IETF Logo Mail Archive

Re: [lamps] LAMPS Re-charter

Roman Danyliw <rdd@cert.org> Fri, 02 April 2021 12:40 UTC

Return-Path: <rdd@cert.org>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A0A003A136E for <spasm@ietfa.amsl.com>; Fri, 2 Apr 2021 05:40:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V71SorurAWaF for <spasm@ietfa.amsl.com>; Fri, 2 Apr 2021 05:40:16 -0700 (PDT)
Received: from veto.sei.cmu.edu (veto.sei.cmu.edu [147.72.252.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 087463A136D for <spasm@ietf.org>; Fri, 2 Apr 2021 05:40:15 -0700 (PDT)
Received: from delp.sei.cmu.edu (delp.sei.cmu.edu [10.64.21.31]) by veto.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 132CeElb030204; Fri, 2 Apr 2021 08:40:14 -0400
DKIM-Filter: OpenDKIM Filter v2.11.0 veto.sei.cmu.edu 132CeElb030204
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=yc2bmwvrj62m; t=1617367214; bh=Cc2dK6qqNYS7c/2iKeoqnlq2LOQzlE71+MrLadiipIc=; h=From:To:Subject:Date:References:In-Reply-To:From; b=CM64G0SwLgdQf3xGl3adiViTSDFA5xSr+mbGW0cj6Uxq4m8Pie8Z0h+Pq3BNJ2Da3 xyuyC51nn9hacD1fHsL9TUCvlgV5fbFWUHG6hS0193YnF6sMZeltazmO26AeUymWJh jxofuTVUZrLS8wzSXqhZ5Yj/vWar2ZAZtfMJYWnU=
Received: from MURIEL.ad.sei.cmu.edu (muriel.ad.sei.cmu.edu [147.72.252.47]) by delp.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 132CeBtE005523; Fri, 2 Apr 2021 08:40:12 -0400
Received: from MORRIS.ad.sei.cmu.edu (147.72.252.46) by MURIEL.ad.sei.cmu.edu (147.72.252.47) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2106.2; Fri, 2 Apr 2021 08:40:11 -0400
Received: from MORRIS.ad.sei.cmu.edu ([fe80::555b:9498:552e:d1bb]) by MORRIS.ad.sei.cmu.edu ([fe80::555b:9498:552e:d1bb%13]) with mapi id 15.01.2106.013; Fri, 2 Apr 2021 08:40:11 -0400
From: Roman Danyliw <rdd@cert.org>
To: Russ Housley <housley@vigilsec.com>, LAMPS <spasm@ietf.org>
Thread-Topic: [lamps] LAMPS Re-charter
Thread-Index: AQHXG3yqpwAcM6U5jEq2zZWhMzJcDKqWmEIAgAAEnwCAAAqpgIAIKcKAgAJyB6A=
Date: Fri, 02 Apr 2021 12:40:10 +0000
Message-ID: <fe265516dce247ba9b7aea94eda48e27@cert.org>
References: <5A22DF7B-BCA5-42F6-BB95-D4F70FDB1996@vigilsec.com> <951CAF0F-7461-4057-B95E-D1F6CAE61D02@vigilsec.com> <4c18a9982cc94df2952d7b2cbae89d99@cert.org> <7B82765F-9C7A-4C4D-B115-A2835B44E6D6@vigilsec.com> <b3fdb1ac051b4ae0ad748782daebead2@cert.org> <ACE141CD-B0B7-45D3-B54F-BE25275A0D25@vigilsec.com> <CALhKWgjB_RVGaQriPbero6eWTdaD4JaVqmHLjHHsqsjrBHUrFA@mail.gmail.com> <EF24C291-BE2D-40A6-8916-84F62DA78559@vigilsec.com> <EECA1CAC-54EA-4A19-931C-0383A28E9111@vigilsec.com> <6381BB73-C84E-4191-BA71-77D65D63D53A@vigilsec.com>
In-Reply-To: <6381BB73-C84E-4191-BA71-77D65D63D53A@vigilsec.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.64.203.41]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/gitRvVGqV4jKToWvhkaw472Ridk>
Subject: Re: [lamps] LAMPS Re-charter
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Apr 2021 12:40:21 -0000

Hi!

I have added this new text and milestones as a draft charter -- https://datatracker.ietf.org/doc/charter-ietf-lamps/.  My plan is to add it to next week's IESG telechat for initial  review.

Roman

> -----Original Message-----
> From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
> Sent: Wednesday, March 31, 2021 3:18 PM
> To: LAMPS <spasm@ietf.org>
> Subject: Re: [lamps] LAMPS Re-charter
> 
> I only heard positive responses, so I am now sending this to the SEC ADs for
> charter processing.  For the archive, the text is below.
> 
> Russ
> 
> = = = = = = = =
> 
> The PKIX and S/MIME Working Groups have been closed for some time. Some
> updates have been proposed to the X.509 certificate documents produced by
> the PKIX Working Group and the electronic mail security documents produced
> by the S/MIME Working Group.
> 
> The LAMPS (Limited Additional Mechanisms for PKIX and SMIME) Working
> Group is chartered to make updates where there is a known constituency
> interested in real deployment and there is at least one sufficiently well
> specified approach to the update so that the working group can sensibly
> evaluate whether to adopt a proposal.
> 
> The LAMPS WG is now tackling these topics:
> 
> 1. Specify the use of short-lived X.509 certificates for which no revocation
> information is made available by the Certification Authority.
> Short-lived certificates have a lifespan that is shorter than the time needed to
> detect, report, and distribute revocation information.  As a result, revoking
> short-lived certificates is unnecessary and pointless.
> 
> 2. Update the specification for the cryptographic protection of email headers --
> both for signatures and encryption -- to improve the implementation situation
> with respect to privacy, security, usability and interoperability in
> cryptographically-protected electronic mail.
> Most current implementations of cryptographically-protected electronic mail
> protect only the body of the message, which leaves significant room for attacks
> against otherwise-protected messages.
> 
> 3. The Certificate Management Protocol (CMP) is specified in RFC 4210, and it
> offers a vast range of certificate management options.  CMP is currently being
> used in many different industrial environments, but it needs to be tailored to
> the specific needs of such machine-to-machine scenarios and communication
> among PKI management entities.  The LAMPS WG will develop a "lightweight"
> profile of CMP to more efficiently support of these environments and better
> facilitate interoperable implementation, while preserving cryptographic
> algorithm agility.  In addition, necessary updates and clarifications to CMP will
> be specified in a separate document.  This work will be coordinated with the
> LWIG WG.
> 
> 4. Provide concrete guidance for implementers of email user agents to promote
> interoperability of end-to-end cryptographic protection of email messages.
> This may include guidance about the generation, interpretation, and handling
> of protected messages; management of the relevant certificates;
> documentation of how to avoid common failure modes; strategies for
> deployment in a mixed environment; as well as test vectors and examples that
> can be used by implementers and interoperability testing.  The resulting robust
> consensus among email user agent implementers is expected to provide more
> usable and useful cryptographic security for email users.
> 
> 5. Recent progress in the development of quantum computers pose a threat to
> widely deployed public key algorithms.  As a result, there is a need to prepare
> for a day when cryptosystems such as RSA, Diffie-Hellman, ECDSA, ECDH, and
> EdDSA cannot be depended upon in the PKIX and S/MIME protocols.
> 
> 5.a. NIST has a Post-Quantum Cryptography (PQC) effort to produce one or
> more quantum-resistant public-key cryptographic algorithm standards.
> The LAMPS WG will specify the use of these new PQC public key algorithms
> with the PKIX certificates and the Cryptographic Message Syntax (CMS).
> These specifications will use object identifiers for the new algorithms that are
> assigned by NIST.
> 
> 5.b. NIST and other organizations are developing standards for post-quantum
> cryptographic (PQC) algorithms that that will be secure even if large-scale
> quantum computers are ever developed.  However, a lengthy transition from
> today's public key algorithms to PQC public key algorithms is expected; time
> will be needed to gain full confidence in the new PQC public key algorithms.
> 
> 5.b.i. The LAMPS WG will specify formats, identifiers, enrollment, and
> operational practices for "hybrid key establishment" that combines the shared
> secret values one or more traditional key-establishment algorithm and one or
> more NIST PQC key-establishment algorithm or a PQC key-establishment
> algorithm vetted by the CFRG.  The shared secret values will be combined using
> HKDF (see RFC 5869), one of the key derivation functions in NIST SP 800-56C,
> or a key derivation function vetted by the CFRG.
> 
> 5.b.ii. The LAMPS WG will specify formats, identifiers, enrollment, and
> operational practices for "dual signature" that combine one or more traditional
> signature algorithm with one or more NIST PQC signature algorithm or a PQC
> algorithm vetted by the CFRG.
> 
> In addition, the LAMPS WG may investigate other updates to documents
> produced by the PKIX and S/MIME WG. The LAMPS WG may produce
> clarifications where needed, but the LAMPS WG shall not adopt anything
> beyond clarifications without rechartering.
> 
> MILESTONES
> 
> Task 1:
> Jul 2021 	Adopt a draft for short-lived certificate conventions
> Mar 2022 	Short-lived certificate conventions sent to IESG for BCP
> publication
> 
> Task 2:
> DONE     	Adopt a draft for header protection conventions
> Nov 2021 	Header protection conventions sent to IESG for standards track
> publication
> 
> Task 3:
> DONE     	Adopt a draft for CMP updates
> DONE     	Adopt a draft for CMP algorithm
> DONE     	Adopt a draft for Lightweight CMP profile
> Dec 2021 	CMP updates sent to IESG for standards track publication
> Dec 2021 	CMP algorithms sent to IESG for standards track publication
> Dec 2021 	Lightweight CMP profile sent to IESG for informational
> publication
> 
> Task 4:
> May 2021    Adopt a draft for end-to-end email user agent guidance
> Jul 2022    End-to-end email user agent guidance sent to IESG for informational
> publication
> 
> Task 5.a:
> Aug 2021    Adopt draft for PQC KEM public keys in PKIX certificates
> Aug 2021    Adopt draft for PQC KEM algorithms in CMS
> Sep 2021    Adopt draft for PQC signatures in PKIX certificates
> Sep 2021    Adopt draft for PQC signatures in CMS
> 
> Task 5.b.i:
> Sep 2021    Adopt draft for public keys for hybrid key establishment in PKIX
> certificates
> Sep 2021    Adopt draft for hybrid key establishment in CMS
> 
> Task 5.b.ii:
> Sep 2021    Adopt draft for dual signatures in PKIX certificates
> Sep 2021    Adopt draft for dual signature in CMS
> 
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm

v2.23.0 | Report a Bug | By Email