:39:00 -0800 (PST)
Received: from mail-yb1-xb2c.google.com (mail-yb1-xb2c.google.com [IPv6:2607:f8b0:4864:20::b2c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 23013C14F5FF for <spasm@ietf.org>; Fri, 9 Feb 2024 12:38:59 -0800 (PST)
Received: by mail-yb1-xb2c.google.com with SMTP id 3f1490d57ef6-dc7472aa206so1186927276.2 for <spasm@ietf.org>; Fri, 09 Feb 2024 12:38:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1707511138; x=1708115938; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=dKekst2oAk7/N0d8fXQKxN/OfnYXq7Or73IyH1bq7LE=; b=igUPhwz4gTdWBpCbhSzWCxWvWPH3/fTIq0aR3zEl7d806HEa6UScewCtxYpqX22aEn qvp2IVI/SuA/AJ5IG6yG/kTkW9soOFeDrRozq4qPLXniKD44Wd5vmK2GdB8TlVvk7p4H Dw9MjgHF40Vl67Hic050XpUpVh666DholL2OI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1707511138; x=1708115938; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=dKekst2oAk7/N0d8fXQKxN/OfnYXq7Or73IyH1bq7LE=; b=HO5Q2MXLN0o9pDUS+DUmcPm0YHPf7ix5Xd3YhVCqWYT39dexWPoU72KnOz0TWLyKaQ ITzpmR0r6S2MgijVBlhIp3Thmb7AJ/s0mwmWkTwiV/4c1ZcBNjC8E4nWXMW7N17ksddw gB6ToXvlTHw96Ucd3UIrMoPqqjptMTsm2LEST5o8KvLu6GaGr5ZmY7jU4FCYOt0GKOen kwNg/bjxufa9M2QmIV0dsGUQ6te4953VfLHaOGLgHQ6LghaF/KUO8Mgtg3JJibNZLAyW w2h9ewcqfTE7S+DBxATCWlPfqHZk7QawUyGGg9KSlPk+jkqMNbd3gLUkFao3FSeLeH94 1ohA==
X-Gm-Message-State: AOJu0YyP8/jpoVphr2l71CaNTachUAZMx60yk5zceFrBmf0qzj6K3W+Z LLUQV6gjwT4q6qFCOZS2xLKCSNyTQvBZt9Yv8BMtf1huiGDmNemCkr6t4VMYo9StT8ioDnPoRCx xrn/OT/omr1CSelOJp4WB/aT69ko2kTwuY9Gv9gWSkvZFdECP
X-Google-Smtp-Source: AGHT+IGuURf524BtpY1SElLhIAqJqbr4cu5Zx7lki6urrhZgCjaYv5ie/ZQGo4L8J/eHp+k3IuXQk3bRjo0dhwR/Bws=
X-Received: by 2002:a05:6902:18c7:b0:d80:68d1:b826 with SMTP id ck7-20020a05690218c700b00d8068d1b826mr448956ybb.6.1707511137962; Fri, 09 Feb 2024 12:38:57 -0800 (PST)
MIME-Version: 1.0
References: <SN7PR14MB64921DF3F880635EB6C544F2834B2@SN7PR14MB6492.namprd14.prod.outlook.com> <0FA49B52-3515-4730-B432-AA6144452421@vigilsec.com> <SN7PR14MB6492767794E105568CF33253834B2@SN7PR14MB6492.namprd14.prod.outlook.com>
In-Reply-To: <SN7PR14MB6492767794E105568CF33253834B2@SN7PR14MB6492.namprd14.prod.outlook.com>
From: David Benjamin <davidben@chromium.org>
Date: Fri, 09 Feb 2024 15:38:39 -0500
Message-ID: <CAF8qwaAkUYo_YQ0fo8MngqEVfhDuBkSos5-r35ganrPFYBu2CA@mail.gmail.com>
To: Tim Hollebeek <tim.hollebeek=40digicert.com@dmarc.ietf.org>
Cc: Russ Housley <housley@vigilsec.com>, SPASM <spasm@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000d4f29e0610f8eae4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/Ssk0hTwLm2ao0Fkvxa7jyfdMREg>
Subject: Re: [lamps] Key usages for composite keys
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: This is the mail list for the LAMPS Working Group <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Feb 2024 20:39:04 -0000
I think worrying about intersections and individual components of keys and whatnot are really a consequence of two bad habits around key management and generic combinators: 1. We should think of RSASSA-PSS-SHA256-ML-DSA-65 as a single signature scheme. It happens to be made up of two parts internally, but this is just an implementation detail. Just as ML-DSA-65 happens to use SHA-3 under the hood, but that is just an implementation detail of ML-DSA-65. 2. We should drop this notion of a single key type being good for multiple signature schemes, to say nothing of multiple kinds of algorithms altogether. The way RSA was defined is a historical quirk, which led to endless complexity and cross-protocol problems. You start with the signature scheme, and the signature scheme defines objects, like keys, *specific to that signature scheme*. We should never have had RSA keys but RSASSA-PSS-SHA256 keys. Being able to change the hash without changing the key was a convenient crutch, but we would have been on much more solid ground, and gotten somewhere more robust, had we put that effort into being better at cycling the keys themselves. It's too late now for RSA. Those decisions were made and these bad habits tend to compound. (X.509's SPKI formats end in other protocols and even influence the shapes of cryptographic APIs.) But we should not extend these habits into the future. Once you correct these bad habits, all these questions become implicit. There is no difference between key type and key use. The composite algorithm is just an algorithm and you never use the component keys separately. The signing function then actually matches the mathematical definition and simply takes a key and an input; not a key, an input, a hash function, an MGF function, a salt length, and a PQ composition variant. Not to say we shouldn't clarify things explicitly, because the X.509 world is full of these bad habits, but we should consistently phrase such things with the bad habits corrected. That's the best shot we have to stop perpetuating them. David On Fri, Feb 9, 2024, 13:58 Tim Hollebeek <tim.hollebeek= 40digicert.com@dmarc.ietf.org> wrote: > I think that’s right, but I didn’t see it written down anywhere, though > Mike did point out the spot that I missed where it is said implicitly … > > > > -Tim > > > > *From:* Russ Housley <housley@vigilsec.com> > *Sent:* Friday, February 9, 2024 1:57 PM > *To:* Tim Hollebeek <tim.hollebeek@digicert.com> > *Cc:* SPASM <spasm@ietf.org> > *Subject:* Re: [lamps] Key usages for composite keys > > > > Tim: > > > > I thought that we already agreed that an RSA key that is used as part of a > composite MUST only be used for that one purpose. So, if it is part of > composite-sig, then it MUST oly be used for a signature operation. > > > > Russ > > > > > > On Feb 9, 2024, at 11:02 AM, Tim Hollebeek < > tim.hollebeek=40digicert.com@dmarc.ietf.org> wrote: > > > > > > Hello, > > > > This is a little off topic and possibly getting ahead of things a little > bit, but it came up in a discussion with our engineers so I thought I’d > float it here. > > > > It’s possible some of this might fit in somewhere in the composite > signature draft, and if the authors agree and can find an appropriate spot > for it I’ll draft some text. > > Otherwise maybe it goes in “PQC for Engineers” or one of the other PQUIP > drafts. > > > > It’s a pretty simple point, but it’s not documented anywhere and it should > be: > > > > RSA can be used for both signing and key encapsulation. > > ML-DSA can be used for signing. > > Composite<RSA, ML-DSA> can be used for … ? > > > > It’s pretty obvious that a composite key can only do what each individual > component key can do, so the key usage is at most the intersection of the > valid key usages of the component keys. > > > > So the correct answer is “signing”. > > > > But this analysis and answer should be written down somewhere so everyone > doesn’t keep having the same question, especially since some people might > come to the wrong answer. > > > > -Tim > > > > > _______________________________________________ > Spasm mailing list > Spasm@ietf.org > https://www.ietf.org/mailman/listinfo/spasm >
- [lamps] Key usages for composite keys Tim Hollebeek
- Re: [lamps] Key usages for composite keys Tim Hollebeek
- Re: [lamps] Key usages for composite keys Tim Hollebeek
- Re: [lamps] Key usages for composite keys Mike Ounsworth
- Re: [lamps] Key usages for composite keys David Benjamin
- Re: [lamps] Key usages for composite keys Tim Hollebeek
- Re: [lamps] Key usages for composite keys Mike Ounsworth
- Re: [lamps] Key usages for composite keys Tim Hollebeek
- Re: [lamps] Key usages for composite keys Wai Choi
- Re: [lamps] Key usages for composite keys Mike Ounsworth
- Re: [lamps] Key usages for composite keys Russ Housley
- Re: [lamps] Key usages for composite keys Russ Housley
- Re: [lamps] [EXTERNAL] Re: Key usages for composi… Mike Ounsworth
- Re: [lamps] [EXTERNAL] Re: Key usages for composi… Tim Hollebeek
- Re: [lamps] [EXTERNAL] Re: Key usages for composi… Mike Ounsworth
- Re: [lamps] [EXTERNAL] Key usages for composite k… Russ Housley