Re: [lamps] Hybrid pkix isn't needed

Michael Markowitz <markowitz@infoseccorp.com> Mon, 30 January 2023 00:59 UTC

Return-Path: <markowitz@infoseccorp.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5FF3C14F744 for <spasm@ietfa.amsl.com>; Sun, 29 Jan 2023 16:59:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=infoseccorp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q7YjnLBRdmc8 for <spasm@ietfa.amsl.com>; Sun, 29 Jan 2023 16:59:13 -0800 (PST)
Received: from NAM10-MW2-obe.outbound.protection.outlook.com (mail-mw2nam10on20730.outbound.protection.outlook.com [IPv6:2a01:111:f400:7e89::730]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CF5A5C14F72F for <spasm@ietf.org>; Sun, 29 Jan 2023 16:59:11 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=nEpQNuoXvq4PEBHnKptXVXTBeiEFHNN1+kSKW64c8aYW/7FIwTYlo9qppS3MhM7vdIZde5R3fsf+ij4qlZ8Nq3/pZUp92+Z4bb3/dCHUDU8XqjjmSzbmDj/QpzM4F95UqO3w5T2gG0W/ZAGfSjfQ0aildSVzFAAJUEJlp6SoFBe87W8vHl7bhD81lPjEitAzEDUlYrBZgvhJHdxc7x94th9TbZOYiHolatXXiiKln23gddkLx1atRhcwCvkuZ25BTRK1JPOCQa4FZPerNTZlgV9zLNqxTwobvGBjwsh3EZgLxiDfhFTg0EO/wha5TLo4IlSJL9ziFmt4yC6pcPF4Rw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=OBTrLAdZ9Q+6HWrCjIiSWNblGBSPB6djMOijIJ7X2uA=; b=Ciukd37KZE3/iVBbByJiKV8YX+jUjQSbEF+Bhx1J8pjQyxlgzS8rR9uX+Fm/1OCHddmpagAH/OBcTnKQgu/kFl5wqgfZFK1cA7WhMH3W7cQ1jTO3M68szWk6c0cQNCjnlXbbvkOqoMW72NhuVqd1FSznoIC4bDQJG/EMOfRwL2iHjUgXnQLixFm8arb62CwTJNh2xymvK+1EeuADENP2N8ENHUdhSDvSIsKDT0SVSlsnCoPHd3h731A2QOPr4evcb/UZeYmnOY3h6AG2bH9mdKuX0k5Dde3gJJSh/miv+9yXyQ9zEFdMRxqyvnXi/r8JllGsobOq8SyVEs3pcRRAQg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=infoseccorp.com; dmarc=pass action=none header.from=infoseccorp.com; dkim=pass header.d=infoseccorp.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=infoseccorp.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=OBTrLAdZ9Q+6HWrCjIiSWNblGBSPB6djMOijIJ7X2uA=; b=q/tJ15HNO8jdJWMub57mXoeFNhNV/5qr11tL6CTZORMwKHmAwqg0NzUAbACUYcSJOvC/pUf9qg2x/TJv0SP0D5bTirMbQOdsBRUytTOdjEZOBT6axbcFvErIg000lyrEx9nkjcNAjcVJgvFm0BVe94c6F+jUPU1DHuzkOQPI+BE=
Received: from DS7PR12MB5983.namprd12.prod.outlook.com (2603:10b6:8:7e::18) by IA1PR12MB6578.namprd12.prod.outlook.com (2603:10b6:208:3a2::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6043.22; Mon, 30 Jan 2023 00:59:03 +0000
Received: from DS7PR12MB5983.namprd12.prod.outlook.com ([fe80::a898:a604:e936:bfe3]) by DS7PR12MB5983.namprd12.prod.outlook.com ([fe80::a898:a604:e936:bfe3%4]) with mapi id 15.20.6043.031; Mon, 30 Jan 2023 00:59:03 +0000
From: Michael Markowitz <markowitz@infoseccorp.com>
To: Watson Ladd <watsonbladd@gmail.com>, "spasm@ietf.org" <spasm@ietf.org>
Thread-Topic: [lamps] Hybrid pkix isn't needed
Thread-Index: AQHZNDuAnFqDvDDvMEe3CdG65ZSOAK62FJ4g
Date: Mon, 30 Jan 2023 00:59:03 +0000
Message-ID: <DS7PR12MB5983E36300151BFC47E5CB34AAD39@DS7PR12MB5983.namprd12.prod.outlook.com>
References: <CACsn0c=uPvp_hmakpfPff8WkYh1q9NhjfTJYs7iFu_czL2yAyA@mail.gmail.com>
In-Reply-To: <CACsn0c=uPvp_hmakpfPff8WkYh1q9NhjfTJYs7iFu_czL2yAyA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=infoseccorp.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: DS7PR12MB5983:EE_|IA1PR12MB6578:EE_
x-ms-office365-filtering-correlation-id: 204eba73-3c47-4bcd-4367-08db025d2e41
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: e+GcHrkgWBCdwAvgKsJIELimntUw7Z9g0idKTQ2USy/fR6VlonsipGbr6+D7DZ1fU4hVPtPDybEejJ5qfvtMEzVmZVJXUZwl5V9VVYF/WilJ3bSpyNhHFaUcE3629MXgWLW/Z4LtOFrxCA1rl+4tE5RACK752V+BZ1Nb5KkBkxhtONUk95fzuv+utmZw53zCj1QuKmeaC0SMp27TNMGyi7a1GzbkObab7cdHXGcCiucwgMq8/zFxVjfiplL1cA90BvK6W1XBAkz1sz7pyOOIYqcpCtYBR3jGXbyVLx9wOOF1MV9nPc90AIbNmUSIPpq1QVbb6lWvXFPQPChHuEbo2HVfm7qD1PZr5usTjcIbqr02p/s6IuMmneUk9x+jniwm9N8STOda1af67BV8PUBmSnXGiJUnJC9QuDDHJ19EzoB+KU7WsPNJHhdTmgE/ZfrmYpvBQlciT6IM1377jCq6lvMWLCyaJUvVhCAJxUCjLZtyyAHNxd3p/KQoyNibS1lQZjOZt3N91RdYKw9HNxRtzbUGWQfe7MveUQJPIhji7SK+AFJdLFZeb86OmmSroucanVqzkJjqocnfPyzYYUN8wwT/eHwCX5fiANRtehKYLcPboSgpm2FCCKzP4AuvUeDUBz0uQIFYMFM2S4Vd9epI2yFp+JNIxsqSlDDGFbyLa6pD/eKvi3Z8SSYjCUgNXrdFNw9Wg50ziuOae8lku9avEw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DS7PR12MB5983.namprd12.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230025)(4636009)(136003)(366004)(376002)(39830400003)(396003)(346002)(451199018)(52536014)(86362001)(83380400001)(38070700005)(55016003)(122000001)(33656002)(186003)(9686003)(38100700002)(64756008)(8676002)(316002)(26005)(8936002)(110136005)(66476007)(478600001)(66556008)(6506007)(53546011)(41300700001)(71200400001)(66446008)(66946007)(66899018)(7696005)(5660300002)(76116006)(2906002); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: L39XLmk/63GYtEOcJldDgyg2t6g797IpAUdFz0hMsMRYTkO69GMIpHAvKDnL6Smciz35/4C2Q51n39Kdf7/rt+Zy1OIPj3ViFUIVCgi8JfhW17+rc01gCbZZbPDCuD7vhb2WeVAkYYW9W3ltJWAYCGdCT1CifQ5jEgIbs9Qar5A5OtHBmYTSdd8JeXWFL0Qh6snCNCylIo5pqC9mWgEmBtM7HhoAOmFsBo+HIqomRXM8btpcD3EIFnm7YXM7mMxpFXr0Sj1aK/0qMJ5V0EDCBqUM1cPUfb2Dvip8ikFg8hj+cJ/9OFYaAHkXSsaoYRSMSLXm9hxWa6YfepPuikoZ/qsMCyZBcAL96EF8kFev2AAGWpBzwFkxqXcRAUiRIxE194yCRAUUnhDeDgnMlgM4pxRUGxMuZZTXe3DRZOomR6whhZinJ7oVi16D1hn2s3w0biz32J0DOR4a+hDTrCWFsRV8iV4ZyMfXT7UNmTVdy5ZONw0bEke9m6M9UDWyP/VhFsNsfvL0JSkINpDg9iYjXzqNzIbvjkjsZnZbnOvJdrsO/tkR+812aHWBF4ZdzJsxQlE0Mpl9DInBWyAgbnEbgxyeR28c19irVJG1IjfN5SrtURr4geaTZeBuFyP4w88BCjYP/TaCDzAM28G5ytS3fK8P7cytgU9oZDHx2DADk6f0cDxp6dcoL5TJzfDR39x2CG6H+23OmpJwWjpJHmW8JB2WiYEPQkPLRiDS3ZpGB4VCfU0fh4ZsJJ45Mo4/+jNN7HRkBDnyremckB7qtuY0IW3e9Tvx2WNCaumXhQe1cPur1V+X4PjOBy6ipZVyCNZxdENRHk4aiChJj8RSHWR/SOHhFci6MekYnPb4xdMR7Eyz3sSLr4MX2M+FuZHqkRAQc23VDa2sSEtWb7cn9FXtAL8eNVJVYm5EcJnA3PGrC/zNvADLosiW59zWMUgYyNHIQJqXpoIXExxm/+KNdixRwNTH/qubksfc1UtGSF8PL+ebv15xfdRYFLQHYDX+HVMlmCTMNinxAjBI6CreijZQFGIvbJ4VR29vule4NB3M8RBTZ0L06ynqPeg0hk+aMqUQr3wDzde+jB3uJp+laFYSyItF0X2kxZ/iMQcfhC3MWr9IO8d1gtqLcXjDsf8TnL4dybSj8OKRJPNlIUWCda+zEo66rNasssTuRwgFbhtnb5XW3/gI370M3INU0FjqprHKadHk2fjMn2tBGtXQzRLzBl5LZO72vrjz8ERh0HWwYYFN+RY4nuIxftAi96Nmyz4M9my/ZEvbSfGXHra3LmSqar8pG6YFiGShtrO6fmnJySYgz8GTI9oHhMT8bQnH1ZXX9ZW/oDRXOC3o/U+Z8OZe/4KRpRYF+Q3wFHp65gZnHr3wMPJWtnLq3n08rUeainfVyY0RR5kaxjeXRH3tG5Aw51LmHmtPKD4NMhgcLFWskCQ8cnaT8fVb+eAdyE/ofvrv2Lf220r8FMLgB5gcKJ9WB5AK78ZHkou6flZ0M0PVISDeZVBfmgZPVj+Bv1Fm4pKY1q+JSzPzEiK5GyspFZrw5Z/GTRskoaMMJ/ktlMNemWFCLTr7YTUpIKQLN77ZDo/h
Content-Type: multipart/alternative; boundary="_000_DS7PR12MB5983E36300151BFC47E5CB34AAD39DS7PR12MB5983namp_"
MIME-Version: 1.0
X-OriginatorOrg: infoseccorp.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DS7PR12MB5983.namprd12.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 204eba73-3c47-4bcd-4367-08db025d2e41
X-MS-Exchange-CrossTenant-originalarrivaltime: 30 Jan 2023 00:59:03.3675 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f8afa6ae-fcf9-41af-84e8-cca28837a74a
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: kc/0uyiTpfIKdw5c89EMaHUm7Rkc2O2ucF0SLvK0axrPWNtPTV0ENZTwasZ3QPbVVfM+VVqm5R7MJ1tAgtAbEa2cRgO/pBpWI1k+AnPx5Z8=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: IA1PR12MB6578
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/WcHED_zlrs6j28mh-glzzNGd6qk>
Subject: Re: [lamps] Hybrid pkix isn't needed
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Jan 2023 00:59:17 -0000

Consider the following scenario:



During enrollment a user obtains a signing cert A. They use A to reauthenticate to their CA and obtain an RSA cert (R1), and then a Kyber cert (K1). Sometime later the same user leverages A to obtain another RSA cert (R2) and another Kyber cert (K2), say with different attributes, from the same CA. Maybe many more RSA and Kyber certs are issued to that user.



Now imagine that -- according to a security policy specified by the CA -- the pair [R1,K1] must be used for certain purposes  in some protocol P involving a hybrid KDF, while R2, K2, etc. are only to be used for other purposes (maybe separately).



What's the easiest way to ensure that a relying application when presented with R1, finds K1 rather than K2 as the other input into P? Sure this could be done in proprietary ways, but an innocuous (non-critical) extension linking the paired keys has a certain elegance. Also note that the user, to participate in P's hybrid KDF, doesn't need to do anything different from what they're already doing classically: they simply present the appropriate RSA cert, R1. It's only the relying (server?) app that must be modified to find K1 and carry out P. Kinda' useful in an enterprise environment in which end-entity certs are easy to update, but existing PKI clients are hard (i.e., expensive) to update -- or to even find!



To your points: a non-critical extension is "optional" -- no one will be forced to do anything with it. And I have trouble imagining another "transition model" that helps a relying server app find K1 rather than K2 without: new info provided by the client, a proprietary repository hack that links paired certs, or worse yet (heaven forbid!), abominable hybrid certs.



-mjm





-----Original Message-----
From: Spasm <spasm-bounces@ietf.org> On Behalf Of Watson Ladd
Sent: Sunday, January 29, 2023 3:43 PM
To: spasm@ietf.org
Subject: [lamps] Hybrid pkix isn't needed



Dear all,



I don't think linking certs or special provisions for hybrid encryption or authentication are a good idea.  A hybrid encryption scheme should be an encryption scheme with a public and private key, just like any other key you can put in the PKIX.



If for backwards compatibility you want to have multiple kinds of keys just like we do with RSA and ECDSA keys in TLS, just do that! Don't add complexities to try to link them or force people to find both keys at once for an operation. We know that the transition model with multiple unrelated certs works, and we have experience and fixed bugs that resulted. Let's use that instead of have new bugs to fix.



The other thing is hybrid auth is worthless. Authentication breaks are not retroactive: a break of an algorithm at a time in the future doesn't threaten the security properties of authentication in the past. That's different from encryption, where you do potentially want to ensure a new post-quantum algorithm is no worse than a classical one, but the case for it is fairly weak.



Sincerely,

Watson Ladd