IETF Logo Mail Archive

Re: [lamps] Proposed recharter text

Mike Ounsworth <Mike.Ounsworth@entrust.com> Thu, 18 February 2021 17:08 UTC

Return-Path: <Mike.Ounsworth@entrust.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C11583A147D for <spasm@ietfa.amsl.com>; Thu, 18 Feb 2021 09:08:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=entrust.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C4v6ChK7Mx1s for <spasm@ietfa.amsl.com>; Thu, 18 Feb 2021 09:08:31 -0800 (PST)
Received: from NAM12-DM6-obe.outbound.protection.outlook.com (mail-dm6nam12on2128.outbound.protection.outlook.com [40.107.243.128]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 88C533A1488 for <spasm@ietf.org>; Thu, 18 Feb 2021 09:08:31 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Z4XilPfkqIcRijiSUDDPjFFMGfoBMCgNXnbepyYQnNV2Co1XMgC00uWjcaELovJihw3qFSNlqfvwjQVVpEsJbzULk8/RIwM5yNfFiKXIGFKhWJjj+KsZSFcsrFPLBSBJZzOpLHgy8rHb3QRMYc8mKJ76jxblrb9ehg1ACmcALm1vhB6AHsLPHNRZSCNQDf1gfI4iLcFYhDf1c+GpxBT1nn9TS85f4BgNT4v27u/QXdFxGoQ5GK9yp1D8uNyF08n/0o/rWFzqibBJCp8/ovL5IFRQMN0FXzPQpxHSP5hCryHonnsTWOoJhVPErQeGmhyj/fxN9SI0APY3WR4F5etrkg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=VxroyzBZkv9ZLyCTSTA1Wa+ef8mVuKcGEaBjrBJhNOA=; b=csyUPsUFy8e1LQ8NA7HSuO/mZGR8NmkhmYUIJaBz2tpKgE9FeUZxiqhRpu6iKjWb8zZzQNAInnV3Ba2ciCTHYfT/WP1/ro81ds3DO7EcJOOc8sSqQ5HrVFJbaEQc/ACkJ8eNxm61Edzb4EfsrYtqCJtC1OCiAAaE3d4BtvBowy0XfbbRr197WmQqwhNknEbc57QC8PXzFuf1NAla1iutU7Z8Z/TWrs5Lo03+jg9krVbiWXvmBy1uGUeOWhrNJBVfk2KWc67kAMljC9BX7GGIj2mMJ4LfsaXUWTHUC51bqHqnFddDxcGu55FBwUbCQQXacihi/MEw+g1BHH41XN8IuA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=entrust.com; dmarc=pass action=none header.from=entrust.com; dkim=pass header.d=entrust.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=entrust.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=VxroyzBZkv9ZLyCTSTA1Wa+ef8mVuKcGEaBjrBJhNOA=; b=JpcwHbb/L/ccdoL3v2lWK2iZfBHOZQwdjjQ8kKnX4XP/t1SxX/ozpJGTCh+nkjdK2yUbNp/e65qe6DHD6geNQMRIboU/vwCN5unbzAFSXGLfaRlAo4Bf2ld3Qam0S1McR/5Qdf6vVu8eVK7RF2R69T8fq2yf5JLAQ48YlKurE9TdUAtn1OHZCfQ5lGT8+Y0xGF5Fg5ixAngBH5McAZCX1sppx77MoD73joJHPn3GFdgOqB48TrV6qtnpbITS5X5OMjf0N7SrR2RSxjsHoEi0DZd9/sBBUvKmEQHEefd6AXceqrYD7IELOzg9HZaGOkjFu+kday9qgywWjgi6J4zt6w==
Received: from DM6PR11MB4380.namprd11.prod.outlook.com (2603:10b6:5:14e::20) by DM5PR1101MB2155.namprd11.prod.outlook.com (2603:10b6:4:5b::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3846.31; Thu, 18 Feb 2021 17:08:26 +0000
Received: from DM6PR11MB4380.namprd11.prod.outlook.com ([fe80::a500:2ae3:a6c4:bc13]) by DM6PR11MB4380.namprd11.prod.outlook.com ([fe80::a500:2ae3:a6c4:bc13%4]) with mapi id 15.20.3846.043; Thu, 18 Feb 2021 17:08:26 +0000
From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
To: "Panos Kampanakis (pkampana)" <pkampana=40cisco.com@dmarc.ietf.org>, Russ Housley <housley@vigilsec.com>
CC: LAMPS <spasm@ietf.org>
Thread-Topic: [lamps] Proposed recharter text
Thread-Index: AQHXBhcfQqwAT6u3TkKv6fJnzHO7BapeJIWw
Date: Thu, 18 Feb 2021 17:08:25 +0000
Message-ID: <DM6PR11MB438056FCFE2425D7281BC9989F859@DM6PR11MB4380.namprd11.prod.outlook.com>
References: <DM6PR11MB43808FA7D74229A5997965649FBA9@DM6PR11MB4380.namprd11.prod.outlook.com> <9D01B155-6BB8-4438-8FAA-149686B69B64@vigilsec.com> <BN7PR11MB254762EDB050588E65B423B2C9869@BN7PR11MB2547.namprd11.prod.outlook.com> <038A4AA3-96A5-4827-BEEB-12B58F49102B@vigilsec.com> <BN7PR11MB2547FC17A10948A912FEF6B8C9859@BN7PR11MB2547.namprd11.prod.outlook.com>
In-Reply-To: <BN7PR11MB2547FC17A10948A912FEF6B8C9859@BN7PR11MB2547.namprd11.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dmarc.ietf.org; dkim=none (message not signed) header.d=none; dmarc.ietf.org; dmarc=none action=none header.from=entrust.com;
x-originating-ip: [143.131.4.107]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 78526134-c395-4042-a255-08d8d42fce33
x-ms-traffictypediagnostic: DM5PR1101MB2155:
x-microsoft-antispam-prvs: <DM5PR1101MB215533E9F8FAFA47972071F89F859@DM5PR1101MB2155.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8882;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: un3/DMsQGwMXPh9OWEAtO9zTp3inH9fatJD/UtLm13FIzFO/DImRlRULQo9orBpf1NlDiJzd+khm1DEPMs1Rt8W036CYyIo2ju7xmA3oQ9g2Ngi/W/1Jy4cWqYlPyyoLYwKML0c6RA9UTF3dtccx7Err9aurwLVQwcilkrEdpv0KC+4+mc4mwUkHYupl/IT0nh/SndMFlndUo41yZoIlFp3nQYeAlG679Khpya0g8W90V9C0qhS25uDlMJkJeGfeU0UxWWXgsAzumwEBkqEgAtP02WP//DuEsgV33DiNLSB0UbPa+oDU4P6VtksXfR3AjNEnrWnMPhl0wIfKXdsU3Y3wlbS4Lo6c/zYYtbTFwCLqx5pwwd8LWk/89c3tTURTwBn2ApTLbeEjc7k8WIqkNdDOWELSo5cbjR3oNZYlATMvbc5uyDI6MR+oTR0EgpWIP/fr9dIdk5smhigFapZJPfGhR5KYgx0NyhbYOOZMp65KwTemJ93U6lx1V5Vk1rIqQQJh5lMfNWFoNfqz/KL2y9T/Fkna2TJT2Ghh0Bfcjwm1FeCa0kpHNkXgO0O1Gv/sjYCJlzO1M8/t2INaom301jznxMuAfnJuimzygn2LXcQ=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM6PR11MB4380.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(346002)(366004)(396003)(39860400002)(136003)(376002)(9686003)(66556008)(66446008)(66476007)(66946007)(64756008)(86362001)(8676002)(33656002)(55016002)(966005)(110136005)(76116006)(7696005)(5660300002)(83380400001)(71200400001)(53546011)(186003)(6506007)(26005)(66574015)(52536014)(478600001)(316002)(8936002)(2906002)(4326008); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: jCl+Jk+wtILTY0SHSCFt1iHuAhHKTSEmdoERMJYpULlbaCcK3tum4IYKXw0s06CN3RR+GRPEmvpDbh2DDtlTlhv55rLdiF4bqA1yTk75r2+AwCA4aWEGkU3GVFDNf22nOjRSJHj8mkQsv3nwA/HuBRDb6/Mvmp6gTeomhpAGdHZNXVDxlYKEzbPPr68VwNtqpYYWNJ9bhGA60zwqnyi5d/wlrWgp8l0kmhsQywvvRlWU3V8ZNX2GHAp4Zn+ptpKOMsmIjqti+ZBbxlYxAIhiWFCiyVCZ4HsauppYKDUs9HO/pLdY4w+RPuSc9Gv9RN+eS2Okw3WhpoCXQqLF4uToQc8X7n62I0FIRdS3/XY26UzRYXOKPqfpChn4h5bOrVYiWpokqVtg6RnroUT1ZKsSNTnyu0OmTt1FE3/YIYxoU5IftLw9UJPQitL0Lm/GZyI/UiAaXFh5Q4Bqh2Pmdx/Sszl+FDDDkWdKislmY90V1Dzbgj8+v5RrbaePILsgE5tn6JwrSct0XpJpdCC/XI9kWqx8cGelFUseNLVZOOH0BzbHAXxlvWGzKLwCCYSw4+bcOr+yrnHGTp9qsd3wzLCuV1H0JYY850gRZgG95va4xZ4fQLv0zJqk5IYyKLKptkz3BAUUDp/rpCY2qR+vRI/2tIkEaEadhYRM+D/8eCnJFmuevxDbnJgV0abLBEJNFoCYFUhi7VdA1YsuObSIaGYENFrcZeVg9A1S9U/HItS7D5RmYEbDBls3uuCi7XpPyWD7jCdQj8oO/FI+0Er0+UmOFYDABzmJto6xUskuqLEGuDujGq5MD1qwvTMgT0MutLvylHgG90fBS3XIC5b20BPl5sYBGbH6XuDbKUPRnmyfcVPuubA18qOzbZYNKX0CRN+lP9tit03bZx9TZtiMOcLR+GAEGxa8noO+o95Ml5URac0vDyialJFL+PCAdoLB8zqNY7HaDUUbQB6XdAzZ0F9sfPjyLMv8ONqmtD9i2WGxxVYvuLbAkM/0O5BnixN5e6LxqdGP3bgceKu51GACmgZ83RMgjgB3F1jR0K7Lq+FXpiEXnP4MtR9oPPE0K+uIkrGQ0Dx8fVrtXIMIB5BJqY8I5YdyL/v4AxlNqvlx4LFE1tzC/TDV9xQgfx7eMDRzs7E8eYRmUwaiHojU4xT2KOcOxrSfEaYhofmQkLIdYdAIYZZRNo5DgLM4Tr3UpVTVrMNTlX5irpUAXS3c/Rjp0jnCGCnm2NkC7g01C4g41Zv8wvzSCNxYjEdK4vekA2fb3OpRf0hanTow0LBPQCO1fSYAYwrhP1++E+01C/vewEjbuLXlXBOSmZvL9QIFQOxf5m67
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: entrust.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM6PR11MB4380.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 78526134-c395-4042-a255-08d8d42fce33
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Feb 2021 17:08:25.7439 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f46cf439-27ef-4acf-a800-15072bb7ddc1
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: SCuDad5Y2MSyAHhXDQ1k2pP1Q+hnTtZJIFJ9Oxunjpa5J50e6muLMOYtbAgCHg4w5WIp8TfNSNz+ZH6dLJxDoVX2hBohzXTFUsgIR3AeC2o=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR1101MB2155
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/SWWlJbxFYXC9ocFdqfRa9X_8ik0>
Subject: Re: [lamps] Proposed recharter text
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Feb 2021 17:08:34 -0000

Hey Panos,

I started another chain off this thread about KEMTLS. Since it doesn't even have an I-D yet, I agree that it's waaaay premature to start chartering LAMPS for it.

I read 5a as "Assign PKIX OIDs to the stuff that falls out of the NIST competition" and nothing more. Is that the correct interpretation Russ?

---
Mike Ounsworth

-----Original Message-----
From: Spasm <spasm-bounces@ietf.org> On Behalf Of Panos Kampanakis (pkampana)
Sent: February 18, 2021 10:55 AM
To: Russ Housley <housley@vigilsec.com>
Cc: LAMPS <spasm@ietf.org>
Subject: [EXTERNAL] Re: [lamps] Proposed recharter text

WARNING: This email originated outside of Entrust.
DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.

______________________________________________________________________
Sorry to be pedantic Russ. 

If 5a was trying to introduce KEMs for content encryption in CMS, then I am all for that.  My objection was for using KEMs for singing. I am not sure we will end up needing to use KEMs for PKIX or CMS signing yet. Especially for PKIX, I expect this to be discussed in the TLS WG. What I am trying to avoid here is embarking on a KEMTLS journey (which will be long if it happens) with the argument being that it is already included in the LAMPS charter. 




-----Original Message-----
From: Russ Housley <housley@vigilsec.com>
Sent: Wednesday, February 17, 2021 8:49 AM
To: Panos Kampanakis (pkampana) <pkampana@cisco.com>
Cc: LAMPS <spasm@ietf.org>
Subject: Re: [lamps] Proposed recharter text

Panos:

I agree that 5a ought to wait for the NIST completion to complete.  I'll add that to the text...

a. After the NIST Post-Quantum Cryptography (PQC) effort produces one or more quantum-resistant public-key cryptographic algorithm standards, the LAMPS WG will specify the use of PQC public key algorithms with the PKIX certificates and the Cryptographic Message Syntax (CMS).

Russ

> On Feb 16, 2021, at 11:01 PM, Panos Kampanakis (pkampana)
<pkampana=40cisco.com@dmarc.ietf.org> wrote:
> 
> I don't think 5a should be added in the LAMPS charter at this time. 
> It is too early. And besides, draft-ietf-tls-semistatic-dh does the 
> same thing with classical (EC)DH keys in the leaf cert and it is 
> worked in the TLS WG.
> 
> 
> -----Original Message-----
> From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
> Sent: Wednesday, February 10, 2021 3:22 PM
> To: LAMPS <spasm@ietf.org>
> Subject: [lamps] Proposed recharter text
> 
> I propose the attached recharter text.
> 
> Tasks 1-3 are unchanged from the current charter,
> 
> Task 4 is a slightly edited version of the text proposed by DKG after 
> IETF 109.
> 
> Task 5 is the text that came out of the discussion that followed the 
> virtual interim at the end of last month.
> 
> Task 6 was raised in the discussion that followed the virtual interim 
> at the end of last month.  In my view, it is too early to work on 
> advancement of RFC 8550 and RFC 8551, but putting it in the charter 
> now will allow us to tackle them when they are well deployed.
> 
> Russ
> 
> = = = = = = = =
> 
> The PKIX and S/MIME Working Groups have been closed for some time. 
> Some updates have been proposed to the X.509 certificate documents 
> produced by the PKIX Working Group and the electronic mail security 
> documents produced by the S/MIME Working Group.
> 
> The LAMPS (Limited Additional Mechanisms for PKIX and SMIME) Working 
> Group is chartered to make updates where there is a known constituency 
> interested in real deployment and there is at least one sufficiently 
> well specified approach to the update so that the working group can 
> sensibly evaluate whether to adopt a proposal.
> 
> The LAMPS WG is now tackling these topics:
> 
> 1. Specify the use of short-lived X.509 certificates for which no 
> revocation information is made available by the Certification Authority.
> Short-lived certificates have a lifespan that is shorter than the time 
> needed to detect, report, and distribute revocation information.  As a 
> result, revoking short-lived certificates is unnecessary and pointless.
> 
> 2. Update the specification for the cryptographic protection of email 
> headers -- both for signatures and encryption -- to improve the 
> implementation situation with respect to privacy, security, usability 
> and interoperability in cryptographically-protected electronic mail.
> Most current implementations of cryptographically-protected electronic 
> mail protect only the body of the message, which leaves significant 
> room for attacks against otherwise-protected messages.
> 
> 3. The Certificate Management Protocol (CMP) is specified in RFC 4210, 
> and it offers a vast range of certificate management options.  CMP is 
> currently being used in many different industrial environments, but it 
> needs to be tailored to the specific needs of such machine-to-machine 
> scenarios and communication among PKI management entities.  The LAMPS 
> WG will develop a "lightweight" profile of CMP to more efficiently 
> support of these environments and better facilitate interoperable 
> implementation, while preserving cryptographic algorithm agility.  In 
> addition, necessary updates and clarifications to CMP will be 
> specified in a separate document.  This work will be coordinated with 
> the
LWIG WG.
> 
> 4. Provide concrete guidance for implementers of email user agents to 
> promote interoperability of end-to-end cryptographic protection of 
> email messages.  This may include guidance about the generation, 
> interpretation, and handling of protected messages; management of the 
> relevant certificates; documentation of how to avoid common failure 
> modes; strategies for deployment in a mixed environment; as well as 
> test vectors and examples that can be used by implementers and 
> interoperability testing.  The resulting robust consensus among email 
> user agent implementers is expected to provide more usable and useful
cryptographic security for email users.
> 
> 5. Recent progress in the development of quantum computers pose a 
> threat to widely deployed public key algorithms.  As a result, there 
> is a need to prepare for a day when cryptosystems such as RSA, 
> Diffie-Hellman, ECDSA, ECDH, and EdDSA cannot be depended upon.  As a 
> result, there are efforts to develop standards for post-quantum 
> cryptosystem (PQC) algorithms that that will be secure if large-scale
quantum computers are ever developed.
> 
> a. Specify the use of PQC public key algorithms with the PKIX 
> certificates and the Cryptographic Message Syntax (CMS).
> 
> b. Develop specifications to facilitate a lengthy transition from 
> today's public key algorithms to PQC public key algorithms.  Unlike 
> previous algorithm transitions, time will be needed before there is 
> full confidence in the PQC public key algorithms.  Therefore, 
> transition mechanisms that combine traditional algorithms with PQC 
> algorithms will be needed for "hybrid key establishment" and "dual 
> signatures".  NIST defines "hybrid key establishment" as any key 
> establishment scheme that is a combination of two or more components 
> that are themselves cryptographic key-establishment schemes.  NIST 
> defines "dual signatures" as any signature scheme that consists of two 
> or more signatures on a common message.  The specifications developed 
> will enable PKIX and S/MIME protocols to support hybrid key 
> establishment
and dual signature mechanisms.
> 
> 6. Progress RFC 5280, RFC 6960, RFC 8550, and RFC 8551 to Internet 
> Standard status.
> 
> In addition, the LAMPS WG may investigate other updates to documents 
> produced by the PKIX and S/MIME WG. The LAMPS WG may produce 
> clarifications where needed, but the LAMPS WG shall not adopt anything 
> beyond clarifications without rechartering.
> 
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm

v2.23.0 | Report a Bug | By Email