Re: [lamps] Proposed recharter text

"Panos Kampanakis (pkampana)" <pkampana@cisco.com> Wed, 17 February 2021 04:01 UTC

From: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
To: Russ Housley <housley@vigilsec.com>, LAMPS <spasm@ietf.org>
Thread-Topic: [lamps] Proposed recharter text
Thread-Index: AQHW/+qA3mPsDtgkDUix/7Da0AMtLqpbwtgA
Date: Wed, 17 Feb 2021 04:01:05 +0000
Message-ID: <BN7PR11MB254762EDB050588E65B423B2C9869@BN7PR11MB2547.namprd11.prod.outlook.com>
References: <DM6PR11MB43808FA7D74229A5997965649FBA9@DM6PR11MB4380.namprd11.prod.outlook.com> <9D01B155-6BB8-4438-8FAA-149686B69B64@vigilsec.com>
In-Reply-To: <9D01B155-6BB8-4438-8FAA-149686B69B64@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/_ds9s3iK9C_cfLHKGW85zkBwrD4>

I don't think 5a should be added in the LAMPS charter at this time.
It is too early. And besides, draft-ietf-tls-semistatic-dh does the same
thing with classical (EC)DH keys in the leaf cert and it is being worked on in the
TLS WG.


-----Original Message-----
From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
Sent: Wednesday, February 10, 2021 3:22 PM
To: LAMPS <spasm@ietf.org>
Subject: [lamps] Proposed recharter text

I propose the attached recharter text.

Tasks 1-3 are unchanged from the current charter.

Task 4 is a slightly edited version of the text proposed by DKG after IETF
109.

Task 5 is the text that came out of the discussion that followed the virtual
interim at the end of last month.

Task 6 was raised in the discussion that followed the virtual interim at the
end of last month.  In my view, it is too early to work on advancement of
RFC 8550 and RFC 8551, but putting it in the charter now will allow us to
tackle them when they are well deployed.

Russ

= = = = = = = =

The PKIX and S/MIME Working Groups have been closed for some time. Some
updates have been proposed to the X.509 certificate documents produced by
the PKIX Working Group and the electronic mail security documents produced
by the S/MIME Working Group.

The LAMPS (Limited Additional Mechanisms for PKIX and SMIME) Working Group
is chartered to make updates where there is a known constituency interested
in real deployment and there is at least one sufficiently well specified
approach to the update so that the working group can sensibly evaluate
whether to adopt a proposal.

The LAMPS WG is now tackling these topics:

1. Specify the use of short-lived X.509 certificates for which no revocation
information is made available by the Certification Authority.
Short-lived certificates have a lifespan that is shorter than the time
needed to detect, report, and distribute revocation information.  As a
result, revoking short-lived certificates is unnecessary and pointless.

2. Update the specification for the cryptographic protection of email
headers -- both for signatures and encryption -- to improve the
implementation situation with respect to privacy, security, usability and
interoperability in cryptographically-protected electronic mail.
Most current implementations of cryptographically-protected electronic mail
protect only the body of the message, which leaves significant room for
attacks against otherwise-protected messages.

3. The Certificate Management Protocol (CMP) is specified in RFC 4210, and
it offers a vast range of certificate management options.  CMP is currently
being used in many different industrial environments, but it needs to be
tailored to the specific needs of such machine-to-machine scenarios and
communication among PKI management entities.  The LAMPS WG will develop a
"lightweight" profile of CMP to more efficiently support these
environments and better facilitate interoperable implementation, while
preserving cryptographic algorithm agility.  In addition, necessary updates
and clarifications to CMP will be specified in a separate document.  This
work will be coordinated with the LWIG WG.

4. Provide concrete guidance for implementers of email user agents to
promote interoperability of end-to-end cryptographic protection of email
messages.  This may include guidance about the generation, interpretation,
and handling of protected messages; management of the relevant certificates;
documentation of how to avoid common failure modes; strategies for
deployment in a mixed environment; as well as test vectors and examples that
can be used by implementers and interoperability testing.  The resulting
robust consensus among email user agent implementers is expected to provide
more usable and useful cryptographic security for email users.

5. Recent progress in the development of quantum computers poses a threat to
widely deployed public key algorithms.  As a result, there is a need to
prepare for a day when cryptosystems such as RSA, Diffie-Hellman, ECDSA,
ECDH, and EdDSA cannot be depended upon.  As a result, there are efforts to
develop standards for post-quantum cryptosystem (PQC) algorithms that
will be secure if large-scale quantum computers are ever developed.

a. Specify the use of PQC public key algorithms with the PKIX certificates
and the Cryptographic Message Syntax (CMS).

b. Develop specifications to facilitate a lengthy transition from today's
public key algorithms to PQC public key algorithms.  Unlike previous
algorithm transitions, time will be needed before there is full confidence
in the PQC public key algorithms.  Therefore, transition mechanisms that
combine traditional algorithms with PQC algorithms will be needed for
"hybrid key establishment" and "dual signatures".  NIST defines "hybrid key
establishment" as any key establishment scheme that is a combination of two
or more components that are themselves cryptographic key-establishment
schemes.  NIST defines "dual signatures" as any signature scheme that
consists of two or more signatures on a common message.  The specifications
developed will enable PKIX and S/MIME protocols to support hybrid key
establishment and dual signature mechanisms.

6. Progress RFC 5280, RFC 6960, RFC 8550, and RFC 8551 to Internet Standard
status.

In addition, the LAMPS WG may investigate other updates to documents
produced by the PKIX and S/MIME WGs. The LAMPS WG may produce clarifications
where needed, but the LAMPS WG shall not adopt anything beyond
clarifications without rechartering.
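A worked illustration of the "hybrid key establishment" notion quoted in task 5b (a key-establishment scheme built from two or more components that are themselves key-establishment schemes), added here as an example and not part of the proposed charter text, any LAMPS document, or the cited NIST definition. It runs two independent key-establishment components and feeds both shared secrets through one HKDF that also binds every public value exchanged, so the derived key is only recoverable by a party that knows both secrets. Everything in it is constructed: both components are toy Diffie-Hellman groups over small Mersenne primes (the second merely stands in for a post-quantum KEM, whose shared secret would be combined the same way), the label `hybrid-kex-v1` and the function names are assumptions, and nothing here is secure as written.

```python
"""Hybrid key establishment combiner (constructed example, stdlib only)."""
import hashlib
import hmac
import secrets

# Constructed toy DH groups (p, g): far too small to be secure.  A deployment
# would use a standard (EC)DH group for component A and a PQC KEM for
# component B; only the combiner logic below is the point.
GROUP_A = (2**61 - 1, 3)   # stand-in for the traditional component
GROUP_B = (2**89 - 1, 5)   # stand-in for the post-quantum component


def _fixed(n: int, p: int) -> bytes:
    """Fixed-width big-endian encoding of a group element (avoids ambiguity)."""
    return n.to_bytes((p.bit_length() + 7) // 8, "big")


def dh_keypair(group):
    p, g = group
    priv = secrets.randbelow(p - 2) + 1
    return priv, pow(g, priv, p)


def dh_shared(group, priv: int, peer_pub: int) -> bytes:
    p, _ = group
    return _fixed(pow(peer_pub, priv, p), p)


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF-Extract then HKDF-Expand with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hybrid_combine(ss_a: bytes, ss_b: bytes, transcript: bytes, length: int = 32) -> bytes:
    """Concatenation combiner: K = HKDF(ss_a || ss_b, info = label || transcript).

    The transcript (all public values) is mixed into the info field so that a
    modified public value on the wire yields a different key on each side.
    """
    return hkdf_sha256(ss_a + ss_b, bytes(32), b"hybrid-kex-v1" + transcript, length)


def run_hybrid_exchange() -> dict:
    """Both parties run both components, then derive one combined key."""
    a_priv_a, a_pub_a = dh_keypair(GROUP_A)   # Alice, component A
    a_priv_b, a_pub_b = dh_keypair(GROUP_B)   # Alice, component B
    b_priv_a, b_pub_a = dh_keypair(GROUP_A)   # Bob, component A
    b_priv_b, b_pub_b = dh_keypair(GROUP_B)   # Bob, component B
    transcript = (_fixed(a_pub_a, GROUP_A[0]) + _fixed(a_pub_b, GROUP_B[0])
                  + _fixed(b_pub_a, GROUP_A[0]) + _fixed(b_pub_b, GROUP_B[0]))
    alice_ss_a = dh_shared(GROUP_A, a_priv_a, b_pub_a)
    alice_ss_b = dh_shared(GROUP_B, a_priv_b, b_pub_b)
    bob_ss_a = dh_shared(GROUP_A, b_priv_a, a_pub_a)
    bob_ss_b = dh_shared(GROUP_B, b_priv_b, a_pub_b)
    return {
        "alice_key": hybrid_combine(alice_ss_a, alice_ss_b, transcript),
        "bob_key": hybrid_combine(bob_ss_a, bob_ss_b, transcript),
        "ss_a": alice_ss_a,
        "ss_b": alice_ss_b,
        "transcript": transcript,
    }


if __name__ == "__main__":
    result = run_hybrid_exchange()
    print("keys agree:", result["alice_key"] == result["bob_key"])
    print("combined key:", result["alice_key"].hex())
```

The design choice worth noting is that the combiner never exposes either component secret as a usable key on its own: an adversary who breaks only the traditional component (or only the PQC one) still lacks half of the HKDF input, which is the property the charter's transition mechanisms are meant to deliver.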
