Re: [lamps] Call for adoption of draft-becker-guthrie-cert-binding-for-multi-auth-01

"Kampanakis, Panos" <kpanos@amazon.com> Thu, 22 September 2022 19:53 UTC

From: "Kampanakis, Panos" <kpanos@amazon.com>
To: Russ Housley <housley@vigilsec.com>, LAMPS <spasm@ietf.org>
Date: Thu, 22 Sep 2022 19:53:41 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/VfLZzGOHNiVokuQHMTItA2DZU2g>

After giving it more thought and chatting with peers, I am against adopting this draft. 

It has huge implications to CAs because they would completely need to change their paradigm and check existing certs before issuing a new one bound to the existing one. That has great impact to the PKI ecosystem and how certs are issued, how keys are bound together, what happens if one gets revoked etc. Some of these issues may be solvable, but admittedly this is a lot of complexity we have not dealt with before. 

Additionally, it has great implications to existing protocols using X.509 for authentication. They would require major changes to introduce double signatures, send over two chains, confirm the signatures are from bound public keys etc. 

I understand that the authors' goal was to prevent two PKI migrations, one to PQ-hybrid and one to pure PQ but in my opinion the complexity is not worth it. Folks that are worried about authentication and want PQ support now could use composite in the near-term. Folks that either trust Dilithium, Falcon, or SPHINCS+ already or can wait a few years until they trust them, can just go to pure PQ signatures. These seem better options than going for a brand new complicated paradigm with bound certificates. 

Rgs,
Panos



-----Original Message-----
From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
Sent: Thursday, September 15, 2022 11:45 AM
To: LAMPS <spasm@ietf.org>
Subject: [EXTERNAL] [lamps] Call for adoption of draft-becker-guthrie-cert-binding-for-multi-auth-01

There has been some discussion of https://datatracker.ietf.org/doc/draft-becker-guthrie-cert-binding-for-multi-auth/. During the discussion at IETF 114, we agreed to have a call for adoption of this document.

Should the LAMPS WG adopt “Related Certificates for Use in Multiple Authentications within a Protocol” in draft-becker-guthrie-cert-binding-for-multi-auth-01?

Please reply to this message by Friday, 30 September 2022 to voice your support or opposition to adoption.

On behalf of the LAMPS WG Chairs,
Russ
