Re: [lamps] Draft LAMPS Recharter

Russ Housley <> Wed, 02 May 2018 20:45 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5C1791242F7 for <>; Wed, 2 May 2018 13:45:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id TIpCEwWMl1_K for <>; Wed, 2 May 2018 13:45:26 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 6146012DA23 for <>; Wed, 2 May 2018 13:45:26 -0700 (PDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 451B3300A43 for <>; Wed, 2 May 2018 16:45:24 -0400 (EDT)
X-Virus-Scanned: amavisd-new at
Received: from ([]) by localhost ( []) (amavisd-new, port 10026) with ESMTP id Ir7CIwvBSfvm for <>; Wed, 2 May 2018 16:45:22 -0400 (EDT)
Received: from a860b60074bd.home ( []) by (Postfix) with ESMTPSA id C4421300A3E; Wed, 2 May 2018 16:45:22 -0400 (EDT)
From: Russ Housley <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_D460871A-260E-4C78-A4FA-2C5016503193"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Wed, 02 May 2018 16:45:23 -0400
In-Reply-To: <>
Cc: LAMPS <>
To: Panos Kampanakis <>
References: <> <> <>
X-Mailer: Apple Mail (2.3273)
Archived-At: <>
Subject: Re: [lamps] Draft LAMPS Recharter
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 02 May 2018 20:45:28 -0000

> On May 2, 2018, at 4:36 PM, Panos Kampanakis (pkampana) <> wrote:
> Hi Russ,
> Looks great. One minor correction: 
> s/they will probably not be used for signing X.509 certificates or S/MIME messages,/they might not be used for signing X.509 certificates or S/MIME messages,


> And one question about 4. I think I didn’t see many comments on this one in the recharter email thread. I have a concern that draft-housley-cms-mix-with-psk will not see great deployment. draft-ietf-ipsecme-qr-ikev2 is similar, but given the existing IKEv2 wide deployment, draft-ietf-ipsecme-qr-ikev2 had to exist as temporary solution in order to prevent downgrades to IKEv1 because of QC concerns. I don’t see the same issue for CMS. And given the challenge with establishing the PSK, it will likely not see wide adoption before the NIST PQ Project standardizes on PQ algorithms that can go into CMS.

I asked our AD about this, and he felt that a near-term CMS solution was worth discussing.  The IKE environment is somewhat different, and it is worth discussing the size of the group that would need access to the PSK for this to be viable.  Obviously, it is not a PSK if everyone on the public Internet has access to it.