IETF Logo Mail Archive

Re: [lamps] PQ-composite OR or K-of-N logic

Michael Richardson <mcr@sandelman.ca> Fri, 29 April 2022 15:50 UTC

Return-Path: <mcr@sandelman.ca>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A08D3C15ED68 for <spasm@ietfa.amsl.com>; Fri, 29 Apr 2022 08:50:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sandelman.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v5Gx5p0BzNWc for <spasm@ietfa.amsl.com>; Fri, 29 Apr 2022 08:50:19 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2DA2DC15ED5E for <spasm@ietf.org>; Fri, 29 Apr 2022 08:50:17 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 4EA1C39029; Fri, 29 Apr 2022 12:03:04 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id Qj94zDW5Lvkw; Fri, 29 Apr 2022 12:03:02 -0400 (EDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 80EF439017; Fri, 29 Apr 2022 12:03:02 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sandelman.ca; s=mail; t=1651248182; bh=ZA/xlY/v8WR1fI6+ASOHFclEFYapJ3B8yOPp71BFgZA=; h=From:To:Subject:In-Reply-To:References:Date:From; b=qssxbgGmzborLfHkQWW2TM3cJIjkdBsGHUNdOId8B6AAWyC+M2If8xeiJCN9oB7WY DDyodI+MctjC6hFdV7v0b8oKvxV1a4R113jUzCuUtjX3OII1Y44eWroB1jt6Ytrt4o pof7njC95BaceLi+zJE6Igp5lp89eHcI/01L9GM7dTlIKaLUtA5ih0jyooY+9LpQfN UD3ODXoxUf9HU2WafWwpOMx2J+6immPtKmMjt22me7tU2rFHfEAA3wxMUARpqlwB4+ FHnLcTwKQveMKB3LLYoQ9H4irLqrKoulVcaQMuFIZX7332/qst7Ac8jOhT4iWFoG+p Z74zIA5X2WU4g==
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id EAA3DE6; Fri, 29 Apr 2022 11:50:12 -0400 (EDT)
From: Michael Richardson <mcr@sandelman.ca>
To: "Kampanakis, Panos" <kpanos@amazon.com>, LAMPS <spasm@ietf.org>
In-Reply-To: <423419504256427b83c889f9b5c607b7@EX13D01ANC003.ant.amazon.com>
References: <f2fb2b2459fe42818348838eb14cc2ac@EX13D01ANC003.ant.amazon.com> <29E39FB1-D8E5-40E9-AFC0-5A8EBBB705DF@vigilsec.com> <DM6PR11MB38025338B4FA3AED0AA99E3196F79@DM6PR11MB3802.namprd11.prod.outlook.com> <1312783.1650733573@dooku> <423419504256427b83c889f9b5c607b7@EX13D01ANC003.ant.amazon.com>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 27.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Fri, 29 Apr 2022 11:50:12 -0400
Message-ID: <13620.1651247412@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/bGD68G219C4QSv8AII_QMbXn3tU>
Subject: Re: [lamps] PQ-composite OR or K-of-N logic
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Apr 2022 15:50:23 -0000

Kampanakis, Panos <kpanos@amazon.com> wrote:
    > Both OR or AND are not backwards compatible. The new OID (regardless of
    > OR or AND logic) will not be understood by verifiers that have not been
    > upgraded. Not to mention that verifiers that don't understand composite
    > will not want to see the extra data which could slow down their
    > communications.

You are completely correct!  Verifiers will not understand the new OID until
they get an upgrade.  I'm making the argument that if the new OID provides
some functionality outside of the PQC transition, then the cost of the
upgrade will be distributed wider.

I'm also arguing that it would be nice to find the bugs (and vulnerabilities)
that might come with the new code before we need the new mechanisms for PQC.
To do that, we need it to be in widespread use.

    > The only way to avoid a flag day is to negotiate; if the verifier
    > understands the composite signature give it to it, otherwise just give
    > the classical.

So for TLS and IKEv2 and maybe email (if we can ever automate certificate
discovery inband to SMTP), then we can negotiate.
For data at rest, particularly for *certificates* we can't negotiate.

Fortunately, for certificates, there are some options, one of which is to
have a parallel certificate path.
Not legacy vs PQ, but rather, legacy vs OR-algorithm.
As was said elsewhere on this thread, some other formats have slots for
multiple signatures, so we can perhaps win there, but those multiple slots
also is probably an implicit OR mechanism anyway.

I think that there are some entities that might be pleased to have two legacy
signatures from two public CAs, where the expiry dates were staggered.
(I realize that the notAfter is not part of the signature, itself, but part
of the signature.   The certificate one up is where the dates could be
staggered)

v2.23.0 | Report a Bug | By Email