Re: [lamps] WG Action: Rechartered Limited Additional Mechanisms for PKIX and SMIME (lamps)
Ryan Sleevi <ryan-ietf@sleevi.com> Wed, 09 June 2021 16:04 UTC
Return-Path: <ryan.sleevi@gmail.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C9943A1CF2 for <spasm@ietfa.amsl.com>; Wed, 9 Jun 2021 09:04:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.398
X-Spam-Level:
X-Spam-Status: No, score=-1.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.248, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iMjjRG22XLSr for <spasm@ietfa.amsl.com>; Wed, 9 Jun 2021 09:04:29 -0700 (PDT)
Received: from mail-pl1-f181.google.com (mail-pl1-f181.google.com [209.85.214.181]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9C8203A1CE6 for <spasm@ietf.org>; Wed, 9 Jun 2021 09:04:29 -0700 (PDT)
Received: by mail-pl1-f181.google.com with SMTP id b12so6796396plg.11 for <spasm@ietf.org>; Wed, 09 Jun 2021 09:04:29 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/uKWnMoWEWAQb5cHJkgtU11gccVnUkzAmS1WTGpPbA4=; b=GrMKfm+Hl1oTe0wIIe9kIspKfR/CE1hIzxICBSR2fjsIF4gj6/vg/BjbdGke2Lt1No 5L3dTj1UJe3U23Jl8TGxyBxTT5fmVMtfDC2e3vcqjKuhf93+nwgZfuH5zttXlrSyotaZ Cd+sKxISu7h25Mc1KWmsDBsYOmfVa7lz9lTSXa/93cozGPVnL8Ep43fdlAawqrwIXjl8 3wGAkvK4DL97UX3morjX5EZV3x83iyW8nwzoTcTlKIWZ+XhzZvJuALW5Aiep2HLs8Wt0 2KOaYz/iTBgrjazpTq7UONqutzlnmLUiWG1GEB6IF6WVT0uG023ZvKArsyZ5sKWEVAL0 2vIQ==
X-Gm-Message-State: AOAM530FjQGbXAf6mJ2WmoM4wed759Zq82sVZUXhCV/ek3/FkG5jkvEN xIdKXYJdMzqUvySMYrlAgtP8JzPPE3E=
X-Google-Smtp-Source: ABdhPJx6txVJyAajAYRmrUM/gnU0ncEsnN/rH4sDXGZpOcm/Q2WIh0KBKT+Itnq94cxnCLyO9DDY3Q==
X-Received: by 2002:a17:90a:80c5:: with SMTP id k5mr11476843pjw.129.1623254668737; Wed, 09 Jun 2021 09:04:28 -0700 (PDT)
Received: from mail-pf1-f177.google.com (mail-pf1-f177.google.com. [209.85.210.177]) by smtp.gmail.com with ESMTPSA id g11sm227424pgh.24.2021.06.09.09.04.28 for <spasm@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 09 Jun 2021 09:04:28 -0700 (PDT)
Received: by mail-pf1-f177.google.com with SMTP id d16so18698512pfn.12 for <spasm@ietf.org>; Wed, 09 Jun 2021 09:04:28 -0700 (PDT)
X-Received: by 2002:aa7:921a:0:b029:2cf:b55b:9d52 with SMTP id 26-20020aa7921a0000b02902cfb55b9d52mr484005pfo.35.1623254668136; Wed, 09 Jun 2021 09:04:28 -0700 (PDT)
MIME-Version: 1.0
References: <162197839888.7001.14038013572109016245@ietfa.amsl.com> <em1cc0ae3e-147b-4e9b-a7e1-ea78e82c1a7d@desktop-8g465ua> <CH0PR11MB5739DCEDF80918186DF5F5729F379@CH0PR11MB5739.namprd11.prod.outlook.com> <3633b97a-f70c-6b33-ea53-ff9cff4b5e10@iaik.tugraz.at>
In-Reply-To: <3633b97a-f70c-6b33-ea53-ff9cff4b5e10@iaik.tugraz.at>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Wed, 09 Jun 2021 12:04:17 -0400
X-Gmail-Original-Message-ID: <CAErg=HEvGzYm49Yp1Nonu88s26ZVqfmP4Aaj7E91qfSiqynfZQ@mail.gmail.com>
Message-ID: <CAErg=HEvGzYm49Yp1Nonu88s26ZVqfmP4Aaj7E91qfSiqynfZQ@mail.gmail.com>
To: Dieter Bratko <Dieter.Bratko@iaik.tugraz.at>
Cc: Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>, Ludovic Perret <ludovic.perret@cryptonext-security.com>, "spasm@ietf.org" <spasm@ietf.org>, Simon Guggi <simon.guggi@iaik.tugraz.at>, Franco Nieddu <franco.nieddu@iaik.tugraz.at>
Content-Type: multipart/alternative; boundary="000000000000dfd5dd05c4576d50"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/en3hdmnk_045XxV2bMi1HfIgLYA>
Subject: Re: [lamps] WG Action: Rechartered Limited Additional Mechanisms for PKIX and SMIME (lamps)
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Jun 2021 16:04:34 -0000
On Wed, Jun 9, 2021 at 5:52 AM Dieter Bratko <Dieter.Bratko@iaik.tugraz.at> wrote: > Hello, > > > As for defining algorithmID OIDs, parameters, etc for Sphincs+, Falcon, > > Dilithium, Kyber, etc, I haven't seen any drafts yet. > > A while ago Scott Fluhrer has posted a hint to an industry draft ( > https://docs.google.com/document/d/19XfdzkVdHS69rqin-XV72Cn2FjrpEbiyERg7F1lKIVs/edit?usp=sharing) > on this list, and we wanted to suggest an alternative apporach: > > The industry draft specifies one algorithm id for each parameter set. > These ids are used as key and signature/kem algorithm ids, too. Taking the > Dilithium signature algorithm as example the draft specifies three ids > (with the algorithm name as optional parameter): > > dilithium-4x4-r3 (1.3.6.1.4.1.2.267.7.4.4) for the security-level 2 > parameter set, > dilithium-6x5-r3 (1.3.6.1.4.1.2.267.7.6.5) for the security-level 3 > parameter set, and > dilithium-8x7-r3 (1.3.6.1.4.1.2.267.7.8.7) for the security-level 5 > parameter set, > > each of them used as key and signature algorihtm id, too. > > If there is no absolute requirement to bound the parameter set to the > signature/kem algorithm, too, we would like to propose an alternative > approach for defining the algorithm/parameter ids. > This is actually something that came up in past discussions as feedback from multiple cryptographic library implementers. In general, the use of parameters in AlgorithmIdentifiers creates a lot of complexity throughout the system - from CAs issuing certificates (with the correct parameters, and making sure the parameters make logical sense) to RPs verifying certificates (which may only support a subset of parameters), to applications using libraries trying to figure out "Is X supported" The experience of running code is very much in favor of the explicit "use the algorithm ID to express your parameters", which is more or less an expression of the concepts captured at https://datatracker.ietf.org/doc/html/draft-iab-protocol-maintenance (now abandoned?) or the lessons from other protocols (RFC 8701, https://datatracker.ietf.org/doc/html/draft-nottingham-http-grease-01 , https://datatracker.ietf.org/doc/html/draft-bishop-httpbis-grease-00 ... you get the idea :D) This is also roughly similar to the approach taken in TLS 1.3, which collapsed the (independent) SignatureAndHashAlgorithm ( https://datatracker.ietf.org/doc/html/rfc5246#section-7.4.1.4.1 ) into a single logical unit ( https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.3 ), to ensure no untoward combinations/permutations. I wanted to provide that context for why "OID with no params" is generally prefered, in terms of security, complexity, and interoperability. Even though ASN.1 technically affords the necessity, having well-scoped definitions avoid ambiguities, or, worse, issues like ChainOfFools/Curveball ( https://blog.lessonslearned.org/chain-of-fools/ )
- [lamps] WG Action: Rechartered Limited Additional… The IESG
- Re: [lamps] WG Action: Rechartered Limited Additi… Ludovic Perret
- Re: [lamps] WG Action: Rechartered Limited Additi… Mike Ounsworth
- Re: [lamps] WG Action: Rechartered Limited Additi… Dieter Bratko
- Re: [lamps] WG Action: Rechartered Limited Additi… Ryan Sleevi