IETF Logo Mail Archive

Re: [lamps] Composite Keys: Explicit vs Generic Algorithm Combinations

Mike Ounsworth <Mike.Ounsworth@entrust.com> Wed, 07 December 2022 15:53 UTC

Return-Path: <Mike.Ounsworth@entrust.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38381C14F747; Wed, 7 Dec 2022 07:53:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.596
X-Spam-Level:
X-Spam-Status: No, score=-1.596 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, URI_NOVOWEL=0.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=entrust.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CnzJk6VbmkTJ; Wed, 7 Dec 2022 07:53:42 -0800 (PST)
Received: from mx07-0015a003.pphosted.com (mx07-0015a003.pphosted.com [185.132.183.227]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BEDB0C14F74E; Wed, 7 Dec 2022 07:53:41 -0800 (PST)
Received: from pps.filterd (m0242864.ppops.net [127.0.0.1]) by mx08-0015a003.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 2B7EZQ2R004920; Wed, 7 Dec 2022 09:53:39 -0600
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=entrust.com; h=from : to : subject : date : message-id : references : in-reply-to : content-type : content-transfer-encoding : mime-version; s=mail1; bh=H5sgA+PpWm8hZ136GP1kPCv66MUan7D7czm7mjR/pLE=; b=d/Q2ZSlyoD+roEfJk6WWwTm7XAg4IWcTADZ5TOX6jcgCmY2F1hbc6wDCD8BIXvc8lDeS Lax1dvBP3oAPyF+ceTZ+kcV03xrJ2ZeGBBMXkLsWdQB+1CChbnWRmKK4uPZkRkNMUiBf VQKcq4mZwq8qAvJfGEVGLa+Ed+I8cbucTu6k5rkdb7EbzPGMYsEiStvIphZZeeCiAZvG FjvpfIjkzPhgeKGMgvOuFuHuptaqpPla6vC5/cDh0W8J89dTq4E7FUQ7wyQKg6mwzZ4w h3kBqCYxrDaefFr5zpa3yK1JW0VjdA9dA6UWSpfFY7rUYCThm8FsJt66FG6upk9SR8bL wA==
Received: from nam11-co1-obe.outbound.protection.outlook.com (mail-co1nam11lp2170.outbound.protection.outlook.com [104.47.56.170]) by mx08-0015a003.pphosted.com (PPS) with ESMTPS id 3m8417fk4r-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 07 Dec 2022 09:53:39 -0600
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=n9FMpcJF9Vam9bixLEOakLP3OVxSxEzBRzVdtp2I48eGP2luG8tUE/YOo0bObzXuOIBkTy8/1uiqOtUqeN1gCgKRnTUr47rDoTWZljVdrcgUgs4LyP1RcHf1fqZynAw2wWsx5Owox1mPentzB3f7oyAWl4rZy6bos53SszQ+iqylsPU7KN/WS/FQEuWJ0Ox3I+DmQhDBzr9hSNtX6ZYWqp6oopx5BmBLB79G1xEQtoCvGvf3v9++uJ5Kn1Q2ULMomMtWkQxAuuExnmUkqMkopRQjRDp2gDtLBedkEy2J5R/EMdDuVKuPeuN7d0WJqQzqOUbRNPhZwhQjamKImuKNWQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=H5sgA+PpWm8hZ136GP1kPCv66MUan7D7czm7mjR/pLE=; b=oRiQq7kXL3gh338RffikrQiq9iyIbAls0jCHUTw2JBv6x8STZTEAmfuvYqSVkWNAlftXc8NeA8vW8BEGGr5lUq2ZTOTj/3Zc+tgtEv0X53d1SxHWLU5y1NYjb06zGrK9iHIsFe5pvBykdlYfEDwT0V7qdKy6lkoIXYCLhAbucNcm2DMRb8P+hKFlnDdfE2+Cy6CVPEHJCQMufZ0pm5RfxlaqCU1Ctt69tm4ZX2VvDmHoQ59IBais8RZ10F2WxXVJEb7NuWND43LV6202oWY3XhJc5mvIu4M0IiO7YOYdy8nBZqv/klUVpuobvABH0KQfmJGs4NGIKdRXuDpQERfoUA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=entrust.com; dmarc=pass action=none header.from=entrust.com; dkim=pass header.d=entrust.com; arc=none
Received: from CH0PR11MB5739.namprd11.prod.outlook.com (2603:10b6:610:100::20) by SN7PR11MB7539.namprd11.prod.outlook.com (2603:10b6:806:343::6) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5880.14; Wed, 7 Dec 2022 15:53:34 +0000
Received: from CH0PR11MB5739.namprd11.prod.outlook.com ([fe80::a95:6d:ab71:f8e1]) by CH0PR11MB5739.namprd11.prod.outlook.com ([fe80::a95:6d:ab71:f8e1%9]) with mapi id 15.20.5880.014; Wed, 7 Dec 2022 15:53:34 +0000
From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
To: Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>, "Klaußner, Jan" <Jan.Klaussner@d-trust.net>, "spasm@ietf.org" <spasm@ietf.org>
Thread-Topic: Composite Keys: Explicit vs Generic Algorithm Combinations
Thread-Index: AdkKTZ1S+d0ma3HzSlKs2WdSVxitLwABShiAAAARyEA=
Date: Wed, 07 Dec 2022 15:53:33 +0000
Message-ID: <CH0PR11MB5739F06F297D417CF4ECFF8E9F1A9@CH0PR11MB5739.namprd11.prod.outlook.com>
References: <079e8c2adeaf4bc49fde0de318cba758@d-trust.net> <CH0PR11MB57395CC8296DD24963C16BC39F1A9@CH0PR11MB5739.namprd11.prod.outlook.com>
In-Reply-To: <CH0PR11MB57395CC8296DD24963C16BC39F1A9@CH0PR11MB5739.namprd11.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: CH0PR11MB5739:EE_|SN7PR11MB7539:EE_
x-ms-office365-filtering-correlation-id: 915e0013-909a-4d75-4859-08dad86b3218
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: IwSh0QfMNT9MFI45g45+Pfo8Td9jvtjw+++sw6bxu8EDoqLJFH0oFEcN1W5reEmnRUOlOC/3TKP8eZf2BVlXN6hXOQGzgH8coBtieQ/IOS9x4LiGEct5hN3fpWtBU3KnrotQol9gaqNnVggQZvOID+uLjS4SqOBahsEtY/z+Q0CIM1PxGcy4UzTwwRhFpTVqDh+4OlwNIwE1Mzv1IKEjD2r8Kqz7JOVjRlJVgmh8aupercErGPYI/p2wwbbOm7qdC84WSNTW9t/NJ/u/+VlmPbJ9F7buhWEvnrc78cdEU2zW4dAY+nZ4gsgREuo+3Ynp/q8x5o3DaGXm+W7PwJ1Kg7qHpVwIwCmhOHfDBCxl0xu2XtXurvQrFDxJThj1wFTy5d51BbQ/U9A2rgitF+i81fEc3Qw64+62am/+TpKAEghjne0Zt7qfmTStgXHIr0QdElZQEVVVTpOvKf1m2U87Q/DCxvx14JbhFVx/Usv4Q5vv5gjJ03e+WIzSOHCOOai5UifLAqY4aFNC4Eix9QmTS0wc0Rld8i/hPnUa4GNnbiHRAKMhl/kmR1s5O14Tgd1yEOWnKxoyFsj/jqqdiaPkCYI25zIVh1qDs41qdi/HRoVrhTgo9sUA4U3gSCWpSdaf37N18Hs3ppr9xI/p95vI097+cJgBPwt8nY05eJfJdoUwDoXHf4Bq9RLQTcqPC3pXGLuPQ29KTkdpDg63SXBjr5kzp+OEj8z+jq22Gc5VVEc4JQcSMR0rJUj6v7FZyIyW
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CH0PR11MB5739.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230022)(366004)(376002)(39860400002)(346002)(396003)(136003)(451199015)(66899015)(55016003)(66446008)(64756008)(122000001)(66556008)(66946007)(66476007)(33656002)(8676002)(38100700002)(478600001)(966005)(86362001)(2906002)(71200400001)(26005)(2940100002)(110136005)(186003)(38070700005)(83380400001)(6506007)(7696005)(76116006)(53546011)(9686003)(8936002)(5660300002)(66574015)(52536014)(41300700001)(316002)(41533002); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: 7ev/SYvDLG6WBcDLYMSGrAzlpW1mV5NsObrDZKI/7IcvK87HQ+Z3XmB5rQZGklyuB9fYsxnDHNVNZ1WodIb0Ec4jZ6KnWlRUJxPnhMNqIJjhDAQI92jo45u8eh+GFhpRJUKAozpdi66APONn/VW5WFGB5mQ5IZhu5y04hUpE0mGuzx6h9L2vZ+ENLZ218dH/2VX2S+L83ruLg+wOBefbDRhG1TcGBC59PS1cghyPM2zbC/ovn43NHside9VEWFkNWwgVYNBv1QMm/7Py40/vPMN/yyChjAgwAuYrTLmH1OhFBsx+LW1y82PcKzUSiuGbEpshq32xQ9mFfek3GIVKxcRNpufowuVFf3UiFaqZUyPA/gNbaS/4KNGDhXBqKy9TDNLsHIz7/ArCyL57hVzYHbFausvtszMQGksDNtjyjiBYMWwG8f1mC486167fJlDD18eTBYDVLZaD2WFWpIx53kQBOHP07N59rRBa6rWK1pmTmAnxolD0OM/fxvOXk7CJHVIY+p74/nEsi7LmvzcbKTN8HBtUTMOZlsLu7VmmJEJIQSJZ8qTs+NNV9NLx+CDeAm8cj+pkutuXFMt5JsXtEXcEzhZ8opuBwMmoYnOcdGtLa7NjRsUtMpGL2xStUYjMz40Ao7CIptJG5UqeVwil7H0efNTE8AKkDJvrK6PKpEL0doV8lkBazhkMLmaFOLlCbm2225NIaqmNZm+CtbpqH9LZZTwDgyz4gxbeirg5y3hX/slsQtPSerdlr4yE9nBj1BkHhnMp+9qfGvOejUCbCvJOCXI+FC/AttBDMVq/VKkMvqQ8Hgrvvd339cfnA1NiGRIfi8zqvl2Vj8ApvZvaQ6xLdbAgT3xeNIAVShNuDaXctBbRrrXJOagSA/EpLy+yowUWpTf3BVA6rDEbkAhJBv1iyWDsuHKrjB+MW9YAGvdS9D5lcideZuXWHVnUQRkYDEQ5C3nQ6iiYkbxsqmBcu2ohNkty1a2INQ3JcTyQ9m8cQkhNYDjVSwIh3+IkwgoPbHZU1R/9q2HGEQxWqPwhiNS4ePJsrLDMLEW1E11iTYy86RlElZ1QerxUQh5dyKhsomzVR+Z4SHPZN5ISxcGGWV1W1hw/CuwzK0ZB1zs4F7Y7KImKr08QMLJywyuNHbaF8x1Ucx4JEKS2kq1TYd2tMukJxSIciqUrAta1vPEidB0wz0/TyFH0X7CmGvaRivdAb/ONZM3gebO7HLknM8KePlOZOi8mNmIBLPekbXKiv45n68qebzfYDEeAkHCDkqRTbGI0ARUX73FsmxpKJ7UFB5TGgfxJ9VkOmIGAB7OAzFp1M15tlZm1wMqdGL1uyxhkeBURv7GjJfOc4q3RyE8ZVMxTLEY0XSZlwuxbRGm9AwoW2UMxIkNPfiaOE81os8ZyJgJuWo2h3X39Ydz5mheVy4WSpQjnL9Jby5BvBSabRuG1iElue263i1tjnxqGOs94AyYRj2Yo72/z5zUjF9Ui8pE+QCllxgiPb5+MpCPSBpGfXu6YdLXLlw+xsVJ84z9tyRq+/VN9wwNvYfgjRchK0iXcEA/Zh+G1OyuG+1QUcskjCfdHc+erJM3h+AEyJQli
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: entrust.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CH0PR11MB5739.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 915e0013-909a-4d75-4859-08dad86b3218
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Dec 2022 15:53:33.9742 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f46cf439-27ef-4acf-a800-15072bb7ddc1
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: +N6IxzRF7GAgKGWln0A+cPzTLEJXX2tJrr+bhO8saCviAYw51i8tJIaVZ5C58oyN4T6OQZtOmu/qN0PASV3RdFhQGhxBs4Ug+up3HDqDqUU=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN7PR11MB7539
X-Proofpoint-ORIG-GUID: q1tHj2osOfyerrHtieu037kPr5HHeDJP
X-Proofpoint-GUID: q1tHj2osOfyerrHtieu037kPr5HHeDJP
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.923,Hydra:6.0.545,FMLib:17.11.122.1 definitions=2022-12-07_08,2022-12-07_01,2022-06-22_01
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 impostorscore=0 mlxlogscore=999 priorityscore=1501 mlxscore=0 spamscore=0 lowpriorityscore=0 adultscore=0 clxscore=1015 phishscore=0 bulkscore=0 suspectscore=0 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2210170000 definitions=main-2212070137
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/ZVZ40tPQg1wNACrXEggeYl5nLDw>
Subject: Re: [lamps] Composite Keys: Explicit vs Generic Algorithm Combinations
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Dec 2022 15:53:46 -0000

Oops, I didn't realize this was on-list. I'll add some more context.

I agree with Jan's Pros / Cons list, and from LAMPS 115 it seems like we have supporters of both Explicit and Generic. I feel like this debate will not have a satisfying conclusion because of the diverse set of uses of X.509.

We are preparing new versions of the composite drafts, and we are leaving Generic in as an optional-to-implement algorithm type. Unless there are strong objections to that, then I think we'll just leave it there.

---
Mike Ounsworth

-----Original Message-----
From: Spasm <spasm-bounces@ietf.org> On Behalf Of Mike Ounsworth
Sent: December 7, 2022 9:45 AM
To: Klaußner, Jan <Jan.Klaussner@d-trust.net>; spasm@ietf.org
Subject: [EXTERNAL] Re: [lamps] Composite Keys: Explicit vs Generic Algorithm Combinations

WARNING: This email originated outside of Entrust.
DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.

______________________________________________________________________
Hi Jan,

I that list looks good to me!

---
Mike Ounsworth

-----Original Message-----
From: Spasm <spasm-bounces@ietf.org> On Behalf Of Klaußner, Jan
Sent: December 7, 2022 9:07 AM
To: spasm@ietf.org
Subject: [EXTERNAL] [lamps] Composite Keys: Explicit vs Generic Algorithm Combinations

WARNING: This email originated outside of Entrust.
DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.

______________________________________________________________________
Dear all,

In the last meeting we agreed to carry the discussion about explicit vs generic definitions to the mailing list. I collected some of the Pro and Cons here for a start:

1) Explicit definition

Pro:
a) easy checking for algorithm support (for any possible combination only one OID must fit) b limited implementation choices
c) if the developer knows the effect of a combination, he only needs one OID for that combination - allows a simpler usage by application developers
d) PGP WG does it the same

Contra:
a) chosen algorithm combinations may not cover all use cases
b) new OID for each new combination -> limited agility, standardizing OIDs takes time, must be synchronized with new algorithm OIDs
c) explosion of combinations may lead to increased implementation efforts


2) Generic definition

Pro:
a) simple definition and implementation
b) one mechanism fits all use cases, e.g. also smartcards, VPN etc, so we do not need to foresee all use cases
c) better agility - switching component algorithms in combinations only requires the support of  the new algorithm in crypto-lib

Contra:
a) algorithm support check is harder (needs at least parsing of all component
keys/signatures)
b) Developers also need to know the component algorithms here (key size,
performance)


For myself I have a strong focus on cryptographic agility and am voting for the generic approach.

Looking forward to an interesting discussion

Jan Klaußner
Senior Product Architect
GF, GFL
------------------------------------------------------------------
D-Trust GmbH
Kommandantenstr. 15
10969 Berlin, Germany

M + 49 (0) 151 5600 1986
Jan.Klaussner@d-trust.net
Jan.Klaussner@bdr.de
https://urldefense.com/v3/__http://www.d-trust.net__;!!FJ-Y8qCqXTj2!YTUXWuF5Hdho4E4q4DyGGN7sVIt6JsqGcsNDti3cweeM_yYZMF9twyiBysv1jtT8BLbZAk0ql63dQxSGMSVpm0IH4MXLUGNWU_KGg4974A$ 

Part of the Bundesdruckerei Group

Head Office: Berlin
Commercial Register: AG Berlin-Charlottenburg. HRB 74346, VAT ID: DE
202620438
Board of Management: Dr. Kim Nguyen, Dr. Martin Riegel

The companies of the Bundesdruckerei Group are committed to protecting your personal data and they adhere strictly to the relevant rules of the General Data Protection Regulation and the Federal Data Protection Act. We are therefore informing you that personal data will be collected and may be stored as part of our electronic communications. This data processing is carried out exclusively for business purposes. You have the right to request information regarding your personal data stored by us. If you wish to do so, please contact: datenschutz@d-trust.net. More information about your rights and the contact details of our data protection officer can be found at:
https://urldefense.com/v3/__https://www.d-trust.net/privacy-policy.html__;!!FJ-Y8qCqXTj2!YTUXWuF5Hdho4E4q4DyGGN7sVIt6JsqGcsNDti3cweeM_yYZMF9twyiBysv1jtT8BLbZAk0ql63dQxSGMSVpm0IH4MXLUGNWU_LX7Z6c7Q$  .

This message is intended only for the use of the individual or entity to which it is addressed, and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, or the employee or agent responsible for delivering the message to the intended recipient, we hereby give notice that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this message in error, please delete the message and notify us immediately.


Any email and files/attachments transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.

_______________________________________________
Spasm mailing list
Spasm@ietf.org
https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/spasm__;!!FJ-Y8qCqXTj2!YTUXWuF5Hdho4E4q4DyGGN7sVIt6JsqGcsNDti3cweeM_yYZMF9twyiBysv1jtT8BLbZAk0ql63dQxSGMSVpm0IH4MXLUGNWU_JUGv6gkQ$

v2.31.3 | Report a Bug | By Email | System Status