IETF Logo Mail Archive

Re: [lamps] [EXTERNAL] SLH-DSA in CMS/X.509

"Kousidis, Stavros" <stavros.kousidis@bsi.bund.de> Fri, 16 February 2024 06:48 UTC

Return-Path: <stavros.kousidis@bsi.bund.de>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB351C151083; Thu, 15 Feb 2024 22:48:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.001
X-Spam-Level:
X-Spam-Status: No, score=-7.001 tagged_above=-999 required=5 tests=[AC_DIV_BONANZA=0.001, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=bsi.bund.de header.b="R6/3RIrN"; dkim=pass (2048-bit key) header.d=bsi.bund.de header.b="wZgKjuB6"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id phbQ1KvD603F; Thu, 15 Feb 2024 22:48:15 -0800 (PST)
Received: from m2-bn.bund.de (m2-bn.bund.de [77.87.228.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 02848C14F5E6; Thu, 15 Feb 2024 22:48:14 -0800 (PST)
Received: from m2-bn.bund.de (localhost [127.0.0.1]) by m2-bn.bund.de (Postfix) with ESMTP id A80CD7296D6; Fri, 16 Feb 2024 07:48:11 +0100 (CET)
Received: (from localhost) by m2-bn.bund.de (MSCAN) id 4/m2-bn.bund.de/smtp-gw/mscan; Fri Feb 16 07:48:11 2024
X-NdB-Source: NdB
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=bsi.bund.de; s=211014-e768-ed25519; t=1708066082; bh=mUJTfClC8uw5TSbdfPmXoRUw9zdz5D1wiK69wD+8+SM=; h=From:To:CC:Subject:Date:References:In-Reply-To:Content-Type: MIME-Version:Autocrypt:Cc:Content-Transfer-Encoding:Content-Type: Date:From:In-Reply-To:Mime-Version:Openpgp:References:Reply-To: Resent-To:Sender:Subject:To; b=R6/3RIrNM7VYzFG1NgDMwAj+qKl9VN95+Z2x7ngQliKHB/85kNdfiDu/ieq3ZdErQ nXm2+3F2yrywCU6c9JQCg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=bsi.bund.de; s=211014-e768-rsa; t=1708066082; bh=mUJTfClC8uw5TSbdfPmXoRUw9zdz5D1wiK69wD+8+SM=; h=From:To:CC:Subject:Date:References:In-Reply-To:Content-Type: MIME-Version:Autocrypt:Cc:Content-Transfer-Encoding:Content-Type: Date:From:In-Reply-To:Mime-Version:Openpgp:References:Reply-To: Resent-To:Sender:Subject:To; b=wZgKjuB625y0I8Tb1b0b22ziKXXvyvsziMZTLend/z2Lr7u2WePpG8zoJBeKW9tz/ YfF8cpK0YR02aw4naZzF/RzasoMpg6jk8hyOkHsBbpPX6G334Q0tomeDB9nLmSPy75 chusWuv8B3/sK1w5K0VoIj1lQ4IiDFJr2juRf+y204hHj8LbaneZ0UOkX+JFLvMJ3I tjrZ+t9utKs40E6VTLE3j9zix76wgJxOn0AAylGWdAY+li3xBa2vgcGuS8Asr4eMRz Hh/J1WWQmWV+dHWYpgRLoUPhHlhXYPf+qc7Kd4hKmzV6vDl53bmy7Of6AW1d3v13Rq aExZtBjOEK7ew==
X-P350-Id: 2e78291249b0ee6a
X-Virus-Scanned: amavisd-new at bsi.bund.de
From: "Kousidis, Stavros" <stavros.kousidis@bsi.bund.de>
To: Ira McDonald <blueroofmusic@gmail.com>, Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>, Daniel Van Geest <daniel.vangeest.ietf@gmail.com>
CC: "Kampanakis, Panos" <kpanos@amazon.com>, "draft-ietf-lamps-dilithium-certificates@ietf.org" <draft-ietf-lamps-dilithium-certificates@ietf.org>, LAMPS <spasm@ietf.org>
Thread-Topic: [lamps] [EXTERNAL] SLH-DSA in CMS/X.509
Thread-Index: AQHaYEndNqHN3gW/VEWbyTnt/HBe8rEMfZ+g
Date: Fri, 16 Feb 2024 06:47:46 +0000
Message-ID: <c31904e54df242ecba7bb212e4e140fa@bsi.bund.de>
References: <CH0PR11MB5739AF8408E1669FB9EF912A9F4F2@CH0PR11MB5739.namprd11.prod.outlook.com> <48348cdba84f4d93b9a1f67838f74201@amazon.com> <01a401da600c$3941d260$abc57720$@gmail.com> <CH0PR11MB573971D394628EEE4AC60E599F4D2@CH0PR11MB5739.namprd11.prod.outlook.com> <CAN40gSvUJz7AkQN83bXcpMSP3xsDjWQkkJS57pNyfOPoqvfeyQ@mail.gmail.com>
In-Reply-To: <CAN40gSvUJz7AkQN83bXcpMSP3xsDjWQkkJS57pNyfOPoqvfeyQ@mail.gmail.com>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-esetresult: clean, is OK
x-esetid: 37303A29B8016555607664
Content-Type: multipart/alternative; boundary="_000_c31904e54df242ecba7bb212e4e140fabsibundde_"
MIME-Version: 1.0
X-Rusd: domwl, Pass through domain bsi.bund.de
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/_BEKgQK7Ao7ddOPdnFEsvYk7SCo>
Subject: Re: [lamps] [EXTERNAL] SLH-DSA in CMS/X.509
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: This is the mail list for the LAMPS Working Group <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Feb 2024 06:48:21 -0000

Hi,

Kaveh, Stefan and I are actually in the process of splitting draft-gazdag-x509-hash-sigs in two, exactly as is being discussed here, i.e.

X.509: Algorithm Identifiers for HSS and XMSS (and XMSS^MT)
X.509: Algorithm Identifiers for SLH-DSA

I’ve updated and pushed draft-gazdag-x509-hash-sigs yesterday for one last time in order to fix a bug in the ASN.1 module noticed by Russ and then started the split.

If you go to the github org https://github.com/x509-hbs you will see three repos now


-          draft-gazdag-x509-hash-sigs (the current non-splitted version, we might keep it for historic reasons)

-          draft-x509-shbs (intended for HSS and XMSS, we focus our work on that currently)

-          draft-x509-slhdsa (intended for SLH-DSA, still identical to draft-gazdag-x509-hash-sigs, our next work item)

The split is not super-complex but we need some time doing and reviewing it carefully. For draft-x509-slhdsa we will try to keep the text aligned to draft-ietf-lamps-dilithium-certificates and use the encodings given in draft-ietf-lamps-cms-sphincs-plus.

We will announce the two new drafts on the mailing list once it is done (probably in the next few days/by the end of next week).

Best
Stavros



Von: Ira McDonald <blueroofmusic@gmail.com>
Gesendet: Donnerstag, 15. Februar 2024 19:13
An: Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>; Ira McDonald <blueroofmusic@gmail.com>
Cc: Daniel Van Geest <daniel.vangeest.ietf@gmail.com>; Kampanakis, Panos <kpanos@amazon.com>; draft-ietf-lamps-dilithium-certificates@ietf.org; LAMPS <spasm@ietf.org>
Betreff: Re: [lamps] [EXTERNAL] SLH-DSA in CMS/X.509

Hi,

I agree with Daniel and Mike that we should sort this out for SLH-DSA.  And I would prefer splitting
draft-gazdag-x509-hash-sigs in Stateless and Stateful HBS drafts.  In automotive security there is
a near-term need for Stateless HBS and Stateful ones are simply non-starters (i.e., they don't scale
for performance to firmware for 150 Electronic Control Units (ECUs) per vehicle in 100 million cars).

Cheers,
- Ira



On Thu, Feb 15, 2024 at 12:21 PM Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org<mailto:40entrust.com@dmarc.ietf.org>> wrote:
I support that we need to sort this out.

I have no preference for how it is sorted out (any of the options outlined by Dan seem fine to me).

---
Mike Ounsworth

From: Daniel Van Geest <daniel.vangeest.ietf@gmail.com<mailto:daniel.vangeest.ietf@gmail.com>>
Sent: Thursday, February 15, 2024 6:41 AM
To: 'Kampanakis, Panos' <kpanos@amazon.com<mailto:kpanos@amazon.com>>; Mike Ounsworth <Mike.Ounsworth@entrust.com<mailto:Mike.Ounsworth@entrust.com>>; draft-ietf-lamps-dilithium-certificates@ietf.org<mailto:draft-ietf-lamps-dilithium-certificates@ietf.org>
Cc: 'LAMPS' <spasm@ietf.org<mailto:spasm@ietf.org>>
Subject: [EXTERNAL] SLH-DSA in CMS/X.509

Forking from “Can ML-DSA be used in CMS” because it’s the same problem with a different subject. The question of separate drafts also applies to SLH-DSA. One line in draft-ietf-lamps-cms-sphincs-plus shouldn’t be sufficient
Forking from “Can ML-DSA be used in CMS” because it’s the same problem with a different subject.

The question of separate drafts also applies to SLH-DSA. One line in draft-ietf-lamps-cms-sphincs-plus shouldn’t be sufficient to say to the IETF world “And now you can use SLH-DSA in X.509!”.

draft-gazdag-x509-hash-sigs would do that work.  At 118, Stefan kindly asked for adoption and there weren’t any objections in the queue. But I haven’t seen a call for adoption on the list. There was also no opinion on splitting the draft (SLH-DSA and XMSS/HSS).  Since draft-ietf-lamps-cms-sphincs-plus is adopted, we should have something adopted at the X.509 level, whether it’s draft-gazdag-x509-hash-sigs or a split draft for just SLH-DSA.

Question for the chairs: Was there sufficient interest for adoption of draft-gazdag-x509-hash-sigs at 118, and it was just missed?

Question for the WG: Should draft-gazdag-x509-hash-sigs be split into SLH-DSA and Stateful HBS drafts? My opinion: draft-ietf-lamps-cms-sphincs-plus shows demand for SLH-DSA in IETF protocols. A separate SLH-DSA in X.509 draft would progress faster because it’s not weighed down by the concerns around stateful algorithms. If somehow draft-ietf-lamps-cms-sphincs-plus can progress without an associated X.509 draft I guess that’s okay too. If they should be split, I can spin up the SLH-DSA draft. It’ll be a lot of copy-paste, so if you think I’ll be copying your text and can help with that, let me know.

Daniel



From: Spasm <spasm-bounces@ietf.org<mailto:spasm-bounces@ietf.org>> On Behalf Of Kampanakis, Panos
Sent: Wednesday, February 14, 2024 3:08 AM
To: Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org<mailto:Mike.Ounsworth=40entrust.com@dmarc.ietf.org>>; draft-ietf-lamps-dilithium-certificates@ietf.org<mailto:draft-ietf-lamps-dilithium-certificates@ietf.org>
Cc: 'LAMPS' <spasm@ietf.org<mailto:spasm@ietf.org>>
Subject: Re: [lamps] Can ML-DSA be used in CMS?

Hi Mike,

We could consider doing all ML-DSA in CMS and X.509 in one draft, but personally I would rather we kept them separate like we did with SHAKEs in CMS (rfc8702) and X.509 (rfc8692) or with EdDSA in CMS and X.509. They are more straightforward for implementers that way.

We could change that if there was WG consensus.

Note that draft-ietf-lamps-cms-sphincs-plus mentions about SLH-DSA in CMS

“When this AlgorithmIdentifier appears in the SubjectPublicKeyInfo field of an X.509 certificate […]”

So, it includes how the SLH-DSA OID can be used in X.509 cert public keys as well, but it does not mention how to use the signatures.


From: Spasm <spasm-bounces@ietf.org<mailto:spasm-bounces@ietf.org>> On Behalf Of Mike Ounsworth
Sent: Tuesday, February 13, 2024 8:37 AM
To: draft-ietf-lamps-dilithium-certificates@ietf.org<mailto:draft-ietf-lamps-dilithium-certificates@ietf.org>
Cc: 'LAMPS' <spasm@ietf.org<mailto:spasm@ietf.org>>
Subject: [EXTERNAL] [lamps] Can ML-DSA be used in CMS?


CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.


The answer obviously is Yes, but draft-ietf-lamps-dilithium-certificates does not actually say this.

I was reading a draft ICAO ePassport document yesterday that correctly points out that IETF has a draft for how to use ML-DSA into X.509 certificates, but no draft for how to use ML-DSA in CMS.

Authors of draft-ietf-lamps-dilithium-certificates, if you add a section “Signed-data Conventions” modelled after RFC8419, then I think that saves us from needing a whole second ML-DSA draft.

---
Mike Ounsworth
Software Security Architect, Entrust

_______________________________________________
Spasm mailing list
Spasm@ietf.org<mailto:Spasm@ietf.org>
https://www.ietf.org/mailman/listinfo/spasm

v2.23.0 | Report a Bug | By Email