Re: [lamps] FYI: New Version Notification for draft-housley-lamps-cms-sphincs-plus-00.txt

"Kampanakis, Panos" <kpanos@amazon.com> Mon, 22 August 2022 13:53 UTC

Return-Path: <prvs=226813174=kpanos@amazon.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F1567C1524B5 for <spasm@ietfa.amsl.com>; Mon, 22 Aug 2022 06:53:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -12.478
X-Spam-Level:
X-Spam-Status: No, score=-12.478 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.571, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazon.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V31uHggTfV_v for <spasm@ietfa.amsl.com>; Mon, 22 Aug 2022 06:53:37 -0700 (PDT)
Received: from smtp-fw-6001.amazon.com (smtp-fw-6001.amazon.com [52.95.48.154]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ECBF0C1524AA for <spasm@ietf.org>; Mon, 22 Aug 2022 06:53:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1661176417; x=1692712417; h=from:to:cc:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version:subject; bh=d0NmMC10npvO8yLOlinqaimySNWGyW54uqc/xtX/Uhg=; b=eP/1ovBzYmRJnpFR9PYL19aInbRw1misgJUoHd2ctXxQWXSNvlknktkl 0TrHA5vI9BpwzQiZ+FFRI3I/k5KRskfJ7L67E/OhJgY0akOB30qwnBS/H H8kRY2mn2RIdvGA1Gb97W0fUG4OwUG3bR5B4j9mMrJyUm87Mzgx5N9JMo k=;
Thread-Topic: [lamps] FYI: New Version Notification for draft-housley-lamps-cms-sphincs-plus-00.txt
Received: from iad12-co-svc-p1-lb1-vlan2.amazon.com (HELO email-inbound-relay-iad-1e-41c1ef8b.us-east-1.amazon.com) ([10.43.8.2]) by smtp-border-fw-6001.iad6.amazon.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 22 Aug 2022 13:53:24 +0000
Received: from EX13MTAUWB001.ant.amazon.com (iad12-ws-svc-p26-lb9-vlan3.iad.amazon.com [10.40.163.38]) by email-inbound-relay-iad-1e-41c1ef8b.us-east-1.amazon.com (Postfix) with ESMTPS id C8A78161BBF; Mon, 22 Aug 2022 13:53:22 +0000 (UTC)
Received: from EX19D001ANA003.ant.amazon.com (10.37.240.188) by EX13MTAUWB001.ant.amazon.com (10.43.161.207) with Microsoft SMTP Server (TLS) id 15.0.1497.38; Mon, 22 Aug 2022 13:53:21 +0000
Received: from EX19D001ANA001.ant.amazon.com (10.37.240.156) by EX19D001ANA003.ant.amazon.com (10.37.240.188) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) id 15.2.1118.12; Mon, 22 Aug 2022 13:53:21 +0000
Received: from EX19D001ANA001.ant.amazon.com ([fe80::6054:a5f0:5f79:c120]) by EX19D001ANA001.ant.amazon.com ([fe80::6054:a5f0:5f79:c120%5]) with mapi id 15.02.1118.012; Mon, 22 Aug 2022 13:53:21 +0000
From: "Kampanakis, Panos" <kpanos@amazon.com>
To: Russ Housley <housley@vigilsec.com>, Mike Ounsworth <Mike.Ounsworth@entrust.com>
CC: LAMPS <spasm@ietf.org>
Thread-Index: AQHYtBOwgxmAZ10t7kamjzF8+e25jq25o44AgAFPZ8A=
Date: Mon, 22 Aug 2022 13:53:20 +0000
Message-ID: <a745cef901e045998c745b4f53d48902@amazon.com>
References: <166093755880.14050.354126874269583313@ietfa.amsl.com> <5B780BF2-A5AE-4B6E-AC19-E8BBDB60EB5C@vigilsec.com> <CH0PR11MB5739956DEAB4C7E4FB14A25B9F6C9@CH0PR11MB5739.namprd11.prod.outlook.com> <A9650706-D684-4000-800F-F9B4DB852E9D@vigilsec.com>
In-Reply-To: <A9650706-D684-4000-800F-F9B4DB852E9D@vigilsec.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.95.212.220]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/aPuYitVpgC7imxBmwM2awWJ3wTY>
Subject: Re: [lamps] FYI: New Version Notification for draft-housley-lamps-cms-sphincs-plus-00.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Aug 2022 13:53:41 -0000

Hi Mike, 

Addressing your "FIPS" comment #1. Indeed this is a typo or autocorrect somewhere. This should say FORS, not FIPS. Thx for catching it. 

-----Original Message-----
From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
Sent: Sunday, August 21, 2022 1:46 PM
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>
Cc: LAMPS <spasm@ietf.org>
Subject: RE: [EXTERNAL][lamps] [EXTERNAL] FYI: New Version Notification for draft-housley-lamps-cms-sphincs-plus-00.txt

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.



Mike:

We just tried to put out a placeholder.  As you know, we do not want to get too far ahead of NIST, but we do want to create a home for the specifications that build upon the yet-to-be-published NIST standards.  We made some guesses that will need to be adjusted.

We expect to use the NIST assigned OIDs.  Regarding you comment 5, the LAMPS charter does not allow us to assign temporary OISs (because they never really go away.

Together, these points are the reason for the first paragraph of the I-D:

   NOTICE: This document will be adjusted to match the SPHINCS+
   specification that is published by NIST.  Until that happens, just
   about everything in this document is likely to change.

That said, the authors will look at each of the comments to see which ones are reasonable to address now.

Regarding comment number 7, we have seen many people get confused about this part of signed-data.  That is the reason for the reminder in a algorithm-specific document.  It came up in the review of Section 5 of RFC 8708, and the same text is used again here.

Regarding comment 8: Oops, the review by me and my co-authors missed that one...

Regarding comment 9: There are many ways to handle that situation, and this specification needs to warn about it, but it should not pick among the potential ways to handle it.  That said, it might be good to say something about the consequences of exceeding that limit.

Russ


> On Aug 19, 2022, at 5:35 PM, Mike Ounsworth <Mike.Ounsworth@entrust.com> wrote:
>
> I support this document. Here is my review:
>
>
> 1.
> Section 2: " The corresponding FIPS public keys are the leaves in k binary trees." Is that a typo? What does the Federal Information Processing Standards have to do with these leaf nodes?
>
> 2.
> The "WOTS+" acronym should probably be expanded.
>
> 3.
> The paragraph starting "A SPHINCS+ signature consists of..." is likely rather confusing to someone not already an expert in this. Perhaps some ascii art depicting both the subtree relationships, as well as showing which nodes are involved in a given signature would be illustrative?
>
>
> 4.
> The intro paragraph of section 3 says "The AlgorithmIdentifier for an SPHINCS+ public key uses *the* id-alg-sphincs-plus object identifier" ... emphasis on "*THE* id-alg-sphincs-plus OID", implying there's a single one, but in the ASN.1 definitions you have:
>
>   IDENTIFIER id-alg-sphincs-plus-128
>   IDENTIFIER id-alg-sphincs-plus-192
>   IDENTIFIER id-alg-sphincs-plus-256
>
> I assume the opening paragraph should read "... uses one of the id-alg-sphincs-plus-* object identifiers"?
>
>
> 5.
> I see the asn.1 module has the above OIDs as TBDs; I assume they will eventually cross-reference NIST-assigned OIDs?
>
> Can I request you stick in temporary OIDs for now for interoperable prototyping?
>
>
> 6.
>
>  "The SPHINCS+ public key value is an OCTET STRING.  (Should we say something more here about the size?)"
>
> I vote "No", but you should include an appendix with a PEM-encoded pub key, priv key, and signature over the string "The quick brown fox jumps over... you know what" (nod to OQS [footnote1]) for each security level; size can be inferred from the sample data.
>
> 7.
> Section 4:
>
>  "   IF (signed attributes are absent)
>      THEN SPHINCS+_Sign(content)
>      ELSE message-digest attribute = Hash(content);
>           SPHINCS+_Sign(DER(SignedAttributes)) "
>
> Naïve question: is this business of what string you're actually signing not already covered by the CMS spec? Seems a bit odd to have protocol logic in an algorithm spec.
>
>
> 8.
> Section 5:
>
>  " Along with the private key, the implementation MUST keep track of which leaf nodes in the tree have been used.  Loss of integrity of this tracking data can cause a one-time key to be used more than once.  As a result, when a private key and the tracking data are stored on non-volatile media ..."
>
>
> Uhh, that seems copy/pasted from a stateful HBS draft, isn't the whole point of SPHICS+ that that not be the case?
>
>
> 9.
> Section 5:
>
>   "A SPHINCS+ tree MUST NOT be used for more than 2^64 signing operations."
>
> This sentence probably needs expanding; horizontally-scaled instances using copies of the same keys, or backup-and-restore scenarios are gonna make it super annoying to track how many signatures a given key has performed. Needing a centralized usage counter pretty much kills scalability; and requires disaster recovery sites to have unique keys from the primary site.
>
> Granted, 2^64 is _a lot_, and if you're building a system that's gonna have anywhere near that amount of throughput, then you probably have bigger scalability issues to solve first. Most people will never be anywhere close to 2^64 signatures and are safe to completely ignore this security consideration.
>
>
>
> [Footnote1]: 
> https://github.com/open-quantum-safe/oqs-provider/blob/b159e4fe659e2d9
> e57a30435f9d8f5ab11533597/test/oqs_test_signatures.c#L41
> ---
> Mike Ounsworth
>
> -----Original Message-----
> From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
> Sent: August 19, 2022 2:35 PM
> To: LAMPS <spasm@ietf.org>
> Subject: [EXTERNAL] [lamps] FYI: New Version Notification for 
> draft-housley-lamps-cms-sphincs-plus-00.txt
>
> WARNING: This email originated outside of Entrust.
> DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.
>
> ______________________________________________________________________
>
> A new version of I-D, draft-housley-lamps-cms-sphincs-plus-00.txt
> has been successfully submitted by Russ Housley and posted to the IETF repository.
>
> Name:           draft-housley-lamps-cms-sphincs-plus
> Revision:       00
> Title:          Use of the SPHINCS+ Signature Algorithm in the Cryptographic Message Syntax (CMS)
> Document date:  2022-08-19
> Group:          Individual Submission
> Pages:          11
> URL:            https://urldefense.com/v3/__https://www.ietf.org/archive/id/draft-housley-lamps-cms-sphincs-plus-00.txt__;!!FJ-Y8qCqXTj2!aqZazqUu1skhae2xlUOrC2SFN3zLh0XQHO3U7OGsZsUEV1iZg0cyf4KxvEn2lIeKq3F6Lf_4BrQg-pRPz3haAJ84GYsN$
> Status:         https://urldefense.com/v3/__https://datatracker.ietf.org/doc/draft-housley-lamps-cms-sphincs-plus/__;!!FJ-Y8qCqXTj2!aqZazqUu1skhae2xlUOrC2SFN3zLh0XQHO3U7OGsZsUEV1iZg0cyf4KxvEn2lIeKq3F6Lf_4BrQg-pRPz3haAAqcmAJ0$
> Html:           https://urldefense.com/v3/__https://www.ietf.org/archive/id/draft-housley-lamps-cms-sphincs-plus-00.html__;!!FJ-Y8qCqXTj2!aqZazqUu1skhae2xlUOrC2SFN3zLh0XQHO3U7OGsZsUEV1iZg0cyf4KxvEn2lIeKq3F6Lf_4BrQg-pRPz3haAGRbuc3g$
> Htmlized:       https://urldefense.com/v3/__https://datatracker.ietf.org/doc/html/draft-housley-lamps-cms-sphincs-plus__;!!FJ-Y8qCqXTj2!aqZazqUu1skhae2xlUOrC2SFN3zLh0XQHO3U7OGsZsUEV1iZg0cyf4KxvEn2lIeKq3F6Lf_4BrQg-pRPz3haAHRh0nHN$
>
>
> Abstract:
>  SPHINCS+ is a stateless hash-based signature scheme.  This document  
> specifies the conventions for using the SPHINCS+ stateless hash-based  
> signature algorithm with the Cryptographic Message Syntax (CMS).  In  
> addition, the algorithm identifier and public key syntax are  
> provided.
>
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/spas
> m__;!!FJ-Y8qCqXTj2!aqZazqUu1skhae2xlUOrC2SFN3zLh0XQHO3U7OGsZsUEV1iZg0c
> yf4KxvEn2lIeKq3F6Lf_4BrQg-pRPz3haACt-2oqH$
> Any email and files/attachments transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.

_______________________________________________
Spasm mailing list
Spasm@ietf.org
https://www.ietf.org/mailman/listinfo/spasm