Re: [lamps] Can ML-DSA be used in CMS?

Wai Choi <wchoi@us.ibm.com> Tue, 13 February 2024 16:37 UTC

From: Wai Choi <wchoi@us.ibm.com>
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>, "draft-ietf-lamps-dilithium-certificates@ietf.org" <draft-ietf-lamps-dilithium-certificates@ietf.org>
CC: "spasm@ietf.org" <spasm@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/cdelBORKSwVb6ejoVocpYymWKfc>

Do we need a draft to address how to use Kyber in X.509 certificates? While having a certificate used for signing is common, one used for email encryption is not rare. Wonder why all the discussion focuses on signing only...



Other basic questions on PQ certificates:

1. Although it makes sense to have PQ algorithms on both Signature Algorithm and Public key Algorithm, is it a MUST requirement?
2. Does the whole chain of certificates need to use PQ algorithms?



Wai Choi



From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
Sent: Tuesday, February 13, 2024 8:37 AM
To: draft-ietf-lamps-dilithium-certificates@ietf.org
Cc: 'LAMPS' <spasm@ietf.org>
Subject: [lamps] Can ML-DSA be used in CMS?



The answer obviously is Yes, but draft-ietf-lamps-dilithium-certificates does not actually say this.



I was reading a draft ICAO ePassport document yesterday that correctly points out that IETF has a draft for how to use ML-DSA in X.509 certificates, but no draft for how to use ML-DSA in CMS.



Authors of draft-ietf-lamps-dilithium-certificates, if you add a section "Signed-data Conventions" modelled after RFC8419, then I think that saves us from needing a whole second ML-DSA draft.



---
Mike Ounsworth
Software Security Architect, Entrust