Re: [lamps] New drafts available - non-composite hybrid authentication, and binding certs
"aebecke@uwe.nsa.gov" <aebecke@uwe.nsa.gov> Mon, 04 April 2022 19:57 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/f6jRYgaXHdBMG85jHtBok1b2GPM>
Thanks for taking the time to read this. The use case may not be limited to only PQ certificates, but it is the main motivation of this work. It may support the scenarios you've described, but that is really an off-label benefit and not the intended use.

Regarding policies: this extension could be useful in a number of protocols and potentially for various use cases, since it is really a tool to facilitate certificate ownership assertion. Because of that, we may want to refrain from making too many normative statements about policy, because we anticipate that policy surrounding this extension may not be uniform, even for the single use case we specify.

- Alie

________________________________
From: Michael Richardson
Sent: Wednesday, March 30, 2022 8:19 AM
To: Alison Becker (GOV); spasm@ietf.org
Subject: Re: [lamps] New drafts available - non-composite hybrid authentication, and binding certs

aebecke@uwe.nsa.gov <aebecke=40uwe.nsa.gov@dmarc.ietf.org> wrote:
> If the certs are from different CAs, it is possible they use different
> practices to issue the certificates. The two certs are independently
> valid on their own, so if the verifier likes them both - great, if the
> verifier likes one and not the other, then it depends on if the
> implementation can fall back to using one cert, and whether or not the
> appropriate one is agreeable.

It seems to me that we need to be a bit more precise about the "likes them both" part.

a) we need some words to describe the policies involved. Why? Because it will need to go into requirements, and because people will have to speak as to what policy failed when it fails.

b) when it fails back to using one cert, we may need to communicate this fact to users and administrators.

Can we use this for two (or n) pre-quantum ("legacy") certificates? Is this a general mechanism for hedging against expiration? To avoid keeping one's eggs in one basket? An advantage of doing that is that it exercises the code paths more frequently.
-- Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting ) Sandelman Software Works Inc, Ottawa and Worldwide
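The verifier-policy question raised in this exchange (what "likes them both" means, when falling back to a single certificate is acceptable, and reporting which policy failed so that users and administrators can be told) modelled as an added example. This is not code from the thread, the draft, or either poster; it assumes a simplified binding in which one certificate carries the SHA-256 digest of the certificate it is bound to (the draft's actual ASN.1 is not reproduced), takes ordinary path-validation results as booleans supplied by the caller, and uses constructed sample certificates with the labels "classical" and "pq":

```python
"""Verifier policy for a bound pair of certificates (added example).

Models two independently validated certificates (one classical, one PQ)
that are bound to each other, plus a verifier policy deciding whether both
must validate or whether falling back to one is allowed. Every decision
returns a reason naming the policy applied and the certificate that failed,
so a fallback is surfaced rather than silently downgrading.

Assumed model (illustrative, not the draft's ASN.1): a certificate may carry
the SHA-256 digest of the certificate it is bound to; path validation is a
boolean supplied by the caller.
"""
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Policy(Enum):
    REQUIRE_BOTH = "require-both"  # hybrid: both certificates must validate
    REQUIRE_PQ = "require-pq"      # the PQ certificate must validate; classical is a hedge
    ANY_ONE = "any-one"            # either certificate alone is acceptable


@dataclass
class Cert:
    name: str
    kind: str                        # "classical" or "pq" (constructed label)
    der: bytes                       # constructed stand-in for the DER encoding
    chain_valid: bool                # result of ordinary path validation
    related: Optional[bytes] = None  # assumed: SHA-256 digest of the bound certificate


def cert_digest(cert: Cert) -> bytes:
    return hashlib.sha256(cert.der).digest()


def binding_ok(a: Cert, b: Cert) -> bool:
    """At least one certificate must reference the other's digest."""
    return a.related == cert_digest(b) or b.related == cert_digest(a)


def evaluate(a: Cert, b: Cert, policy: Policy) -> Tuple[bool, str]:
    """Return (accepted, reason). The reason always names the policy applied."""
    if not binding_ok(a, b):
        return False, f"policy {policy.value}: binding check failed, certificates are not related"

    failed = [c for c in (a, b) if not c.chain_valid]
    if not failed:
        return True, f"policy {policy.value}: both certificates validated"

    failed_text = ", ".join(f"{c.name} ({c.kind})" for c in failed)
    if policy is Policy.REQUIRE_BOTH:
        return False, f"policy {policy.value}: validation failed for {failed_text}"

    survivors = [c for c in (a, b) if c.chain_valid]
    if not survivors:
        return False, f"policy {policy.value}: validation failed for {failed_text}"
    survivor = survivors[0]

    if policy is Policy.REQUIRE_PQ and survivor.kind != "pq":
        return False, (f"policy {policy.value}: PQ certificate failed validation "
                       f"({failed_text}); {survivor.name} ({survivor.kind}) alone is not acceptable")

    # Fallback accepted: say so explicitly so the event can be logged and reported.
    return True, (f"policy {policy.value}: FALLBACK to {survivor.name} ({survivor.kind}); "
                  f"validation failed for {failed_text}")


def build_pair(classical_valid: bool, pq_valid: bool, bound: bool = True) -> Tuple[Cert, Cert]:
    """Construct a sample pair; the PQ certificate references the classical one."""
    classical = Cert("ee-classical", "classical", b"constructed-der-classical", classical_valid)
    pq = Cert("ee-pq", "pq", b"constructed-der-pq", pq_valid,
              related=cert_digest(classical) if bound else None)
    return classical, pq


if __name__ == "__main__":
    # Walk every policy against every combination of validation outcomes.
    for policy in Policy:
        for cv, pv in ((True, True), (True, False), (False, True), (False, False)):
            ok, why = evaluate(*build_pair(cv, pv), policy)
            print(f"{'ACCEPT' if ok else 'REJECT':6} classical={cv!s:5} pq={pv!s:5} -> {why}")
```

The binding check runs before any policy is consulted: two certificates that both validate but are not related to each other are rejected outright, which keeps the "fallback" question separate from the "are these actually a pair" question.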