IETF Logo Mail Archive

Re: [lamps] [EXTERNAL] Re: LAMPS Re-charter

Mike Ounsworth <Mike.Ounsworth@entrust.com> Thu, 25 March 2021 17:12 UTC

Return-Path: <Mike.Ounsworth@entrust.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9AA143A27D6 for <spasm@ietfa.amsl.com>; Thu, 25 Mar 2021 10:12:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.236
X-Spam-Level: *
X-Spam-Status: No, score=1.236 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_SBL_CSS=3.335, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=entrust.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oJyOgEZHRKHR for <spasm@ietfa.amsl.com>; Thu, 25 Mar 2021 10:12:15 -0700 (PDT)
Received: from mx08-0015a003.pphosted.com (mx08-0015a003.pphosted.com [185.183.30.227]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 772223A27CD for <spasm@ietf.org>; Thu, 25 Mar 2021 10:12:15 -0700 (PDT)
Received: from pps.filterd (m0242863.ppops.net [127.0.0.1]) by mx08-0015a003.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 12PH9tuw026205; Thu, 25 Mar 2021 12:12:06 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=entrust.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-transfer-encoding : mime-version; s=mail1; bh=b2AqAPNwwbtOzQsYICKb7GqRNUJ3F58z9HpQN6tX8IQ=; b=ZwTW3FenBqknJaq3KWA+J8dlDkEvuDZ8rfKQvp4Ft0zpX0IlCFmgFnysW9+Avl82FvKQ JqroKBfEx75b4Kj6iJROr0GhUj+HW8k2TKHuSjLt5vu6J87w/gzs6zrM+2PX3hFu8Qkr qRRHfucWz38OvNBaoN0BGKvQXaOqZgZzfYHH/mhf6FibfA57Zwe5nyCMqdsqn6ze6/YJ RXZ7jvk1xI7aXLEHW66Akked2ZdjmD1BIWUn/Zw6ir16ITPHS3u7jmIkSjDiXAj1bYGp F2X/aiWNM9GhcyOv3OtwtDLtVBTL40Ar2oYVvpcakLzwQFd5FpWhjtQwHA1jkDaHF3aS LQ==
Received: from nam10-mw2-obe.outbound.protection.outlook.com (mail-mw2nam10lp2100.outbound.protection.outlook.com [104.47.55.100]) by mx08-0015a003.pphosted.com with ESMTP id 37dc1rkyu8-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 25 Mar 2021 12:12:05 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=WtMPevuk9n5DvdWtP5hwv3IW217aQOhKyFNmjMcSmDUSlaEoiOHswnLt8pFbpUWImrowwJqBl0RUYwVtwACYIoSwaZMM8A9W075vZLJ0Kem8EuP/p3qnXuCQe6s2Ab8bsnFwjrkklQtYlOwEw9R5yZFxGintuldtaZF5HHG/Zze1jcWFZKQ1vaDb6wLr4V2GoWsGbK3YY6l7QJofXbCNCqOZDsHXnouT2drUmIVUKSmy6DdI3LdpDf8cFunK0ZNH9CaIGnlQx6MxT7TwYtdTz0CIIthqTVwboqrVo/flPv69jn/2cAE88Eg52O9+R0IrpIYNGPez1KN7hCis9Y40+Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=b2AqAPNwwbtOzQsYICKb7GqRNUJ3F58z9HpQN6tX8IQ=; b=c7foYtr9VRvLChlkVok76gIvrBmBtw5naEVi69v/hoMTkatLbizfvMfm9lXglWJhUge9M+yztKDDfCYPqSHYlQTPDXpTG8rD5RM8EbP4d5dZtZuenYlUIop1u/UrgvJtaMwz5UH9ZogDCFkJbP4PYXn3fvmKzsrAPoy9xcXOFQiLw/JdeVriyMkNWVu3jpmjTdng6T3ov2nikDJBg9yxYw5lTGysn187UjzmNGBYFSWtgzemq/W2wfz2dYJiNyAXaHnLL8yy9r/FJbNDxbE6cMnFi+xH+uBodH3uwn97vra2+FQY/4Nty0leTlog2zKURqP+63NjemOFMJZvfeHtGg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=entrust.com; dmarc=pass action=none header.from=entrust.com; dkim=pass header.d=entrust.com; arc=none
Received: from DM6PR11MB4380.namprd11.prod.outlook.com (2603:10b6:5:14e::20) by DM5PR11MB1468.namprd11.prod.outlook.com (2603:10b6:4:4::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3955.18; Thu, 25 Mar 2021 17:12:02 +0000
Received: from DM6PR11MB4380.namprd11.prod.outlook.com ([fe80::a500:2ae3:a6c4:bc13]) by DM6PR11MB4380.namprd11.prod.outlook.com ([fe80::a500:2ae3:a6c4:bc13%4]) with mapi id 15.20.3977.025; Thu, 25 Mar 2021 17:12:01 +0000
From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>
CC: LAMPS <spasm@ietf.org>, Russ Housley <housley@vigilsec.com>, Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>, Rene Struik <rstruik.ext@gmail.com>
Thread-Topic: [lamps] [EXTERNAL] Re: LAMPS Re-charter
Thread-Index: AQHXIM5BR65FoAE6AESpD3VUTizLdKqTqnCAgAEgHgCAACUXIA==
Date: Thu, 25 Mar 2021 17:12:01 +0000
Message-ID: <DM6PR11MB43808ABD3C5FD4ABFB84A10C9F629@DM6PR11MB4380.namprd11.prod.outlook.com>
References: <5A22DF7B-BCA5-42F6-BB95-D4F70FDB1996@vigilsec.com> <951CAF0F-7461-4057-B95E-D1F6CAE61D02@vigilsec.com> <4c18a9982cc94df2952d7b2cbae89d99@cert.org> <7B82765F-9C7A-4C4D-B115-A2835B44E6D6@vigilsec.com> <b3fdb1ac051b4ae0ad748782daebead2@cert.org> <ACE141CD-B0B7-45D3-B54F-BE25275A0D25@vigilsec.com> <29f2b6c9-d7fe-0aa5-4509-d10279a2d902@gmail.com> <EC04667D-6426-4942-81E8-D0EEDCBFA359@vigilsec.com> <c709e623-80f1-3803-0dae-4785d0028828@gmail.com> <B70F19FF-2042-41F0-881A-FCFB13CFCC87@vigilsec.com> <DM6PR11MB4380EA3E63FDFC161E5DA8689F649@DM6PR11MB4380.namprd11.prod.outlook.com> <874kh150d1.fsf@fifthhorseman.net> <31577.1616604808@localhost> <87k0pw2pws.fsf@fifthhorseman.net> <6832.1616683780@localhost>
In-Reply-To: <6832.1616683780@localhost>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: sandelman.ca; dkim=none (message not signed) header.d=none;sandelman.ca; dmarc=none action=none header.from=entrust.com;
x-originating-ip: [206.214.228.99]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 80af9c40-63b4-475f-305d-08d8efb11b57
x-ms-traffictypediagnostic: DM5PR11MB1468:
x-microsoft-antispam-prvs: <DM5PR11MB1468436E03655DC51794BD789F629@DM5PR11MB1468.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:7219;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: aOndogC/jb9EM7uPvBvDILUW5rtYaEj3ZB7QX/Ea23KXY3XWrz9njTIhDuhdH4SNBw6d+SmEJUYkQr6G2iOqAs06efY8gW4eD1csdQKl9EVy7ONBegWhveqL+aYYHrNt0kSgZxwmDS+6JsnNKAr0F1OvR2ljBho0ZU+2R0ycvOGgezDq8nSd1CK1fzIrFyWqnY4Av1xdAztaTljPW4Eo8oKwLMVoZ2BHGa4jTkOnsxMuzrhvnLLlqTvS+liUc9e02ZDcHShvgWEtbHTzohQXVnJsvNVbOKTxlPOfHqEwmLEuVIwEGqDz1GZdEqvHiSQyKTqsxX+uTVJs3uFFq4KE3kLu+8JoBfKtYSODwZ/H6RhGWISEnG7+DhIIBaNOlAWXleade0y28sqlaP4G/2fmly4I7MO1V7C+SoXGeNx6jM0JyAiYuRIUxW3VgzukHDhiR/ubJgKhMPf+1S5Nl7ldpukEYiie95EP8Hnmm62YNhyT0BKAl58CdLH1Js62HJj4qhLV0UyS3JhAbKaJObyeFXU977MCJpyQ0w1nCeVpZMQSHd4QTu6iEBL9nHjAUbZqT1IzkWKXW+L6Qr387ssU3X1Glk/3DwJk/1d2VpXurTq9Ljssi8/M7hv1q/mGnhr6qGQ9kgHugBMIcOgoBfGovUsOEYUgX9JYXvtyz8D73kg=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM6PR11MB4380.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(39860400002)(366004)(136003)(346002)(376002)(396003)(8676002)(316002)(54906003)(7696005)(8936002)(110136005)(4326008)(6506007)(186003)(53546011)(55016002)(26005)(71200400001)(83380400001)(86362001)(9686003)(2906002)(478600001)(66446008)(66946007)(66476007)(66574015)(33656002)(66556008)(38100700001)(76116006)(5660300002)(52536014)(64756008); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: OAL06Cyrluq1ht0qsLMrgbFox4itoUWsMWupw5b/NkzIx2CYYnOcH7Q6CfPECHNE15K/mfrVMtpF70PeCyfcPT9IS9rWiFEWXo+IMyXD0/cxq1KkWswRFQDeaPfSPkmiIrkygRGQoYvfGvu/dbPNh8tsNizd25GRayEgHxpafjSbm64Na4Xm623DzNM5itLcmFxH75z20YtY6sCKeIG4OjcCrXDaQGiCTj6vgNxSVMqXgllI03ulNvoz8XqtYaUgERpXQwIDSjwxXjm5skKJJokBQv5teBzA3lBWmO7NQOuL3LifTU0/6CSvq+XWH52qZQOEOz6dN4C8UNSlbzOp3egUzlXgZ3I1d2i2uvsqNODpnHbeC5AtnCOamj3ciL3eh24vy+DvzsLZ+XLQldvJG3zeItKa/3qE+MErpg4eCB6wdKLVybWIi1CUopYg7w9Hfr5Okwdd8cOI58SvZl663OeRkd81X86FplSWDIqNWFyxAgtAEW9FimI3pcA+h4r0NWJbjJyjtIOM91iz61NK+fTP180Kv5xNvMMOhsCOdB0f7JV6HkTkkpw2gChmxcFYeT96Wfu3sit9E+B6IJH6Cv4yLVYAbXNnm7AtyqC2xsdeRqRkuOvwaCmhLLalbrSmc6d3Bk9nTF8jEgDJfX7yMw1E48AIMvM0Vfo/dNbFAEf6wq5IGW6+cF+rw91THNl7vo3kv4XZfodC9qae1SUr/6VV4Bs35NsMWSQ67vTSnhgR9mJezRkurLRgVyS0wnJ7vML5CXZZtYPChojpHW81C6vZDkCpslma7z6H3/nsezP6mBSnRWeXvoCNtNGHk5S58xYA11odb9LRQ78HgbpWQR1gJRo1bkwT/5N9TiEr7j8VceSRpzCZSVPIYbyOblreYBD3L/q6QmlAzrYbgRF2zjhSHl2d8FvunU16JG1BCG8EiyLXwmu2iSxfkr2Q00LTBCs0WUQtEl9NCFE3YbNQxMYlBbqKpxTXm0aPKvwObzmk15DkeTn7G0eBT2gpvTztOZH1mQmW+TgyPE++xfOf24XiNO63U0D/ex8XYRiZr8KfzmpNl7mgnmbgN+wEQo9RNMM62yDC1rIYxL5GPbSz6tUtryN1ySbEyeR9GEp9xjdSk5lrq+BHr6ZoLPV5v5czgNgMQfBsUAVTeE9hXdozYbP0yIMvedYaDPxA+6CQk2EaWCGtZqP5iO2aibEBiH5L3cU1E8hnvZ28u4vbTq1jZByqSEy32bZoa0P6uWRPve44i4JzVJjpBQzHed0l9Kl+XpbHQ/4axp95E6voGIUB+hJ5AFYiix9STh63xHwOkBveewzoC7rPHdlbyO9/Ibg7
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: entrust.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM6PR11MB4380.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 80af9c40-63b4-475f-305d-08d8efb11b57
X-MS-Exchange-CrossTenant-originalarrivaltime: 25 Mar 2021 17:12:01.8854 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f46cf439-27ef-4acf-a800-15072bb7ddc1
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: icz0ZS8/zHoE0IdQvV+pyNgNpOt/Efz3rp0vxyvkslgCLAnQ1Fw0rAsWFCVenB1iurqeNANuXrlTfcDX3lfpWMU4ICiGR3VetMw2eDCpev0=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR11MB1468
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.369, 18.0.761 definitions=2021-03-25_05:2021-03-25, 2021-03-25 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 suspectscore=0 adultscore=0 priorityscore=1501 lowpriorityscore=0 bulkscore=0 mlxlogscore=621 malwarescore=0 mlxscore=0 phishscore=0 impostorscore=0 spamscore=0 clxscore=1011 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2103250124
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/TDB7gTxq5PTY8y5W9_rlaeejzdk>
Subject: Re: [lamps] [EXTERNAL] Re: LAMPS Re-charter
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Mar 2021 17:12:21 -0000

@dkg it sounds a bit like you're hinting at timestamping servers (or their modern equivalent: blockchains and merkle trees).

I wonder if CT logs have the "time-bounded" property you're looking for: any certs indexed into the CT Merkle tree before the "quantum apocalypse" can still be trusted (the cert itself - DN, SANs, etc - can still be trusted; the keys inside it may well be compromised). Though the things getting CT-logged (public web certs) are only valid for ~ 1 year, so they'd likely be expired by the time you care to look back.

---
Mike Ounsworth

-----Original Message-----
From: Spasm <spasm-bounces@ietf.org> On Behalf Of Michael Richardson
Sent: March 25, 2021 9:50 AM
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: LAMPS <spasm@ietf.org>; Russ Housley <housley@vigilsec.com>; Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>; Rene Struik <rstruik.ext@gmail.com>
Subject: Re: [lamps] [EXTERNAL] Re: LAMPS Re-charter


Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
    >> Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
    >> > PQ-hybrid signatures are a much easier thing to tackle than PQ-hybrid
    >> > encryption.  But PQ-hybrid encryption is also the thing that has the
    >> > most urgency.  Signature verification has an out: verifiers can
    >> > time-bound their acceptance of legacy signatures once a quantum-based
    >> > cryptanalytic attack becomes known to be plausible.
    >>
    >> Do you mean that a verifier can say, "I'll accept your legacy signature as
    >> long as it's less than 2hr old"
    >> ("2hr" being the time I think it takes for a PQ to be mounted).

    > The time-bound i was thinking of was:

    > - If a quantum-based cryptanalytic attack becomes feasible on a given
    > algorithm at time T, then a verifier can still re-validate any
    > signatures that arrived (that is, that the verifier has had a copy
    > of, or that is visible in some robust historic ledger) prior to time
    > T.  That is, old, pre-existing signatures are not automatically
    > invalidated by a new quantum attack.  Note that this is *not* the
    > case for encrypted material -- old, pre-existing encryption
    > protection can indeed be invalidated by a new quantum attack.

Thank you for the clarification.
I wasn't proposing something different, just trying to understand.

You are right that a the PQ attack would likely be used to recover private keys, not just forge signatures.

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide

v2.23.0 | Report a Bug | By Email