Re: [lamps] Proposed addition of hash-based signature algorithms for certificates to the LAMPS charter

Ryan Sleevi <ryan-ietf@sleevi.com> Mon, 12 November 2018 16:15 UTC

From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Mon, 12 Nov 2018 11:15:31 -0500
To: Tim Hollebeek <tim.hollebeek@digicert.com>
Cc: Ryan Sleevi <ryan-ietf@sleevi.com>, Russ Housley <housley@vigilsec.com>, SPASM <spasm@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/YtR5JlTZujgsGSsiZu_frUGUXlg>

Tim,

I find the reply approach fairly unhelpful. Perhaps you could reply to
specific statements in my message, rather than directing them to me
personally. I made several statements in the previous message, and your
statement "Most people disagree with you" provides little insight into what
you take umbrage with.

Such thoughtful replies on the substance, rather than the person, also
help make sure that concerns are addressed; for example, given that you
have not elaborated on the CT argument, it's difficult for others to make
sense of that reference. As I'm certain we both want to ensure a productive
discussion, chair hat or otherwise, understanding the substance of your
past arguments and current statements provides much more value than the
quick and unfortunately too brief replies.

On Mon, Nov 12, 2018 at 11:06 AM Tim Hollebeek <tim.hollebeek@digicert.com>
wrote:

> Most people disagree with you, including NIST.
>
> Another example:
>
> http://www.pqsignatures.org/index/hbs.html
>
> “While the security of other post-quantum cryptographic schemes like
> lattice-based ones is still object to further research, hash-based
> signatures are well understood.”
>
> Second, hash-based signatures have already been standardized by IETF,
> while stateless schemes have not.
>
> -Tim
>
> *From:* Ryan Sleevi <ryan-ietf@sleevi.com>
> *Sent:* Monday, November 12, 2018 7:47 AM
> *To:* Tim Hollebeek <tim.hollebeek@digicert.com>
> *Cc:* Russ Housley <housley@vigilsec.com>; SPASM <spasm@ietf.org>
> *Subject:* Re: [lamps] Proposed addition of hash-based signature
> algorithms for certificates to the LAMPS charter
>
> On Mon, Nov 12, 2018 at 9:35 AM Tim Hollebeek <tim.hollebeek@digicert.com>
> wrote:
>
> > (chair hat off)
> >
> > Reconstituting a CT log server from a backup is similarly catastrophic.
>
> Could you elaborate on why you believe that’s relevant? I have some
> suspicions, but before I point out the flaws in an argument you may not be
> making, it seems useful to understand exactly what connection you see
> between that and a discussion of certificate signing algorithms.
>
> > The risk you note is certainly something that should be carefully
> > addressed in the draft, but I think throwing stateful signatures out of
> > IETF entirely because of it is a bit of an overreaction.
>
> That’s fairly dismissive, even if couched in “a bit”. Do you disagree that
> the stateless signatures offer equivalent security and with better
> usability than stateful signatures - something that other WGs have been
> prioritizing or requiring of their work product for half a decade now? What
> makes this WG unique?
>
> > -Tim
> >
> > *From:* Spasm <spasm-bounces@ietf.org> *On Behalf Of* Adam Langley
> > *Sent:* Thursday, November 8, 2018 12:42 PM
> > *To:* Russ Housley <housley@vigilsec.com>
> > *Cc:* SPASM <spasm@ietf.org>
> > *Subject:* Re: [lamps] Proposed addition of hash-based signature
> > algorithms for certificates to the LAMPS charter
> >
> > On Tue, Nov 6, 2018 at 7:51 PM Russ Housley <housley@vigilsec.com> wrote:
> >
> > > The SECDISPATCH WG met on Tuesday afternoon, and they made this
> > > recommendation:
> > >
> > > >  draft-vangeest-x509-hash-sigs-01 -- re-charter LAMPS WG to accept this draft
> > >
> > > Three questions:
> > >
> > > 1) Do you support the addition of this work to the LAMPS charter?
> >
> > No:
> >
> > The signature schemes in the draft are stateful and sudden-death: the
> > penalty for mishandling the state is huge. This contrasts with every
> > signature scheme ever (I believe) deployed and thus with every current
> > process. For example, reconstituting an HSM from smartcards would be a
> > fatal error with such a scheme.
> >
> > These schemes hedge against a valid risk, but at the cost of introducing a
> > much larger one.
> >
> > The contexts in which stateful & sudden-death signatures are plausible are
> > so specific and controlled that standardisation in X.509 would be immaterial
> > to them—they are not multi-lateral enough that whether something has an RFC
> > or not matters. On the other hand, standardisation implicitly hints that the
> > thing being standardised is somewhat reasonable. So, on balance, I don't
> > think the integration of stateful schemes into formats and protocols is a
> > suitable subject for the IETF.
> >
> > AGL
> >
> > --
> >
> > Adam Langley agl@imperialviolet.org https://www.imperialviolet.org
>
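
The "stateful and sudden-death" failure mode raised in the thread (restoring a signer from a backup rolls its state back and reuses a one-time key) can be shown with a small model. This is an added example, not part of the original message or of draft-vangeest-x509-hash-sigs; it uses a constructed toy Lamport signer rather than LMS/XMSS, and `ToyStatefulSigner`, `MonotonicCounter` and `guarded_sign` are hypothetical names.

```python
import copy, hashlib, os

N = 256  # bits in a SHA-256 digest

def digest_bits(msg):
    d = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return [(d >> i) & 1 for i in range(N)]

class ToyStatefulSigner:
    """Constructed toy: Lamport one-time keys plus a next-index counter."""
    def __init__(self, leaves=4):
        self.keys = [[(os.urandom(32), os.urandom(32)) for _ in range(N)]
                     for _ in range(leaves)]
        self.next_index = 0  # the state that must never move backwards

    def sign(self, msg):
        idx = self.next_index
        self.next_index += 1  # advance state before releasing the signature
        return idx, [self.keys[idx][i][b] for i, b in enumerate(digest_bits(msg))]

class MonotonicCounter:
    """Assumed stand-in for a counter kept outside the backup set."""
    def __init__(self):
        self.high_water = 0

def guarded_sign(signer, counter, msg):
    """Refuse to sign if the signer's state is behind the external counter."""
    if signer.next_index < counter.high_water:
        raise RuntimeError("state rollback detected: one-time key would be reused")
    idx, sig = signer.sign(msg)
    counter.high_water = signer.next_index
    return idx, sig

def exposed_positions(msg_a, msg_b):
    """Bit positions where two signatures under one key reveal both secrets."""
    return sum(a != b for a, b in zip(digest_bits(msg_a), digest_bits(msg_b)))

def simulate_restore():
    signer = ToyStatefulSigner()
    backup = copy.deepcopy(signer)            # backup taken at index 0
    idx_a, _ = signer.sign(b"certificate A")
    signer = backup                           # restore: counter silently rolls back
    idx_b, _ = signer.sign(b"certificate B")  # same one-time key, different message
    return idx_a, idx_b, exposed_positions(b"certificate A", b"certificate B")

def simulate_guarded_restore():
    signer, counter = ToyStatefulSigner(), MonotonicCounter()
    backup = copy.deepcopy(signer)
    guarded_sign(signer, counter, b"certificate A")
    try:
        guarded_sign(backup, counter, b"certificate B")
    except RuntimeError:
        return "refused"
    return "signed"
```

The guard only helps if the counter really lives outside whatever is backed up and restored; if it is restored along with the key state, the rollback goes undetected.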