[lamps] Key usages for composite keys
Tim Hollebeek <tim.hollebeek@digicert.com> Fri, 09 February 2024 16:03 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/cEGb1pa0TrGwa2MoOQsDK6b_lRo>
Hello,

This is a little off topic and possibly getting ahead of things a little bit, but it came up in a discussion with our engineers so I thought I'd float it here. It's possible some of this might fit in somewhere in the composite signature draft, and if the authors agree and can find an appropriate spot for it I'll draft some text. Otherwise maybe it goes in "PQC for Engineers" or one of the other PQUIP drafts.

It's a pretty simple point, but it's not documented anywhere and it should be:

RSA can be used for both signing and key encapsulation.
ML-DSA can be used for signing.
Composite<RSA, ML-DSA> can be used for ... ?

It's pretty obvious that a composite key can only do what each individual component key can do, so the key usage is at most the intersection of the valid key usages of the component keys. So the correct answer is "signing".

But this analysis and answer should be written down somewhere so everyone doesn't keep having the same question, especially since some people might come to the wrong answer.

-Tim
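The intersection rule from the message above, as an added example that is not part of the original post or of any draft: a small lint that decodes a certificate's DER-encoded KeyUsage BIT STRING (RFC 5280 bit order) and reports usages that a composite key's components cannot all perform. The function names, the simplified permitted-usage table, and the ML-KEM entry (which goes beyond the RSA and ML-DSA case in the post) are assumptions for illustration.

```python
# Added example: KeyUsage lint for composite keys (table below is an assumption).
# RFC 5280 KeyUsage named bits, bit 0 first.
KU_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
           "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
           "encipherOnly", "decipherOnly"]

SIGN = frozenset({"digitalSignature", "nonRepudiation", "keyCertSign", "cRLSign"})
# Simplified, assumed per-algorithm permitted usages; ML-KEM goes beyond the post.
PERMITTED = {
    "RSA": SIGN | {"keyEncipherment", "dataEncipherment"},
    "ML-DSA": SIGN,
    "ML-KEM": frozenset({"keyEncipherment"}),
}

def decode_key_usage(der: bytes) -> set:
    """Decode a short-form DER BIT STRING into the set of asserted KeyUsage names."""
    if len(der) < 3 or der[0] != 0x03 or der[1] >= 0x80 or der[1] != len(der) - 2:
        raise ValueError("expected a short-form DER BIT STRING")
    unused, body = der[2], der[3:]
    if unused > 7 or (not body and unused):
        raise ValueError("invalid unused-bits octet")
    asserted = set()
    for i in range(len(body) * 8 - unused):
        if body[i // 8] & (0x80 >> (i % 8)):
            if i >= len(KU_BITS):
                raise ValueError(f"bit {i} is not a defined KeyUsage bit")
            asserted.add(KU_BITS[i])
    return asserted

def composite_usages(components) -> frozenset:
    """Upper bound on a composite key's usages: intersection over its components."""
    return frozenset.intersection(*(PERMITTED[c] for c in components))

def lint(components, key_usage_der: bytes) -> list:
    """Return asserted usages that some component key cannot perform."""
    return sorted(decode_key_usage(key_usage_der) - composite_usages(components))

if __name__ == "__main__":
    # Constructed inputs: BIT STRING 03 02 05 A0 = digitalSignature + keyEncipherment.
    print(lint(["RSA", "ML-DSA"], bytes.fromhex("030205a0")))  # ['keyEncipherment']
    print(lint(["RSA", "ML-DSA"], bytes.fromhex("03020780")))  # []
    print(sorted(composite_usages(["ML-DSA", "ML-KEM"])))      # []
```

An empty intersection, as in the last call, means the pairing has no usable key usage at all and should be rejected at issuance.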