Re: [lamps] Hybrid pkix isn't needed
Stephen Farrell <stephen.farrell@cs.tcd.ie> Mon, 30 January 2023 22:20 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C0902C17CEA4 for <spasm@ietfa.amsl.com>; Mon, 30 Jan 2023 14:20:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sLld7iapZJVU for <spasm@ietfa.amsl.com>; Mon, 30 Jan 2023 14:20:53 -0800 (PST)
Received: from EUR04-DB3-obe.outbound.protection.outlook.com (mail-db3eur04on2115.outbound.protection.outlook.com [40.107.6.115]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9009BC17CE80 for <spasm@ietf.org>; Mon, 30 Jan 2023 14:20:53 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=XuaPxo/oMiigYdBYAkBlAlc3n50B64349K46OMZUKC1ZSV1d+a+Rp287b+PLFJE5NW294ej0/oOOR6nIAChKmFcLvDgR70S/wKZpYRmXdcRVtSA149AEqykq4ZUl3bXlPiVPGLjSaVh74dzm+DctVC6oLrIjylcXCkz2k1PFgrVLSfa1uYAHl8/cgh2auM1gI2TdFifLsoDVHm9E1DwURzUuwerclkIOoC+7tAXdVC5c4yqBqTC3RD72G1TDRRwFf26TxTrbHjYAoLlSeDYWE79dt85fI/KXvHPtQarJUyE9ODkAtMUVa7osiXKypwNTMZwOpt9SAg76jTDFRVNDhg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=ZOAGpU2wi+FLzOpIrotEPhKKoYrUwkquVxwfmk3bHcc=; b=FddMHEeA1R0AowjmYH5lQCOUGjv69irFmcFX3yDr683WZXn7aBHUTAMEsn4RlgbMeqtwaP759q69+gfSZ+lCL11M909kbV19LZDeoCig/esqMrZ0kTPGgXJrUtjwBEq8aFyV46dHADthG3iUHeYB9UD8EtSAQhdMwtzid4kHGN/x7TPYdg7JXkf+OiWbT7jYhAvWfGItJjQHvXHV0yNAoPSFcvxNrJXQjHWeFjfZZI1YEwTdLYSH8J1IIeyjKNfMjSK6wihQuakE49yEV5PK3wavs5xvz9fOFh2OgibZAOhMjXTYUvJqeAEsYav1rH82xKZPs/3IiVS3UlFShA7xnA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cs.tcd.ie; dmarc=pass action=none header.from=cs.tcd.ie; dkim=pass header.d=cs.tcd.ie; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cs.tcd.ie; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ZOAGpU2wi+FLzOpIrotEPhKKoYrUwkquVxwfmk3bHcc=; b=CiXKCnvVsfnbobGp8qV0JG+RK0nCYujz+Ntl3VYGx/ltP8FlMiEnAx3J7M5dZu3WCHetaysiIH5IchtGBcq4XZHMuq/5hLsZEhw8GVRWCQ6H2HjEyNFQ93c7KLnV4BLbYkwQ5H3lWr9vePuYoMVp9IYpthev57Yyc/pPbaM9NxSnpqAdvgYIz87jVwjJMkuF9PDbEzHoMs1jpAjNJoHzRe20x0M0MeASb77/GIUDl3Eqh+7ASX2nfQlWmhxC6/c2cp9UsZGl2EImtlC0YNbX6WBA5s1Xb9KehKeDXO15vHtZBKbihFFinTV1nPgkqugdeco++fWFnOJIjKjeILoqbA==
Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cs.tcd.ie;
Received: from DB7PR02MB5113.eurprd02.prod.outlook.com (2603:10a6:10:77::15) by PA4PR02MB6655.eurprd02.prod.outlook.com (2603:10a6:102:d5::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6043.28; Mon, 30 Jan 2023 22:20:49 +0000
Received: from DB7PR02MB5113.eurprd02.prod.outlook.com ([fe80::47ff:ce7d:4074:b349]) by DB7PR02MB5113.eurprd02.prod.outlook.com ([fe80::47ff:ce7d:4074:b349%7]) with mapi id 15.20.6043.036; Mon, 30 Jan 2023 22:20:49 +0000
Message-ID: <45bf365a-540d-74cf-2e18-087575719eff@cs.tcd.ie>
Date: Mon, 30 Jan 2023 22:20:48 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.4.2
Content-Language: en-US
To: Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>, Michael Markowitz <markowitz=40infoseccorp.com@dmarc.ietf.org>, Watson Ladd <watsonbladd@gmail.com>, "spasm@ietf.org" <spasm@ietf.org>
References: <CACsn0c=uPvp_hmakpfPff8WkYh1q9NhjfTJYs7iFu_czL2yAyA@mail.gmail.com> <DS7PR12MB5983E36300151BFC47E5CB34AAD39@DS7PR12MB5983.namprd12.prod.outlook.com> <CH0PR11MB57392033396F181A9853FAD79FD39@CH0PR11MB5739.namprd11.prod.outlook.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
In-Reply-To: <CH0PR11MB57392033396F181A9853FAD79FD39@CH0PR11MB5739.namprd11.prod.outlook.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------KAH0xDgwEG7QgYgsxrdDi7la"
X-ClientProxiedBy: DU2PR04CA0075.eurprd04.prod.outlook.com (2603:10a6:10:232::20) To DB7PR02MB5113.eurprd02.prod.outlook.com (2603:10a6:10:77::15)
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: DB7PR02MB5113:EE_|PA4PR02MB6655:EE_
X-MS-Office365-Filtering-Correlation-Id: ea536372-7a94-4dbb-1008-08db03103da8
X-MS-Exchange-SharedMailbox-RoutingAgent-Processed: True
X-TCD-Routed-via-EOP: Routed via EOP
X-TCD-ROUTED: Passed-Transport-Routing-Rules
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: ocXRyNQ53E+zclXQLgFS3POvxKLgOVykTQOxkDyhIEbuFghsAvtIGT3AaQwaBDewDLVJ+g5ff5re1v19JBGUIah/vwtqLpiu1ylJ3W6yOWeumf3+9IjdqM76gBl1ujAF1XgOK84QhTaLNYwMNPfLFZ19k7CL6AtPUKrTEKqEJeZD5MAQ4h/NAdszlNSkQk6S+hQQBzKaaj08HcXc6LELMtmZdfaxs5zJ2+LoFEc5Aj1dng5UsgcauQ1slGTUlHE7YJz2FVB7cP4DecZjfZhruJgXT/xbkU20ryhWbogfqcm1qUHhU5DQguNhtm5nuYg0owAOQYo/dmhzbyScvlL2pyiGkin/hk2PKX5sSvuDNDFUWkdNUWMmqk51qSDWE5YSKLX5yZpKtmoy3MbIRTfxOyTxcWUVU9Xw2NqCEVAOdQPOL+uhmRbnApcmI2+coWa9d3gNj1sc8LffcfbAFN5b+/shM5sCp6aCeZ7FKhGb7aMqzJebsnIePYr7A2iSzxUHlk+HEGB4Bpnp9mE7S1wiotTmMAoveEtRAg/PSnATOCmQfS/gb6+Hm4CaqRszL3zZvZ3+ciM44fx5QK/9nubKXS811e4gEUhrLWRfuoNBshpXXc9SuLQ+eOqwol4m7GDuhx1IST5/mwwFs79cLXb5TVNOBi5qLp38XvgYPXomGPfJeNnXOpXmOfLgdjH53+kOVGYrr7S1s/AHb9iwtYwvJi5zlb3vMEp1IVjtRMomjvs=
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DB7PR02MB5113.eurprd02.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230025)(4636009)(346002)(376002)(39860400002)(396003)(366004)(136003)(451199018)(41320700001)(31686004)(6486002)(44832011)(83380400001)(2906002)(36756003)(110136005)(45080400002)(186003)(26005)(6512007)(21480400003)(53546011)(6506007)(478600001)(66946007)(235185007)(2616005)(33964004)(31696002)(5660300002)(38100700002)(8936002)(66476007)(8676002)(316002)(41300700001)(66556008)(86362001)(786003)(43740500002)(45980500001); DIR:OUT; SFP:1102;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: pNnlRD4XHJXLIQC7XHlPMswHG8Wq8VTKYQdbKsduKdI7KYvPGENhspWEgd75VYWhQHqN2xTvaPixNNrgFZkq7zhAmUMJ8ZLEZX6sbZKwkkTdSVvY9TIxAhDDvIvSzZFCrrXRqgQFeClo/xGXB6gY5mbM/chKTxiqFfYPH2Vu0fd9JHshbxBcdt3Bnd76mg+uVCMUvxsHdEc/z4uoR3LHdjDz1AI3BJOlaYYQt3K663/7hBtasjpUbRT/taaWGaWAf5zVShKL+U31d0PDNtLoGa0c1Yyb2IHpLa/EArmQLrq/roAU1TolJqHgC+kRhtTUMqYKLlYkSOsi2AoLum0OmmPmBiG0qgqOVx8h0H7dGKl/tWYBbr+2sIoTNrg8Ztt5+f1aEVA7ZPkV1D+1lWUWYdQ489PFvvHLUWAhDIGZWeuOVxvabxzFz0SSmIpxH3aFQ/O60PKhOV6sYa5hkEwjJ/ZzxOJ0DaIviJmAmm456X053bzyxhrs1XTcSsiCnOvFNqcTWVTJlPiaPxLdgCMVUUifcNZVNc9ZkDFSmLsDZX6Qq3ez+RZygZDvJyAVip+T09tNcVCjdeG2hcmkm00Yfg/xNOpL3hvEdv48IRswLc4L5PHNJGNzi/nLtuk2kQuOQXYa7dGEPMpUrTdcjQ/tLvAFwNbd95wyIAQnwiwzjO5f7F/gdIjvLCLVC9XbpOhzsTKhOnmEn8wlT5Txx/gCEPbH4l7W8JCAuAuuY0NIKQ2JUQXTnVjoCrqtO5a0zjhhpBKniuKj9j21J/MTqjMQ75eX9pyByobp090pghdj1j8U94y5D6Io0+MmnjxEsg63NvKK3e42VYn8jXXIHiKkF707EQ/D3qGNyhfJntAloPaa/n22QqlwoXSclkVOYaqkO+RSaQYD2LCt69SibO/zEOFAtizgfvH1lKOJ2rILzWpIvTYUAQTPlZ39ErIKZYolqbdAwKEM17OqxsQZXH/sRunXYArcyrOLcBPOrkMzJN7Mh50FQNi2NYDDH5CVVB8B8lDZ8EqbZLQlljZlY2q3P0292CpLeArcut9f8YyiXgg+ou1ir4QZm8kP3lD45pTPpuqHlDTfxbjthnZZ2zUDVSNXeddhXu2vtBf6XbrfBwocX7rwJ7BXkHeLWqp3ULx2B77tcO8FTtZFBSuJiWYtJojuuMic93WNIdfXWVW0/Bcb6VYcNwa4+6oUMG0RMLSzm84cS8CguRdcB29Gq4U55jGbqS/tzSQqGLnoRNMyApVCYCCMe8L+btKT/Av8WPjiQYAFVf6Un86/NntohcLYk0DPHv4//9ua+1lqlD0Z4ml+VbnWkIhYUbqyYP7P9clz/Sa4OoBwEIKKSh4wC7iYG4GGXfVifrCh+v/H/L3LZzovEBi49nzT6EuKCxbriFJVmWUGM3rP5aEK3REc6ce+gi7Db4W3HEhppNPl9BxgJoBPjlvjG4AZKB6c6gEM9uStJtpftUtOqmVebyjD/IZ3QTKFgWA8p5+q5gOllHq9qDK+JZRJD3/7gQCWb7n40iQb/i9iTw5G98z0qWuFOy2ceUfipgbf8Uo/AnkFdfZS507PpuFGwFpqiLdpKFuJJbTa
X-OriginatorOrg: cs.tcd.ie
X-MS-Exchange-CrossTenant-Network-Message-Id: ea536372-7a94-4dbb-1008-08db03103da8
X-MS-Exchange-CrossTenant-AuthSource: DB7PR02MB5113.eurprd02.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 30 Jan 2023 22:20:49.4028 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: d595be8d-b306-45f4-8064-9e5b82fbe52b
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: v/W0C2bQo+4pR9ydYDT9UzbTvdA16qrgLuFzg2z7kiV4ptF+M3mnXoUN7GX0Z1EO
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PA4PR02MB6655
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/ewoQPB-UGnD4fjmPyS4CIGmx0o0>
Subject: Re: [lamps] Hybrid pkix isn't needed
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Jan 2023 22:20:58 -0000
I gotta say I'm with Watson basically, but open to being convinced that this stuff is needed nowish rather than being premature. Thus far, I'm very unconvinced and am also worried that a lot of the code that'd be needed will be liable to be buggy and not much exercised, which is a bad combination. On 30/01/2023 18:30, Mike Ounsworth wrote: > Especially since the NSA in their CNSA 2.0 have marked code-signing > as the most urgent use case to migrate to PQC. The idea is that a > device will leave your manufacturing facility with a burned-in trust > anchor that it should use for validating future firmware patches. For > good reason you can't change trust anchors in the field, so we need > to make sure those algorithms are going to stand the test of time for > the lifetime of the device. That's not at all convincing. As stated, we have hash-based sigs now that don't need any hybrid mechanism. S.
- [lamps] Hybrid pkix isn't needed Watson Ladd
- Re: [lamps] Hybrid pkix isn't needed Michael Markowitz
- Re: [lamps] Hybrid pkix isn't needed Watson Ladd
- Re: [lamps] Hybrid pkix isn't needed Tadahiko Ito
- Re: [lamps] Hybrid pkix isn't needed Ilari Liusvaara
- Re: [lamps] Hybrid pkix isn't needed Hubert Kario
- Re: [lamps] Hybrid pkix isn't needed Mike Ounsworth
- Re: [lamps] Hybrid pkix isn't needed Watson Ladd
- Re: [lamps] Hybrid pkix isn't needed Seo Suchan
- Re: [lamps] Hybrid pkix isn't needed Watson Ladd
- Re: [lamps] [EXTERNAL] Re: Hybrid pkix isn't need… Mike Ounsworth
- Re: [lamps] Hybrid pkix isn't needed Stephen Farrell
- Re: [lamps] Hybrid pkix isn't needed Tadahiko Ito
- Re: [lamps] Hybrid pkix isn't needed Ilari Liusvaara
- Re: [lamps] Hybrid pkix isn't needed Ilari Liusvaara
- Re: [lamps] Hybrid pkix isn't needed Carl Wallace
- Re: [lamps] [EXTERNAL] Re: Hybrid pkix isn't need… Mike Ounsworth
- Re: [lamps] Hybrid pkix isn't needed Phillip Hallam-Baker
- Re: [lamps] Hybrid pkix isn't needed Tim Hollebeek