Re: [lamps] [Pqc] Auditing HBS state usage

"Fregly, Andrew" <afregly@verisign.com> Tue, 31 January 2023 21:35 UTC

Return-Path: <afregly@verisign.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B116C151707; Tue, 31 Jan 2023 13:35:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.396
X-Spam-Level:
X-Spam-Status: No, score=-4.396 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OjmHC9ADNNr8; Tue, 31 Jan 2023 13:35:20 -0800 (PST)
Received: from mail1.verisign.com (mail1.verisign.com [72.13.63.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 29CC0C151551; Tue, 31 Jan 2023 13:35:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=24198; q=dns/txt; s=VRSN; t=1675200920; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=LmDobj/m1jkud5veMlZdqx3JL1pULmkadSceU1XMR/k=; b=jPWG0pqwHKdL5qbOAc7HB8G8A7fW2BqfzxSw6yoUr/E1A8cCBfeGhDab VT289YvhqYTp7BJUl9VaUNPm6KkcK9T4N2kKW2wu+GUKEK4mV0Gjxnmr2 pd6NMLxQudrzeJHVL1PuyTOegdR2cNCWGpNa2UQMEmKRZngZe6lV91wC+ 4n/mc3W3bZC6h/zPv6xdpIUQZLCAgWkDaJCXsVMrtBHD+QiBIH1QjLZdh C8spQ4cr1IIDUjlkczhCQpMUmjrA6ozkFlNy/xEo+YtPi4jxzio5Kyipy KEh8616NYaSU/dqJ3vl+CLFOsCEULqV3+HgP/NXjtTRkxuID9bZMtdiOS A==;
IronPort-Data: A9a23:Mb6Pwq7sbUFarkeIqe0lNAxRtLPGchMFZxGqfqrLsTDasY5as4F+v mYYXziGM/uIMDTzf9p1b9+y8htSvsDdm4VhQANt+HpjEysa+MHIO4+Ufxz6V8+wwm8vb2o8t plDNYOQRCwQZiWBzvt4GuG59RGQ7YnRGvymTras1hlZHWdMUD0mhQ9oh9k3i4tphcnRKw6Ws LsemeWGULOe82MyYz18B56r8ks156yr42pA5TTSWNgQ1LPgvyhNZH4gDfzpR5fIatE8NvK3Q e/F0Ia48gvxl/v6Ior4+lpTWhRiro/6ZWBiuFIPM0SRqkEqShgJ70oOHKF0hXF/0GzVwo8rm L2hgrTrIeshFvWkdO01DUEEQ3kmVUFM0OevzXOX6aR/w6BaGpdFLjoH4EweZOUlFuhL7W5m5 /wDLQ9dMxC4rv+Vzoy3VOxNocMZI5y+VG8fkikIITDxLNIJGK/lbpWSv5lG1zAqnoZHEbDAf dEfLzFoaXwsYTUWYhFNVMx4xbrywCOhG9FbgAv9Sa4f6mbJwQN1wZDzPcDUYd2FQ4NemUPwS mfupT+oW0BCbYL3JTyt3HT81+6fgSHCc6EuRLi+09NzpFKqyTlGYPERfR7hyRWjsWalVdZCK 1YZ4AIlrLM58wqgSdyVdzi5o3PCmQMaQMVXCfE6vV3Vx6zI+RuCGi4PSTtpZNkvrsRwRDE22 BmOhdyBLT93ubuSUifBrr6RpCG1P24eKmoqaSoNVwBD4tT/rsc0lB2nZt9lDKmzj9qzBzjx2 TmitykzgrgVlogA0KDT1UvfiimpjpnEUgBz4R/YNkqp9Ap3eMuqbp6k4Fee/asYfcOZR0KB+ WMFlNPY5f0SDZaXjwSMTfkDWraz6J6tKCTXqV9iA5dn8C6ik0NPZqhR5D4nO0FkIp5ePCT3e gnWuBgU7pgVPX+lNOlpeZm3Tc8tyMAMCOjYaxwdVfIWCrAZSeNN1HgGiZK4t4w1rHURrA==
IronPort-HdrOrdr: A9a23:IMxO+akMJ77mAeBeB8xMiZ7XGFjpDfL83DAbv31ZSRFFG/Fwz/ re+Mjy1XfP5Ar4wBkb6K290dq7MBThHPlOkPUs1NaZLXPbUQSTTL2KgbGJ/9SkIVyaygc/79 YeT0EdMqySMbESt6+TizVQUexQouVvm5rGuQ6q9RZQpHZRBZ2IgT0VNu/RKDwReOAPP+tBKH LXjPA33wZIV05nFfiGOg==
X-IronPort-AV: E=Sophos;i="5.97,261,1669075200"; d="scan'208";a="23919016"
Received: from ILG1WNEX01.vcorp.ad.vrsn.com (10.246.152.25) by ILG1WNEX02.vcorp.ad.vrsn.com (10.246.152.26) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.16; Tue, 31 Jan 2023 16:35:18 -0500
Received: from ILG1WNEX01.vcorp.ad.vrsn.com ([10.246.152.25]) by ILG1WNEX01.vcorp.ad.vrsn.com ([10.246.152.25]) with mapi id 15.01.2507.016; Tue, 31 Jan 2023 16:35:18 -0500
From: "Fregly, Andrew" <afregly@verisign.com>
To: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>, Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>, "Kampanakis, Panos" <kpanos=40amazon.com@dmarc.ietf.org>, "Vaira, Antonio" <antonio.vaira@siemens.com>
CC: LAMPS <spasm@ietf.org>, "draft-gazdag-x509-hash-sigs.authors@ietf.org" <draft-gazdag-x509-hash-sigs.authors@ietf.org>, "pqc@ietf.org" <pqc@ietf.org>
Thread-Topic: [Pqc] [lamps] Auditing HBS state usage
Thread-Index: AQHZNbvpbr/BsgKfQUOOrCA76s6IiQ==
Date: Tue, 31 Jan 2023 21:35:18 +0000
Message-ID: <B9FA096A-CA03-4DEA-81D6-89E86B8B42D6@verisign.com>
References: <08C331ED-453C-4812-955A-F2161B960329@vigilsec.com> <3439f87bb3bb4a199f706b791cba6b6a@bsi.bund.de> <6828097d5b5b4beabb0c4243b150077f@amazon.com> <99a43b5f4620438a9cb7ca539f70dbcb@bsi.bund.de> <DU0PR10MB5244B1BC5E40204EDBD0AFD1E0D09@DU0PR10MB5244.EURPRD10.PROD.OUTLOOK.COM> <d86eb6d6b0be4f58a51377bde590c521@amazon.com> <CH0PR11MB57396CB5F9341759B023A9309FD09@CH0PR11MB5739.namprd11.prod.outlook.com> <DM4PR11MB545523D89F48FB36083FD3E5C1D09@DM4PR11MB5455.namprd11.prod.outlook.com>
In-Reply-To: <DM4PR11MB545523D89F48FB36083FD3E5C1D09@DM4PR11MB5455.namprd11.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.68.22121100
x-originating-ip: [10.170.148.18]
Content-Type: text/plain; charset="utf-8"
Content-ID: <C670EDC687152E4B81CEDFDCB979EDD0@verisign.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/g2mfMNdkTqNjF7RaO82JyOdTBC8>
Subject: Re: [lamps] [Pqc] Auditing HBS state usage
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Jan 2023 21:35:25 -0000

State auditing based on embedded state in signatures may be quite challenging when distributed signing processes are used for hash-based signatures. Consider the scenario where HSMs are allocated to separate lower levels of a hierarchical tree structure. This is the scenario currently required for distributed signing with HSS or XMSS^MT to be in compliance with NIST SP 800-208. It is described in section 7 of that document.

Andy Fregly

On 1/31/23, 1:10 PM, "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com <mailto:sfluhrer@cisco.com>> wrote:


Actually, it's not that hard to extract the current state from either an XMSS(^MT) or LMS/HSS signature.


For XMSS and XMSS^MT, the current state is at a fixed place in the signature.


For HSS, the state is scattered in the signature; however it's not *that* hard to retrieve...


So, expressing the current state explicitly in the certificate might make things a bit easier; however it doesn't fundamentally change anything


> -----Original Message-----
> From: Spasm <spasm-bounces@ietf.org <mailto:spasm-bounces@ietf.org>> On Behalf Of Mike Ounsworth
> Sent: Tuesday, January 31, 2023 10:51 AM
> To: Kampanakis, Panos <kpanos=40amazon.com@dmarc.ietf.org <mailto:40amazon.com@dmarc.ietf.org>>; Vaira,
> Antonio <antonio.vaira@siemens.com <mailto:antonio.vaira@siemens.com>>
> Cc: LAMPS <spasm@ietf.org <mailto:spasm@ietf.org>>; draft-gazdag-x509-hash-sigs.authors@ietf.org <mailto:draft-gazdag-x509-hash-sigs.authors@ietf.org>;
> pqc@ietf.org <mailto:pqc@ietf.org>
> Subject: Re: [lamps] Auditing HBS state usage
> 
> [changing title, and adding PQUIP list]
> 
> > - my understanding of stateful HBS schemes is that the state of the private
> key can be uniquely identified by the authentication path that is part of the
> signature. Could we think to derive a unique value, out of this authentication
> path and embed it into a certificate field? Maybe such certificate can be
> further published, for example on CT, to allow public scrutiny of the CA
> operations?
> 
> Interesting idea!
> Basically, explicitly put the private key state in the signature for easy auditing.
> 
> 
> IMO the list of certificates issued by a CA is already well tracked and audited.
> IMO if we're gonna get ourselves into trouble with over-using a HBS key, it's
> gonna be uses of the CA key for things other than certificate signing; like a
> stuck process that re-issues the same CRL 500 times, or a CA set up for direct
> OCSP or CMP signing with the CA key, or .. who knows .. some CA software
> that uses the CA key for backend TLS connections, or that uses the CA key to
> sign audit records. All things that are completely not a problem today, so
> developers and ops personnel might not even think about them when
> moving to a HBS CA key.
> 
> I like the idea of auditing signatures and private key states, but I think for it to
> be effective you have to audit every signature performed by the HSM to
> make sure you're catching "the weird stuff" that might not otherwise get
> audited. In my mind, this is in the bucket of "quality of life features" that
> HSM vendors will need to build in to their products that support HBS.
> 
> ---
> Mike Ounsworth
> 
> -----Original Message-----
> From: Spasm <spasm-bounces@ietf.org <mailto:spasm-bounces@ietf.org>> On Behalf Of Kampanakis, Panos
> Sent: Tuesday, January 31, 2023 9:28 AM
> To: Vaira, Antonio <antonio.vaira@siemens.com <mailto:antonio.vaira@siemens.com>>
> Cc: LAMPS <spasm@ietf.org <mailto:spasm@ietf.org>>; draft-gazdag-x509-hash-sigs.authors@ietf.org <mailto:draft-gazdag-x509-hash-sigs.authors@ietf.org>
> Subject: [EXTERNAL] Re: [lamps] draft-gazdag-x509-hash-sigs-00
> 
> WARNING: This email originated outside of Entrust.
> DO NOT CLICK links or attachments unless you trust the sender and know the
> content is safe.
> 
> ________________________________________________________________
> ______
> Hi Antonio,
> 
> > - my understanding of stateful HBS schemes is that the state of the private
> key can be uniquely identified by the authentication path that is part of the
> signature. Could we think to derive a unique value, out of this authentication
> path and embed it into a certificate field? Maybe such certificate can be
> further published, for example on CT, to allow public scrutiny of the CA
> operations?
> 
> Interesting. Indeed, Stateful leaf HBS certs (which will include the tree
> verification path) could be published so auditors or verifiers could attest that
> state was not reused. For the Web there is CT so that would be relatively
> straightforward. But given these certs will not be used for the Web, it
> probably does not help much. In a code signing case, a signer vendor that
> signs its software would need to publish all HBS signatures basically for them
> to be auditable to confirm state/OTS public key was not reused. It would be
> operational overhead for vendors though to make all their signatures
> available.
> 
> There is the threat model that is important here as well. If I am the verifier of
> company X created by company X to verify company X's software signatures,
> do I need to audit company X's signing did not reuse SHBS state? Probably
> not because I trust the signer who is probably auditing internally. But still, a
> published code signing repo of all (Root signatures and ICA issued signatures
> and software signatures) could provide assurance to 3rd parties that want to
> be sure. It still is not perfect because someone could argue that some failure
> scenario while signing may have reused state but the signature did not show
> up in the published signatures, but it certainly raises trust.
> 
> 
> 
> -----Original Message-----
> From: Spasm <spasm-bounces@ietf.org <mailto:spasm-bounces@ietf.org>> On Behalf Of Vaira, Antonio
> Sent: Tuesday, January 31, 2023 7:33 AM
> To: Kousidis, Stavros <stavros.kousidis=40bsi.bund.de@dmarc.ietf.org <mailto:40bsi.bund.de@dmarc.ietf.org>>;
> Kampanakis, Panos <kpanos=40amazon.com@dmarc.ietf.org <mailto:40amazon.com@dmarc.ietf.org>>
> Cc: LAMPS <spasm@ietf.org <mailto:spasm@ietf.org>>; draft-gazdag-x509-hash-sigs.authors@ietf.org <mailto:draft-gazdag-x509-hash-sigs.authors@ietf.org>
> Subject: RE: [EXTERNAL][lamps] draft-gazdag-x509-hash-sigs-00
> 
> CAUTION: This email originated from outside of the organization. Do not click
> links or open attachments unless you can confirm the sender and know the
> content is safe.
> 
> 
> 
> Dear Stavros, Dear Panos,
> 
> I hope I am not intruding this conversation, I would like to add a couple of
> personal considerations:
> 
> - I believe that we will also need to have "stateful HBS ICAs", to at least sign
> "stateful HBS code-signing certificates". This would allow a relying party to
> validate the code-signing certificates, and its associated certificate chain, by
> verifying only one type of digital signatures, which in this case would be a
> stateful HBS scheme. This type of ICAs may be handled as RootCA, so
> probably there is not much to add to the security considerations.
> - my understanding of stateful HBS schemes is that the state of the private
> key can be uniquely identified by the authentication path that is part of the
> signature. Could we think to derive a unique value, out of this authentication
> path and embed it into a certificate field? Maybe such certificate can be
> further published, for example on CT, to allow public scrutiny of the CA
> operations?
> - on a more generic note, the recent publication of CNSA 2.0, despite
> applying only to NSS, may trigger other regulatory bodies, which may be
> transversal to the scope of NSS, to adopt similar guidelines. Therefore I think
> we might have to deal with stateful HBS sooner than later.
> 
> - @Stavros: it would be very interesting to know more about how you plan to
> handle the requirements from §7 of NIST SP 800-208.
> > in my understanding, to fulfil the requirements set forth in this section
> one would that initializing several hypertrees on different HSMs. One or
> more HSMs may be used immediately and the remaining should be securely
> stored for later use (as disaster recovery mechanism for example). I think
> this approach might prove to be quite cumbersome, at least over a long
> period of time (which is intended use of stateful HBS).
> > do you see additional approaches that would allow to comply with the
> requirements from §7 of NIST SP 800-208?
> 
> 
> Many thanks
> Antonio Vaira
> 
> -----Original Message-----
> From: Spasm <spasm-bounces@ietf.org <mailto:spasm-bounces@ietf.org>> On Behalf Of Kousidis, Stavros
> Sent: Monday, 23 January 2023 09:33
> To: Kampanakis, Panos <kpanos=40amazon.com@dmarc.ietf.org <mailto:40amazon.com@dmarc.ietf.org>>
> Cc: LAMPS <spasm@ietf.org <mailto:spasm@ietf.org>>; draft-gazdag-x509-hash-sigs.authors@ietf.org <mailto:draft-gazdag-x509-hash-sigs.authors@ietf.org>
> Subject: Re: [lamps] draft-gazdag-x509-hash-sigs-00
> 
> Dear Pano,
> 
> thank you for your comments and suggestions, and sorry for the late reply.
> 
> The typical use case we have in mind are root and (potentially also
> subordinate) CAs which are using an HSM for cert signing that ensures the
> secure handling of the state. When discussing this in the security
> considerations we would also stress on NISTs proposal to use "Distributed
> Multi-Tree Hash-Based Signatures" (see NIST SP 800-208 §7) as a design to
> further ensure that states are handled appropriately.
> 
> We have tracked the other use cases you mentioned as an issue in in our
> repository. I think Stefan Gazdag has some experience here and we will
> discuss how to incorporate your suggestions in the security considerations.
> 
> Best
> Stavros
> 
> -----Ursprüngliche Nachricht-----
> Von: Kampanakis, Panos <kpanos=40amazon.com@dmarc.ietf.org <mailto:40amazon.com@dmarc.ietf.org>>
> Gesendet: Donnerstag, 29. Dezember 2022 18:23
> An: Kousidis, Stavros <stavros.kousidis@bsi.bund.de <mailto:stavros.kousidis@bsi.bund.de>>
> Cc: LAMPS <spasm@ietf.org <mailto:spasm@ietf.org>>; draft-gazdag-x509-hash-sigs.authors@ietf.org <mailto:draft-gazdag-x509-hash-sigs.authors@ietf.org>
> Betreff: RE: [lamps] draft-gazdag-x509-hash-sigs-00
> 
> One more comment regarding draft-gazdag-x509-hash-sigs.
> 
> Stateful HBS had come up previously for X.509 and some participants voiced
> serious concerns
> https://urldefense.com/v3/__https://eur01.safelinks.protection.outlook.co <https://urldefense.com/v3/__https://eur01.safelinks.protection.outlook.co>
> m/?url=https*3A*2F*2Fmailarchive.ietf.org*2Farch*2Fmsg*2Fspasm*2FDKP
> DfaQZxF5_De9BYuoWsRKp4gM*2F&data=05*7C01*7Cantonio.vaira*40siem
> ens.com*7C42f367be82dd413a64ae08dafd1c9a04*7C38ae3bcd95794fd4add
> ab42e1495d55a*7C1*7C0*7C638100596561496300*7CUnknown*7CTWFpbG
> Zsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6
> Mn0*3D*7C3000*7C*7C*7C&sdata=h25km8rodm9XTku1Chgjffe*2BEm9dOR
> sXhMwrrDhcVzQ*3D&reserved=0__;JSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlJQ!!FJ-
> Y8qCqXTj2!esBnp7Nl7B1z9kQbd2Cr_cAnMTdMiIqi4_tPkbBohCOjROZnG7We
> Ocu5HmlSVFHnbif3t0MFYttHiFf4DUHO8hDBsvLpjr-H6OhAlgSN8g$ A
> summary of the counter-arguments could be that CAs have messed up
> before, how can we rest assured they will not reuse state.
> 
> I think your argument for Stateful HBS in this draft is only for root CAs which
> sign a few ICAs and then go to sleep and rarely wake up. Maybe another use
> is for code-signing EKU certs where the signer controls its signing process and
> the verifiers trust it. The draft also mentions subordinate CA certificates. I
> don't think these are good use-cases for stateful HBS. I would suggest for the
> draft to clearly stress the potentially use-cases for Stateful HBS. Also I suggest
> for the security considerations section to stress the importance and how you
> envision these use-cases will be able to address the state concern. For
> example a Root CA uses an HSM and signs very few ICA certs and then goes
> offline. Another example is a code-signer keeps track of all its signatures and
> can go back and attest the state was not reused periodically and its verifiers
> usually trust the signer. Another one could be the state look ahead where
> you retrieve x states and change your pointer before you even start signing
> anything.
> 
> 
> 
> -----Original Message-----
> From: Spasm <spasm-bounces@ietf.org <mailto:spasm-bounces@ietf.org>> On Behalf Of Kousidis, Stavros
> Sent: Saturday, December 24, 2022 12:11 AM
> To: Russ Housley <housley@vigilsec.com <mailto:housley@vigilsec.com>>
> Cc: LAMPS <spasm@ietf.org <mailto:spasm@ietf.org>>; draft-gazdag-x509-hash-sigs.authors@ietf.org <mailto:draft-gazdag-x509-hash-sigs.authors@ietf.org>
> Subject: RE: [EXTERNAL][lamps] draft-gazdag-x509-hash-sigs-00
> 
> CAUTION: This email originated from outside of the organization. Do not click
> links or open attachments unless you can confirm the sender and know the
> content is safe.
> 
> 
> 
> Dear Russ,
> 
> thank you for the information.
> 
> In the next version we will adopt the "OCTET STRING" definition of RFC 8708
> for HSS and apply this also to XMSS/XMSS^MT. The same applies to
> SPHINCS+ where we will adopt the definition of "draft-ietf-lamps-cms-
> sphincs-plus-01".
> 
> Best
> Stavros
> 
> -----Ursprüngliche Nachricht-----
> Von: Russ Housley <housley@vigilsec.com <mailto:housley@vigilsec.com>>
> Gesendet: Freitag, 23. Dezember 2022 18:12
> An: draft-gazdag-x509-hash-sigs.authors@ietf.org <mailto:draft-gazdag-x509-hash-sigs.authors@ietf.org>
> Cc: LAMPS <spasm@ietf.org <mailto:spasm@ietf.org>>
> Betreff: [lamps] draft-gazdag-x509-hash-sigs-00
> 
> Dear I-D Authors:
> 
> RFC 8708 has this definition:
> 
> HSS-LMS-HashSig-PublicKey ::= OCTET STRING
> 
> This will carry the bytes as defined in RFC 8554.
> 
> draft-gazdag-x509-hash-sigs-00 says:
> 
> HSS-HashSig-PublicKey ::= SEQUENCE {
> levels OCTET STRING, -- number of levels L
> tree OCTET STRING, -- typecode of top-level LMS tree
> ots OCTET STRING, -- typecode of top-level LM-OTS
> identifier OCTET STRING, -- identifier I of top-level LMS key pair
> root OCTET STRING -- root T[1] of top-level tree
> }
> 
> This will produce a different byte string than RFC 8554. I think this is a
> problem. There should only be one way to encode the HSS/LMS public key.
> 
> Russ
> 
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org <mailto:Spasm@ietf.org>
> https://urldefense.com/v3/__https://eur01.safelinks.protection.outlook.co <https://urldefense.com/v3/__https://eur01.safelinks.protection.outlook.co>
> m/?url=https*3A*2F*2Fwww.ietf.org*2Fmailman*2Flistinfo*2Fspasm&data=
> 05*7C01*7Cantonio.vaira*40siemens.com*7C42f367be82dd413a64ae08dafd
> 1c9a04*7C38ae3bcd95794fd4addab42e1495d55a*7C1*7C0*7C63810059656
> 1496300*7CUnknown*7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2l
> uMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0*3D*7C3000*7C*7C*7C&sdata=BzfXk7I
> kssXiXjWumPeivk5qXUsPP2tXjqRJZXx3QB8*3D&reserved=0__;JSUlJSUlJSUlJSU
> lJSUlJSUlJSUlJQ!!FJ-
> Y8qCqXTj2!esBnp7Nl7B1z9kQbd2Cr_cAnMTdMiIqi4_tPkbBohCOjROZnG7We
> Ocu5HmlSVFHnbif3t0MFYttHiFf4DUHO8hDBsvLpjr-H6OirgtotNA$
> 
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org <mailto:Spasm@ietf.org>
> https://urldefense.com/v3/__https://eur01.safelinks.protection.outlook.co <https://urldefense.com/v3/__https://eur01.safelinks.protection.outlook.co>
> m/?url=https*3A*2F*2Fwww.ietf.org*2Fmailman*2Flistinfo*2Fspasm&data=
> 05*7C01*7Cantonio.vaira*40siemens.com*7C42f367be82dd413a64ae08dafd
> 1c9a04*7C38ae3bcd95794fd4addab42e1495d55a*7C1*7C0*7C63810059656
> 1496300*7CUnknown*7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2l
> uMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0*3D*7C3000*7C*7C*7C&sdata=BzfXk7I
> kssXiXjWumPeivk5qXUsPP2tXjqRJZXx3QB8*3D&reserved=0__;JSUlJSUlJSUlJSU
> lJSUlJSUlJSUlJQ!!FJ-
> Y8qCqXTj2!esBnp7Nl7B1z9kQbd2Cr_cAnMTdMiIqi4_tPkbBohCOjROZnG7We
> Ocu5HmlSVFHnbif3t0MFYttHiFf4DUHO8hDBsvLpjr-H6OirgtotNA$
> 
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org <mailto:Spasm@ietf.org>
> https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/spasm_ <https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/spasm_>
> _;!!FJ-
> Y8qCqXTj2!esBnp7Nl7B1z9kQbd2Cr_cAnMTdMiIqi4_tPkbBohCOjROZnG7We
> Ocu5HmlSVFHnbif3t0MFYttHiFf4DUHO8hDBsvLpjr-H6OgQtC7kZg$
> 
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org <mailto:Spasm@ietf.org>
> https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/spasm_ <https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/spasm_>
> _;!!FJ-
> Y8qCqXTj2!esBnp7Nl7B1z9kQbd2Cr_cAnMTdMiIqi4_tPkbBohCOjROZnG7We
> Ocu5HmlSVFHnbif3t0MFYttHiFf4DUHO8hDBsvLpjr-H6OgQtC7kZg$
> Any email and files/attachments transmitted with it are confidential and are
> intended solely for the use of the individual or entity to whom they are
> addressed. If this message has been sent to you in error, you must not copy,
> distribute or disclose of the information it contains. Please notify Entrust
> immediately and delete the message from your system.
> 
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org <mailto:Spasm@ietf.org>
> https://www.ietf.org/mailman/listinfo/spasm <https://www.ietf.org/mailman/listinfo/spasm>