IETF Logo Mail Archive

Re: [lamps] Proposed recharter text

Mike Ounsworth <Mike.Ounsworth@entrust.com> Wed, 10 March 2021 00:02 UTC

Return-Path: <Mike.Ounsworth@entrust.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6031E3A1365 for <spasm@ietfa.amsl.com>; Tue, 9 Mar 2021 16:02:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=entrust.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JXaKEuguKOlc for <spasm@ietfa.amsl.com>; Tue, 9 Mar 2021 16:02:22 -0800 (PST)
Received: from mx07-0015a003.pphosted.com (mx07-0015a003.pphosted.com [185.132.183.227]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2B1F93A1366 for <spasm@ietf.org>; Tue, 9 Mar 2021 16:02:21 -0800 (PST)
Received: from pps.filterd (m0242864.ppops.net [127.0.0.1]) by mx08-0015a003.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 12A00BxB002123; Tue, 9 Mar 2021 18:02:07 -0600
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=entrust.com; h=from : to : subject : date : message-id : references : in-reply-to : content-type : content-transfer-encoding : mime-version; s=mail1; bh=GGZYHoVKzxO3zfNILcsIEHDmrzJBv77A0N3tWF6Weq4=; b=PJ/RRWCt0N/dpbNW6IARKlPMZ1GjsEIbik4q7qHWXigZ7IydyqsbohdeBPBZ/fOS5/br d5mBzbfAfwiGVE2OybpVlfBel9oJUH55CRTksmYdIZG/qBS81n3FYPJrg+wY5LET/bs2 bc4HKvtwzRGphaenSvQQjo3iVeuxq7QMv4KDrHR8722zp/oVIJ4LV66lWwrdQ2APyv4G rB7Gw3THj3txlRp+wirSYWrL0Nc8nkQfuildVrC6J9q28khGT3QrcMePKPqOKiQy3zfe z2WJbMN9MDw9hlBL7TVBq5MM9NbHPoWlIt39ZSU58E/GXU+DU5kq+l7EPSd/FDAQVv/4 bw==
Received: from nam10-dm6-obe.outbound.protection.outlook.com (mail-dm6nam10lp2108.outbound.protection.outlook.com [104.47.58.108]) by mx08-0015a003.pphosted.com with ESMTP id 3747a8xw5g-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 09 Mar 2021 18:02:07 -0600
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=XqYzj0tN7ef0Wc6TUqWZPeAqOa5OKYoZ1mVqENHPICCOR6lyL3qWq9ty4K4ukjSz3OYRsU9euWKZJsG/P7RU22aWIwM8S3ojoz1QzOk3t+0ihc+/QpLfL2VcKlMsTAl+0QPwYGe0iwq2eLcbqgDvyj7paQbnW3XrfqjH/FNqgMNeGXrm0J/foB21YGwxjDGjPTPN8DiwuD5ujeiTf2UZnnDvG/dS5NnNkon8nfDKTm/bUtUkx7oyJ4ReXlTNRizjAFNITrHY4pJe8qj1N/W1itOuxiiqNI5RkxvxpJ9hparV9ODc4hELpYbmaEfJBcye2z2e+ORvDL/eRL3RBGZi5Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=GGZYHoVKzxO3zfNILcsIEHDmrzJBv77A0N3tWF6Weq4=; b=cE4mqnh7/bcozSxyDdTYk8Mf66kD/5n+/X+6C7jpGOtmbl8pnZjw5WScdd2JcLxFX19M97yEdiu21ZonLij59naAqIUZYZm2GRPrjyoqH7PdnateYuHrZkpFvUTStuBv3L9hV5aHFs4Cxp3g9Pd+rgLdwVncf3snULXwbCAlFh6ZFqyWvhrE/8a1Vluxe2qfTQUIYrPeovoDXgePIDY4E+3k6pWSAu4J46X19zdgPL3fiEj0YZ+ecjv6dTcUMcCxiH1donoFp8NrIojAcAg6B8Uow1+5JATlYWoAweLn00HYVP9T7b+ItAPJ6kfJ39mCnTklp93DR294KYFO2HkEbw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=entrust.com; dmarc=pass action=none header.from=entrust.com; dkim=pass header.d=entrust.com; arc=none
Received: from DM6PR11MB4380.namprd11.prod.outlook.com (2603:10b6:5:14e::20) by DM6PR11MB3083.namprd11.prod.outlook.com (2603:10b6:5:65::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3890.19; Wed, 10 Mar 2021 00:02:02 +0000
Received: from DM6PR11MB4380.namprd11.prod.outlook.com ([fe80::a500:2ae3:a6c4:bc13]) by DM6PR11MB4380.namprd11.prod.outlook.com ([fe80::a500:2ae3:a6c4:bc13%4]) with mapi id 15.20.3912.027; Wed, 10 Mar 2021 00:02:02 +0000
From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
To: Roman Danyliw <rdd@cert.org>, LAMPS <spasm@ietf.org>
Thread-Topic: [lamps] Proposed recharter text
Thread-Index: AQHXFG+caDH9gEMNyEesQjTjQTQj56p6uTEQgAGE6YCAABgzMA==
Date: Wed, 10 Mar 2021 00:02:01 +0000
Message-ID: <DM6PR11MB43806CB904AD424D1B925E799F919@DM6PR11MB4380.namprd11.prod.outlook.com>
References: <DM6PR11MB43808FA7D74229A5997965649FBA9@DM6PR11MB4380.namprd11.prod.outlook.com> <9D01B155-6BB8-4438-8FAA-149686B69B64@vigilsec.com> <BN7PR11MB254762EDB050588E65B423B2C9869@BN7PR11MB2547.namprd11.prod.outlook.com> <038A4AA3-96A5-4827-BEEB-12B58F49102B@vigilsec.com> <b82901c00c6847fe9a8f420275d74ccc@cert.org> <DM6PR11MB43805BE3FEFD91A5BDD592EF9F939@DM6PR11MB4380.namprd11.prod.outlook.com> <f6b83156ae704d459125bf4157578e86@cert.org>
In-Reply-To: <f6b83156ae704d459125bf4157578e86@cert.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: cert.org; dkim=none (message not signed) header.d=none;cert.org; dmarc=none action=none header.from=entrust.com;
x-originating-ip: [4.19.72.62]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: f2cf3180-3002-4ebb-212e-08d8e357bb91
x-ms-traffictypediagnostic: DM6PR11MB3083:
x-microsoft-antispam-prvs: <DM6PR11MB3083FD06B116F6BA4E78DC779F919@DM6PR11MB3083.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: LlcZBwqJbu3uL70UqBZ81eqHB1MilHdiAREq7t+UhgJ4qSwHlLyJu3JWfMtW62Fh2pnRsC3RsXB5BtYBH1WV/n26anxPIpTSr/kFI9AB85JJalFFeDToUSCdgbn6txPo/m41N1WMrLA0pP4Y+BYOP9Lj1fLIYPE8zJ1PShwE17lqG/2GsDtHVpwo6Wo6vkh+OcnVFhMhRZ3DaLQIPghaJOj35kAzmbKUyPYVz76USMH1IyzQ9v1ef3Zs0ZhvtwKQGgYfXiB7FByi/j8GMDyTDHkpt6gQZDDD63DziiVECBZO1O0Xlc1qNAAn+OVKwA8ynPY1khd82cxU+fwDCFNQxHSu5PDUuPfhxsamWXcja659EEnQ5+BBs7IOhqZBE6jjdBJKuiSw/pV02CNLxTarkOJCeiicNaqg493CT/zruhgEqruuKK99adpC3x7FVQ1LgX2tcYO3TbwiNHkMbrXpXCbb4Bxspj+4jt9NBJZ72xFVOclaxS1bJPN69U3lBFM6U+odUcAFc1PVxBowz2/BYKMPVtJAYzuRtMsSH4BZbv51GMoxvk5VT+xf9xJrAxMN8w3QM1D1Z9bIVEjAIE/E6VkY0D/ahKCzkidCIo788JM=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM6PR11MB4380.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(376002)(366004)(136003)(346002)(39830400003)(396003)(8936002)(83380400001)(478600001)(6506007)(316002)(9686003)(66574015)(8676002)(55016002)(52536014)(66556008)(66946007)(76116006)(64756008)(186003)(5660300002)(86362001)(30864003)(53546011)(71200400001)(110136005)(2906002)(7696005)(966005)(66476007)(66446008)(33656002)(26005); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: 7/TdSDlR/va1xXvYKIQHgZN2HUHXQfXKQCzb2f3K8NFv/CSTqe5czEmCqUgl1jtxDQK/aFgydGV32MPOtDp2E2Lshm7/VfXfD9+ZTqejIAD8YHEb3nVFkv1xcZywgxsWL3CmKOvOgFhUZjld3gnOwmlrXmzJ8UAC+XwL+cZYpwQBgzUGQ84K2pewJMmVFoivrLJ0Kqn6qlKyE6UWm/C7pLjNP6PTogSZ8a9ltIs0OumJhDeYtqZojpNM1CPkMLNYuRb90haTbs4ZZJQ8iiW/vJ7t9Wx9A8lSL/jIGqy4nwHX4BVOEPccA+P2MX4SlqO/SYb/GMLDB2XLGFpgdhHrPnzWXPs68pJmamUIbso65a0lOH2xX+B+JS9P0u/Ozefe23kmTqDkGAUc9GSqETaPM+komL6E3Pq4s1LKci/7t7CfAK1b5gxO63d19Vs2nMNjC7mkfkQVf7BNzKaqvHE8oO+567t/npJiUl6LuMgkod99DWOJFNJy9qU3foh7f7EShwZC/2PgFycl82ersHeQOSxTxrk3DnkZeno7YeCqwuUiEroUhmSYPY+0VP7bWfxhWGI9wWGnRjNusT4Dxhbvb91SIsHHLJ/PnK3UZPd2obOAd+pm3uZbOB5sa4Dx5N31Zm+WZHokjWziYKPxSIuYi3DsyI69NwBlTVIUKfkfACObslt63QahvzCkDTYAcLbiqvqLMWZ5JOOWLblBkDvM8qHRla6/Sw0mpuhgzDyRIyBdpwK3PFpS2HSAQZw/iylM2PT1fjEtnDzWTNf5GAZL+sYlTlc8QoZY9vozMIwEW/ixV1SQibyWACl3zdkBZkL6uFTS6qMWtvbNqi7OWyVB/VFftop6uXQjgFE40caDD9bE6wNlNAYM90xM35ehhwH1W9/QbHaFHedytC6d44ZfWnPFMgsjV4c+qCAyX+vv7YQZFKDP+Ykl8rArUKcdhKYpw6LoI6D1gez3sIDYeB2wOb8cz8BeNsXaeXHjYGMV5R7YkXJLEULtRNNs9lZ3vLt4NLa00llVkPBqi0ZkfNCLWonfP5vkeSmlPcSWuEyOcjrdMFO4IXeSIl4R9tPaZX0P+wxLT6SnS9/k0djGzh+hk0zv0McZ+uQeqOQxFTSjGcn723I7QMfBBp5EZm7uEiVGGOZXLGduJAcbplgNuTIaP7/3vnjgnxFXja0XQahmJde+VdyWf/RAVIhrapJJLfKiNL9lRY1vzFbKZkHOR/WkrO1Pn7fYq/wJ1KhybMLZoi+Ijd1f3o1F9eFe463YRRNgXzGEt80/LmsicWGmydFmvL88NBCRTf5H83DJB5qtF50=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: entrust.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM6PR11MB4380.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: f2cf3180-3002-4ebb-212e-08d8e357bb91
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Mar 2021 00:02:02.0106 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f46cf439-27ef-4acf-a800-15072bb7ddc1
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: d9nmOxsMhvvA4FQTysQL0uuphtfc5ICSSdNl8kOjjyJ7su19j8MdobnDsW6i37jolnwJTfpVTux6GDLyDRAnU/RR+GmwTsBp5HuNUUeMntQ=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR11MB3083
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.369, 18.0.761 definitions=2021-03-09_20:2021-03-09, 2021-03-09 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 lowpriorityscore=0 adultscore=0 impostorscore=0 phishscore=0 mlxlogscore=999 malwarescore=0 mlxscore=0 suspectscore=0 spamscore=0 clxscore=1015 bulkscore=0 priorityscore=1501 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2103090118
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/VZvFDWQ5f4fYlUOWtsW8aXxiyyc>
Subject: Re: [lamps] Proposed recharter text
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Mar 2021 00:02:25 -0000

Thanks Roman.

Sounds like your preference is to re-charter around specific drafts rather than the catch-all language that 5b currently is? Sounds like I should get all my drafts up as the next step, then come back to the re-chartering question armed with specific drafts? 

I guess this come back to a process question to Russ and Tim about how to figure out which problems and drafts to re-charter for in the short-term?

---
Mike Ounsworth

-----Original Message-----
From: Roman Danyliw <rdd@cert.org> 
Sent: March 9, 2021 4:28 PM
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>; LAMPS <spasm@ietf.org>
Subject: [EXTERNAL] RE: [lamps] Proposed recharter text

WARNING: This email originated outside of Entrust.
DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.

______________________________________________________________________
Hi Mike!

> -----Original Message-----
> From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
> Sent: Monday, March 8, 2021 6:54 PM
> To: Roman Danyliw <rdd@cert.org>; LAMPS <spasm@ietf.org>
> Subject: RE: [lamps] Proposed recharter text
> 
> Hi Roman,
> 
> I can fill you in on how (5b) got to be worded the way it is.
> 
> Speaking as the author of the (currently only?) dual / hybrid draft at 
> LAMPS and presenter at LAMPS interim, I think the nebulousness of (5b) 
> is because there was consensus that LAMPS should start working on 
> Dual/Hybrid mechanisms, but we're still figuring out the scope of that work.

Thanks for the back brief on the discussion.

I can appreciate the challenge of figuring out the scope of the work.  I'm looking for a middle ground in charter specificity to allow some of this exploration but not repurpose LAMPS to be the catch-all PQ migration WG.  Nothing prevents the IETF for pursuing such a thing, but that's not LAMPS.  In my review, the only potential scope we have given ourselves is the following sentence, "The specifications developed will enable PKIX and S/MIME protocols to support hybrid key establishment and dual signature mechanisms", which seems like a restatement of a very general objective.  To be fair, we've said equally vague things like this in the past in charter language, but (as I recollect) in those cases there was a specific draft which was guiding that charter bullet. 

> For example:
> Can we get by with defining a new algorithmID, and therefore avoid 
> doing something that feels like X.509v4? Are we going to need separate 
> mechanisms for public PKI (simple and restrictive) and private PKI 
> (complete flexibility to do complex staged migration of long-lived 
> devices)? Can CMS get by with existing multiple SignerInfo 
> functionality, or does it need something new? Do we need some sort of 
> CRL / OCSP mechanism to signal algorithm deprecation for devices that 
> can't receive firmware patches? (the term "Online Algorithm Status 
> Protocol" was jokingly floated) The latter is probably already outside the scope of 5, so would need another re-charter anyway.

If we honestly know so little about the solution space that the continuum runs from something as wide as identifier management to X.509v4 (I appreciate there some hyperbole in the scope) then I think we need keep talking to explore the scope before we update the charter on work items.  The current charter seems to guide us in situations like this:

==[ snip
The LAMPS (Limited Additional Mechanisms for PKIX and SMIME) Working Group is chartered to make updates where there is a known constituency interested in real deployment and there is at least one sufficiently well specified approach to the update so that the working group can sensibly evaluate whether to adopt a proposal.
==[ snip

IMO, this is a weighty topic.  In partnership with NIST and CFRG, these PQ challenges are definitely things we as the IETF should be working on.  It may be the case that parts of what we want to get done can be captured in a this charter update; and might also learn that there is more too do that can't be fit easily into the maintenance-style character of LAMPS.  As I noted in my original inquiry, we likely need to find and document straightforward answers to the bounding questions I suggested (I'm open if there are others), so we can at least get started.

I won't speak to the management of agenda time by the chairs, but I see no reason why we can't (continue to?) talk about unadopted documents in this thematic vein until we're closer to understanding the solutions space.  I appreciate this comes with the potential for a "re-charter penalty."

> So (5b) is broadly worded on purpose because we want to get moving, 
> but are still feeling out the scope of work. How do you balance the "L" in "LAMPS"
> against narrowing the scope too soon and missing good solutions or 
> valuable use-cases for this unprecedented migration problem?
>
> On a personal note: I have a small pile of drafts that I hope to get 
> up after 110 on composite keys, signatures (two competing proposals; 
> maybe we need both?), and encryption (yes, I agree that 800-56Cr2 is 
> the way to go). It would be nice if these were in-scope so they can be discussed officially at LAMPS 111.

Great!  Having these proposals would help us scope the work per the existing LAMPS charter work.

Roman

 
> ---
> Mike Ounsworth
> 
> -----Original Message-----
> From: Spasm <spasm-bounces@ietf.org> On Behalf Of Roman Danyliw
> Sent: March 8, 2021 5:06 PM
> To: LAMPS <spasm@ietf.org>
> Subject: [EXTERNAL] Re: [lamps] Proposed recharter text
> 
> WARNING: This email originated outside of Entrust.
> DO NOT CLICK links or attachments unless you trust the sender and know 
> the content is safe.
> 
> ___________________________________________________________________
> ___
> Hi!
> 
> I'm not necessarily responding directly this message but wanted to 
> comment on the proposed charter text.
> 
> On (1) - (4), no issues with proposed text.  I would just ask that we 
> have milestones, even if the dates are notional.  Perhaps this can be 
> covered at the meeting later this week.
> 
> Per (5a), we should definitely use the refined text below which times 
> the effort around the output of the NIST PQC effort.  No milestone 
> required for that.  No issues otherwise.
> 
> I would like to chat about the scope of (5b).  Sadly, I missed the 
> conversation at the last interim.  There seem to be two loosely 
> related thrusts -- one around "dual or composite signatures" and another on "hybrid key establishment".
> 
> Per "dual signatures", we chatted about this at IETF 106's SecDispatch 
> too and the result was to take it to LAMPS
> (https://urldefense.com/v3/__https://datatracker.ietf.org/doc/minutes-
> 106-
> secdispatch/__;!!FJ-Y8qCqXTj2!P1klq0lPS4leBZqYLrnZLsQxT1WWp5lakxXgsd-
> WgBKYoytfSawSF-VEU_Byp00Yc3FFTUYMZQ$ ).  No issues with this top level 
> intent.  What would be helpful to sharpen are the bounds a "specification  ...
> [that] will enable PKIX and S/MIME protocols to support ... a dual 
> signature mechanisms".  Are we restricting ourselves to just format (seems fine)?
> verification practices (seems fine)? recommended signature 
> combinations (is there a dependence on NIST activities?)? Something else?
> 
> Per "hybrid key establishment", this is a slightly different focus 
> which we previously haven't discussed outside of LAMPS.  What would 
> this specification work entail -- again, is it just format work or 
> also explicitly defining or recommending constructs which mix multiple 
> key types?  What would be relationship between this work and an 
> updated 800-56C promised out of the NIST PQC effort?
> 
> Regards,
> Roman
> 
> 
> > -----Original Message-----
> > From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
> > Sent: Wednesday, February 17, 2021 8:49 AM
> > To: Panos Kampanakis <pkampana@cisco.com>
> > Cc: LAMPS <spasm@ietf.org>
> > Subject: Re: [lamps] Proposed recharter text
> >
> > Panos:
> >
> > I agree that 5a ought to wait for the NIST completion to complete.
> > I'll add that to the text...
> >
> > a. After the NIST Post-Quantum Cryptography (PQC) effort produces 
> > one or more quantum-resistant public-key cryptographic algorithm 
> > standards, the LAMPS WG will specify the use of PQC public key 
> > algorithms with the PKIX certificates and the Cryptographic Message 
> > Syntax
> (CMS).
> >
> > Russ
> >
> > > On Feb 16, 2021, at 11:01 PM, Panos Kampanakis (pkampana)
> > <pkampana=40cisco.com@dmarc.ietf.org> wrote:
> > >
> > > I don't think 5a should be added in the LAMPS charter at this time.
> > > It is too early. And besides, draft-ietf-tls-semistatic-dh does 
> > > the same thing with classical (EC)DH keys in the leaf cert and it 
> > > is worked in the TLS WG.
> > >
> > >
> > > -----Original Message-----
> > > From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
> > > Sent: Wednesday, February 10, 2021 3:22 PM
> > > To: LAMPS <spasm@ietf.org>
> > > Subject: [lamps] Proposed recharter text
> > >
> > > I propose the attached recharter text.
> > >
> > > Tasks 1-3 are unchanged from the current charter,
> > >
> > > Task 4 is a slightly edited version of the text proposed by DKG 
> > > after IETF 109.
> > >
> > > Task 5 is the text that came out of the discussion that followed 
> > > the virtual interim at the end of last month.
> > >
> > > Task 6 was raised in the discussion that followed the virtual 
> > > interim at the end of last month.  In my view, it is too early to 
> > > work on advancement of RFC 8550 and RFC 8551, but putting it in 
> > > the charter now will allow us to tackle them when they are well deployed.
> > >
> > > Russ
> > >
> > > = = = = = = = =
> > >
> > > The PKIX and S/MIME Working Groups have been closed for some time.
> > > Some updates have been proposed to the X.509 certificate documents 
> > > produced by the PKIX Working Group and the electronic mail 
> > > security documents produced by the S/MIME Working Group.
> > >
> > > The LAMPS (Limited Additional Mechanisms for PKIX and SMIME) 
> > > Working Group is chartered to make updates where there is a known 
> > > constituency interested in real deployment and there is at least 
> > > one sufficiently well specified approach to the update so that the 
> > > working group can sensibly evaluate whether to adopt a proposal.
> > >
> > > The LAMPS WG is now tackling these topics:
> > >
> > > 1. Specify the use of short-lived X.509 certificates for which no 
> > > revocation information is made available by the Certification Authority.
> > > Short-lived certificates have a lifespan that is shorter than the 
> > > time needed to detect, report, and distribute revocation 
> > > information.  As a result, revoking short-lived certificates is 
> > > unnecessary and
> pointless.
> > >
> > > 2. Update the specification for the cryptographic protection of 
> > > email headers -- both for signatures and encryption -- to improve 
> > > the implementation situation with respect to privacy, security, 
> > > usability and interoperability in cryptographically-protected electronic mail.
> > > Most current implementations of cryptographically-protected 
> > > electronic mail protect only the body of the message, which leaves 
> > > significant room for attacks against otherwise-protected messages.
> > >
> > > 3. The Certificate Management Protocol (CMP) is specified in RFC 
> > > 4210, and it offers a vast range of certificate management options.
> > > CMP is currently being used in many different industrial 
> > > environments, but it needs to be tailored to the specific needs of 
> > > such machine-to-machine scenarios and communication among PKI 
> > > management entities.  The LAMPS WG will develop a "lightweight"
> > > profile of CMP to more efficiently support of these environments 
> > > and better facilitate interoperable implementation, while 
> > > preserving cryptographic algorithm agility.  In addition, 
> > > necessary updates and clarifications to CMP will be specified in a separate document.
> > > This work will be coordinated with the
> > LWIG WG.
> > >
> > > 4. Provide concrete guidance for implementers of email user agents 
> > > to promote interoperability of end-to-end cryptographic protection 
> > > of email messages.  This may include guidance about the 
> > > generation, interpretation, and handling of protected messages; 
> > > management of the relevant certificates; documentation of how to 
> > > avoid common failure modes; strategies for deployment in a mixed 
> > > environment; as well as test vectors and examples that can be used 
> > > by implementers and interoperability testing.  The resulting 
> > > robust consensus among email user agent implementers is expected 
> > > to provide more usable and useful
> > cryptographic security for email users.
> > >
> > > 5. Recent progress in the development of quantum computers pose a 
> > > threat to widely deployed public key algorithms.  As a result, 
> > > there is a need to prepare for a day when cryptosystems such as 
> > > RSA, Diffie-Hellman, ECDSA, ECDH, and EdDSA cannot be depended 
> > > upon.  As a result, there are efforts to develop standards for 
> > > post-quantum cryptosystem (PQC) algorithms that that will be 
> > > secure if large-scale quantum
> > computers are ever developed.
> > >
> > > a. Specify the use of PQC public key algorithms with the PKIX 
> > > certificates and the Cryptographic Message Syntax (CMS).
> > >
> > > b. Develop specifications to facilitate a lengthy transition from 
> > > today's public key algorithms to PQC public key algorithms.  
> > > Unlike previous algorithm transitions, time will be needed before 
> > > there is full confidence in the PQC public key algorithms.  
> > > Therefore, transition mechanisms that combine traditional 
> > > algorithms with PQC algorithms will be needed for "hybrid key 
> > > establishment" and "dual signatures".  NIST defines "hybrid key 
> > > establishment" as any key establishment scheme that is a 
> > > combination of two or more components that are themselves 
> > > cryptographic key-establishment schemes.  NIST defines "dual 
> > > signatures" as any signature scheme that consists of two or more 
> > > signatures on a common message.  The specifications developed will 
> > > enable PKIX and S/MIME protocols to support hybrid key 
> > > establishment
> > and dual signature mechanisms.
> > >
> > > 6. Progress RFC 5280, RFC 6960, RFC 8550, and RFC 8551 to Internet 
> > > Standard status.
> > >
> > > In addition, the LAMPS WG may investigate other updates to 
> > > documents produced by the PKIX and S/MIME WG. The LAMPS WG may 
> > > produce clarifications where needed, but the LAMPS WG shall not 
> > > adopt anything beyond clarifications without rechartering.
> > >
> > > _______________________________________________
> > > Spasm mailing list
> > > Spasm@ietf.org
> > > https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/
> > > sp
> > > asm__;!!FJ-Y8qCqXTj2!P1klq0lPS4leBZqYLrnZLsQxT1WWp5lakxXgsd-
> WgBKYoyt
> > > fSawSF-VEU_Byp00Yc3FnDv8GXA$
> > > _______________________________________________
> > > Spasm mailing list
> > > Spasm@ietf.org
> > > https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/
> > > sp
> > > asm__;!!FJ-Y8qCqXTj2!P1klq0lPS4leBZqYLrnZLsQxT1WWp5lakxXgsd-
> WgBKYoyt
> > > fSawSF-VEU_Byp00Yc3FnDv8GXA$
> >
> > _______________________________________________
> > Spasm mailing list
> > Spasm@ietf.org
> > https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/sp
> > as
> > m__;!!FJ-Y8qCqXTj2!P1klq0lPS4leBZqYLrnZLsQxT1WWp5lakxXgsd-
> WgBKYoytfSaw
> > SF-VEU_Byp00Yc3FnDv8GXA$
> 
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/spasm__;!
> !FJ-Y8qCqXTj2!P1klq0lPS4leBZqYLrnZLsQxT1WWp5lakxXgsd-WgBKYoytfSawSF-
> VEU_Byp00Yc3FnDv8GXA$

v2.23.0 | Report a Bug | By Email