IETF Logo Mail Archive

Re: [lamps] SKID extensions Re: PQ-hybrid or PQ-Composite?

Carl Wallace <carl@redhoundsoftware.com> Thu, 27 October 2022 14:51 UTC

Return-Path: <carl@redhoundsoftware.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 60132C1522C6 for <spasm@ietfa.amsl.com>; Thu, 27 Oct 2022 07:51:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhoundsoftware.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RdntUPZHDWFf for <spasm@ietfa.amsl.com>; Thu, 27 Oct 2022 07:51:10 -0700 (PDT)
Received: from mail-qk1-x734.google.com (mail-qk1-x734.google.com [IPv6:2607:f8b0:4864:20::734]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E803AC14F741 for <spasm@ietf.org>; Thu, 27 Oct 2022 07:51:10 -0700 (PDT)
Received: by mail-qk1-x734.google.com with SMTP id d13so1073356qko.5 for <spasm@ietf.org>; Thu, 27 Oct 2022 07:51:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhoundsoftware.com; s=google; h=content-transfer-encoding:mime-version:in-reply-to:references :thread-topic:message-id:to:from:subject:date:user-agent:from:to:cc :subject:date:message-id:reply-to; bh=7UKxMtOJuJn9jalNFeOJ8eeJPd50QBFwwfEshNznsXE=; b=wvKkXnh9fbd2IHx4Ns6yH2qEy0VcSdjds6kLr9yl7MAaSVPdEQFvAkpR+xwLADd4Py nq4FtkPawZWwqJYI5ess9IYBHXRxyo7HYD8xLsDOgc1gS/nEn2U35vJX2hGu2u91Wr2F evn85GWVj0wzuNa1GuG29tiMtAQtPMQnC+0Vs=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:in-reply-to:references :thread-topic:message-id:to:from:subject:date:user-agent :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=7UKxMtOJuJn9jalNFeOJ8eeJPd50QBFwwfEshNznsXE=; b=op5lGd4bjmnbeRbGsdcDFISYpRRwM2GLE/vwbZfGNmgOLvTru972B+R1TtZvWgKAEG enWK6v6QdV4lysQlabuSWUABEOv/lOw+qd/k3vGAgqghNf5ltEMsQRjar8Ha2Vx73wju Np1st9EbPYOqCA5TVmzLjYc4X6q474ODMWYjBxG5wAw7bQNPwJWzttL/5iRV1uIIRajc ZAChuge0ZuLrYw7Ix6iIhTQudBrSZY4jgVAeTYmDmTAYQ6O5wU2jBfyNnz3fe4h96Lhx 9XwzVrtmclCgtu/sai0ddkSmDt1LJNR/PKW8s8GWLo5yKjyaE+XMawYpOCkht3R6rFJX HRUA==
X-Gm-Message-State: ACrzQf190I2SUl4QktYg/X4p+VEXO0pzPJcLsF1cNcHUrCKiL4xeW6cd eCeAjTQz30hEGojvWEAeFEjYaw==
X-Google-Smtp-Source: AMsMyM42DPJ39PNu6+Trb7UfxFrxEHXSB4ciuj9VA8MU1DKYAHo4BhJfo+CdgW3ZXaPeFpGi03iPgQ==
X-Received: by 2002:a05:620a:4388:b0:6ee:8796:e390 with SMTP id a8-20020a05620a438800b006ee8796e390mr34531501qkp.289.1666882269513; Thu, 27 Oct 2022 07:51:09 -0700 (PDT)
Received: from [192.168.4.77] (pool-74-96-253-253.washdc.fios.verizon.net. [74.96.253.253]) by smtp.gmail.com with ESMTPSA id 18-20020ac84e92000000b0039cc7ebf46bsm931736qtp.93.2022.10.27.07.51.08 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 27 Oct 2022 07:51:08 -0700 (PDT)
User-Agent: Microsoft-MacOutlook/16.66.22101101
Date: Thu, 27 Oct 2022 10:51:08 -0400
From: Carl Wallace <carl@redhoundsoftware.com>
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>, "Kampanakis, Panos" <kpanos@amazon.com>, 'LAMPS' <spasm@ietf.org>, Philip Lafrance <Philip.Lafrance@isara.com>
Message-ID: <8051B8EB-DDA8-4E26-8245-CECAE2EF730A@redhoundsoftware.com>
Thread-Topic: SKID extensions Re: [lamps] PQ-hybrid or PQ-Composite?
References: <108E5963-E837-47B4-A18F-ABF6E530C263@redhoundsoftware.com> <CH0PR11MB5739523DE93429F7D5D4A4309F339@CH0PR11MB5739.namprd11.prod.outlook.com>
In-Reply-To: <CH0PR11MB5739523DE93429F7D5D4A4309F339@CH0PR11MB5739.namprd11.prod.outlook.com>
Mime-version: 1.0
Content-type: text/plain; charset="UTF-8"
Content-transfer-encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/TqHZNqgxiKoZRs2j992CSK54noE>
Subject: Re: [lamps] SKID extensions Re: PQ-hybrid or PQ-Composite?
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Oct 2022 14:51:15 -0000

Is the intent for composite to verify with only both keys or either key? If either (which is what I was assuming in at least some cases), the composite SKID won't help.

On 10/27/22, 10:36 AM, "Mike Ounsworth" <Mike.Ounsworth@entrust.com> wrote:

    + @Philip Lafrance

    Good point Carl.

    For Composite you still have a single SubjectPublicKeyInfo in the usual place (just that its subjectPublicKey BIT STRING happens to contain a SEQUENCE of other keys). So the SKID method suggested in 5280 (or any other SKID method) should apply cleanly and unambiguously:

    > the 160-bit SHA-1 hash of the value of the BIT STRING subjectPublicKey

    So I don't think it needs to be explicitly mentioned in the composite draft?



    For Catalyst Hybrid certs (draft-truskovsky-lamps-pq-hybrid-x509) I agree this is tricky; you have two independent pubkeys: the usual one, plus one in a SubjectAltPublicKeyInfoExt extension. Do you also need an AltSubjectKeyIdentifierExt? Further complicated if you're allowed more than one SubjectAltPublicKeyInfoExt. Maybe we should hold this technical feedback until such time as there is an active I-D for Hybrid Certs?

    ---
    Mike Ounsworth

    -----Original Message-----
    From: Carl Wallace <carl@redhoundsoftware.com> 
    Sent: October 27, 2022 8:02 AM
    To: Mike Ounsworth <Mike.Ounsworth@entrust.com>; Kampanakis, Panos <kpanos@amazon.com>; 'LAMPS' <spasm@ietf.org>
    Subject: [EXTERNAL] SKID extensions Re: [lamps] PQ-hybrid or PQ-Composite?

    WARNING: This email originated outside of Entrust.
    DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.

    ______________________________________________________________________
    Has there been any discussion of how SKID extensions would work with either hybrid or composite? I saw no mention in the expired hybrid draft cited below nor the current composite key and signature drafts. Seems like a new structure would be required, which would impact path building and backwards compatibility.  

    On 10/26/22, 3:00 PM, "Spasm on behalf of Mike Ounsworth" <spasm-bounces@ietf.org on behalf of Mike.Ounsworth=40entrust.com@dmarc.ietf.org> wrote:

        Ah, you beat me to it!

        Yes, ISARA has announced intent to dedicate the Hybrid Cert ("Catalyst") IP to the public domain.

        The way I see it is this (off the top of my head, not a carefully researched answer):

        Pros of Catalyst Hybrid:

        * Extends X.509 in "the obvious way" via an extension.
        * Fully backwards compatible because legacy clients will simply ignore the unrecognized non-critical extension.
        * Avoids combinatorial explosion of pairwise OIDs.
        * "Complexity" of checking both signatures lives at the X.509 layer.


        Cons of Catalyst Hybrid (and Pros of composite):

        * Hybrid Catalyst does not provide any encoding for transmitting multiple signatures, so you still need to either modify all the protocols to carry two signatures, or use a composite signature value.
        * You carry the (very large) PQ key and sig over the network whether or not the client uses it (ie very hard to negotiate algs when a hybrid cert is in use).
        * It is very difficult to audit what crypto was actually used at runtime since the server has no way to know whether the client actually checked the PQ part.
        * Compare that with composite where you either negotiate a traditional OID or a composite OID and it's very clear what's being used.
        * Catalyst Hybrid is not resistant to stripping / downgrade attack (ie Catalyst Hybrid certs only really make sense in an OR mode; though I suppose you could make them an AND mode by marking the extension CRITICAL).
        * "Complexity" of checking both signatures lives at the crypto alg layer.



        So as much as I'd like it to be as straight-forward of "We have Hybrid again, so let's drop Composite", I don't think it's that simple. I think there are strong advantages to each. I think I speak for Entrust that see value in supporting both Catalyst Hybrid and Composite certificates (as well as pure PQ / multi-cert), and would keep all three in our toolbox to recommend to customers depending on the details of their migration needs.

        But I agree that they are very similar and this is a good discussion to have.

        ---
        Mike Ounsworth

        -----Original Message-----
        From: Kampanakis, Panos <kpanos=40amazon.com@dmarc.ietf.org>
        Sent: October 26, 2022 1:24 PM
        To: Mike Ounsworth <Mike.Ounsworth@entrust.com>; 'LAMPS' <spasm@ietf.org>
        Subject: [EXTERNAL] PQ-hybrid or PQ-Composite?

        WARNING: This email originated outside of Entrust.
        DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.

        ______________________________________________________________________
        Hi Mike, composite drafts authors, and WG,

        Sorry for the monkey wrench. I am sure you are aware of this https://urldefense.com/v3/__https://www.isara.com/company/newsroom/isara-dedicates-four-hybrid-certificate-patents-to-the-public.html__;!!FJ-Y8qCqXTj2!aztm9JK1STn0XcErfeMf5yXQFR_5MMDuqP3WVKhZK9uu1C041s2dbh6qgNpa4nZj588VU3vhLFDl6BrRRvVIpDYvnCIBq3gm_SO6$  . ISARA seems to have opened up the patents they had on hybrid certs. Hybrid certs do the same thing as composites, but they add the additional algorithm in an optional extension, not concatenated. One advantage of hybrids is that we don't need a bunch PQ-composite OIDs. One disadvantage could be that the PQ-verifier needs to be careful to verify and not ignore the extension.

        If the IPR is indeed open for use now, should the WG be discussing which is the better option?

        Rgs,
        Panos

        Any email and files/attachments transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.
        _______________________________________________
        Spasm mailing list
        Spasm@ietf.org
        https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/spasm__;!!FJ-Y8qCqXTj2!Y7s7PLJaE5ModAs1T3eP5fpBuLZXuxA3FYcRJA734sJw0C5uxcpnGGvxfRC_xnzzz0CjVh6Aef22xqmakJb-QBt4$

v2.23.0 | Report a Bug | By Email