Re: [lamps] Dilithium OIDs per security level?

"Kampanakis, Panos" <kpanos@amazon.com> Mon, 21 November 2022 03:28 UTC

Return-Path: <prvs=317de04ab=kpanos@amazon.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D6FA1C14CEE6 for <spasm@ietfa.amsl.com>; Sun, 20 Nov 2022 19:28:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.599
X-Spam-Level:
X-Spam-Status: No, score=-9.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazon.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zb8q-hzr_8Mv for <spasm@ietfa.amsl.com>; Sun, 20 Nov 2022 19:28:01 -0800 (PST)
Received: from smtp-fw-6001.amazon.com (smtp-fw-6001.amazon.com [52.95.48.154]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7C353C14F74C for <spasm@ietf.org>; Sun, 20 Nov 2022 19:28:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1669001281; x=1700537281; h=from:to:date:message-id:references:in-reply-to: mime-version:subject; bh=h7CbQJHwO1fWO/YdT+IVUDexS1ecsku08NBaVaZZ/X4=; b=jPrGEPzmKVg7X7zZpNEav+V8aBBYFANom7xwJwMi2znnRoI6wQ0+1hEU TutrtHYHBGQrZrym+QMXvPPEtytND9fPVpoVlnX7GtbnXWtdoTRezzvA2 5dfV+H/iRh+187h8rkMdLuhDyz+BKsKWRkN7p63LSlwaeSsb0iG4fC69j w=;
Thread-Topic: [lamps] Dilithium OIDs per security level?
Received: from iad12-co-svc-p1-lb1-vlan2.amazon.com (HELO email-inbound-relay-iad-1e-m6i4x-3e1fab07.us-east-1.amazon.com) ([10.43.8.2]) by smtp-border-fw-6001.iad6.amazon.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 21 Nov 2022 03:27:40 +0000
Received: from EX13MTAUWB002.ant.amazon.com (iad12-ws-svc-p26-lb9-vlan3.iad.amazon.com [10.40.163.38]) by email-inbound-relay-iad-1e-m6i4x-3e1fab07.us-east-1.amazon.com (Postfix) with ESMTPS id 3B612813AF; Mon, 21 Nov 2022 03:27:38 +0000 (UTC)
Received: from EX19D001ANA002.ant.amazon.com (10.37.240.136) by EX13MTAUWB002.ant.amazon.com (10.43.161.202) with Microsoft SMTP Server (TLS) id 15.0.1497.42; Mon, 21 Nov 2022 03:27:36 +0000
Received: from EX19D001ANA001.ant.amazon.com (10.37.240.156) by EX19D001ANA002.ant.amazon.com (10.37.240.136) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) id 15.2.1118.20; Mon, 21 Nov 2022 03:27:36 +0000
Received: from EX19D001ANA001.ant.amazon.com ([fe80::4f78:75cd:3117:8055]) by EX19D001ANA001.ant.amazon.com ([fe80::4f78:75cd:3117:8055%5]) with mapi id 15.02.1118.020; Mon, 21 Nov 2022 03:27:36 +0000
From: "Kampanakis, Panos" <kpanos@amazon.com>
To: Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>, 'LAMPS' <spasm@ietf.org>
Thread-Index: Adj8bUvDs6Umf/tFR6+ft+xLBlLXiQA65f7w
Date: Mon, 21 Nov 2022 03:27:35 +0000
Message-ID: <57e5844ba58442f6ae1a9fb95ac4b111@amazon.com>
References: <CH0PR11MB5739EE2A5A75D8BCE1EC2F209F089@CH0PR11MB5739.namprd11.prod.outlook.com>
In-Reply-To: <CH0PR11MB5739EE2A5A75D8BCE1EC2F209F089@CH0PR11MB5739.namprd11.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.37.240.200]
Content-Type: multipart/alternative; boundary="_000_57e5844ba58442f6ae1a9fb95ac4b111amazoncom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/UJm5zRs5m5u9PngXWXSXM8TuzeE>
Subject: Re: [lamps] Dilithium OIDs per security level?
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Nov 2022 03:28:03 -0000

Hi Mike,

Yes, the OIDs will be hardcoded per level. They will not be parametrized as this has caused problems in the past.

Note that NIST will assign these OIDs, they will not be allocated by IANA.


From: Spasm <spasm-bounces@ietf.org> On Behalf Of Mike Ounsworth
Sent: Saturday, November 19, 2022 6:27 PM
To: 'LAMPS' <spasm@ietf.org>
Subject: [EXTERNAL] [lamps] Dilithium OIDs per security level?


CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.


Hi Jake, Panos, Sean, Bas,

I could use some clarification on which OIDs you're planning to register cause I'm trying to cross-reference them when defining all the composite pairs.

The current version of draft-ietf-lamps-dilithium-certificates-00 has

id-dilithiumTBD which you seem to be using for the signature algorithm.




   id-dilithiumTBD OBJECT IDENTIFIER ::= { joint-iso-itu-t(2)

            country(16) us(840) organization(1) gov(101) csor(3)

            nistAlgorithm(4) sigAlgs(3) TBD }


And also pk-dilithiumTBD which you seem to be using for the public key.

  PublicKeys PUBLIC-KEY ::= {
    -- This expands PublicKeys from RFC 5912
    pk-dilithiumTBD |
    pk-TBD-TBD,
    ...
  }


Next question: are you going to register those per level; ie id-dilithium2, id-dilithium3, id-dilithium5?

---
Mike Ounsworth
Software Security Architect, Entrust

Any email and files/attachments transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.