Re: [lamps] Hybrid pkix isn't needed
Phillip Hallam-Baker <phill@hallambaker.com> Tue, 31 January 2023 15:46 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C7493C15152B for <spasm@ietfa.amsl.com>; Tue, 31 Jan 2023 07:46:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.549
X-Spam-Level:
X-Spam-Status: No, score=-1.549 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.096, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Jwc3aSse5OVY for <spasm@ietfa.amsl.com>; Tue, 31 Jan 2023 07:45:59 -0800 (PST)
Received: from mail-oa1-f44.google.com (mail-oa1-f44.google.com [209.85.160.44]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 56848C14CF05 for <spasm@ietf.org>; Tue, 31 Jan 2023 07:45:59 -0800 (PST)
Received: by mail-oa1-f44.google.com with SMTP id 586e51a60fabf-16346330067so19864824fac.3 for <spasm@ietf.org>; Tue, 31 Jan 2023 07:45:59 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=b2NOx3MppNdBqQ54JnUsyFl472iekDhtcN+0OKzCS8A=; b=Y/EI4nprxZfxgnmsJBhJiQdSOsqkByJalJ94UTCcjVzuEF94LqS+uxuRlNT8eHGwLN TJlYZsj0ENd6iub55IbRhwJg+capQqn5XBzdHPanHhbP+G1WpmSeTSwZ+ghcY7bjyP+k jdd6ZU3/12Qkij6i1NvtD38NWaMMv1Yq/ul0yZz1jOPsLhs+m2lm1u0ZWPjV1zTAkYgD ivbqVWiBXytiF0UFcZjk594kpNHsD2F2sWURZOSrpN8x70zRFRKZKu+TRNJP3o3cdV5/ 4QM3dU+TjVDbgaEmVNYCc4Ic0Dgm/2wbIf23rPQDKryXZ3h+27ugnh9wzIVCXERZDo2s ri4w==
X-Gm-Message-State: AO0yUKVBlEBh8ZgKFYdTUCdaSxEqE3vb9tu/UaWTQL73qHeFl1TN5Q9L 3eGTXnm2l8GCBG0NUIN4apMmbe4Bp0/UOpWDcx8=
X-Google-Smtp-Source: AK7set+2sZo3PL2sTmNS9IUDQEX+9+Y9B6X/XUxO5Rl0pYYDnS4lGImoq+mKU0KDDxgHLDyklVYyPNrPO9nuwUddcR0=
X-Received: by 2002:a05:6870:c194:b0:163:e0d6:3fb with SMTP id h20-20020a056870c19400b00163e0d603fbmr357761oad.108.1675179958355; Tue, 31 Jan 2023 07:45:58 -0800 (PST)
MIME-Version: 1.0
References: <CACsn0c=uPvp_hmakpfPff8WkYh1q9NhjfTJYs7iFu_czL2yAyA@mail.gmail.com> <DS7PR12MB5983E36300151BFC47E5CB34AAD39@DS7PR12MB5983.namprd12.prod.outlook.com> <CH0PR11MB57392033396F181A9853FAD79FD39@CH0PR11MB5739.namprd11.prod.outlook.com> <45bf365a-540d-74cf-2e18-087575719eff@cs.tcd.ie>
In-Reply-To: <45bf365a-540d-74cf-2e18-087575719eff@cs.tcd.ie>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Tue, 31 Jan 2023 10:45:47 -0500
Message-ID: <CAMm+LwgmxYh2WzS+J5VY8EKJxj3AMhQV914wwWfXO7iJRAxhPw@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>, Michael Markowitz <markowitz=40infoseccorp.com@dmarc.ietf.org>, Watson Ladd <watsonbladd@gmail.com>, "spasm@ietf.org" <spasm@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005a523605f3913a42"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/j3Z9-A3bdvSOYn_kKQqRTC3zsgM>
Subject: Re: [lamps] Hybrid pkix isn't needed
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Jan 2023 15:46:02 -0000
On the question of timing, my starting point is looking at the current state of Quantum Computing. Currently we have two main tracks to watch: Josephson junction machines requiring very cold temperatures to maintain the entangled state and trapped ion machines that don't. The long and short is that the first has severe scaling challenges and is at least as hard as fusion power and nobody can build a complete trapped ion machine yet. But the state of the first suggests that we could conceivably see a trapped ion machine built within ten years, albeit at low probability. If they do, the machines could be built using standard VLSI manufacturing so they will start at significant scale. So 10 years is short enough to worry about data we are encrypting but we don't actually need a PQC PKI to apply PQC to the transport layer. We can use X448 to perform an initial key exchange and layer in Khyber for the ephemeral. The tricky part is data at rest. And there our current standards are far behind what is needed to secure data at rest effectively. S/MIME messaging is only aspect of Data at Rest. CMS is also used in various Ford-Weiner key release based CRM systems. That is 1980s technology and doesn't do the job we need today. We are seeing very few breaches resulting from the flaws discovered in transport security. Almost every breach follows the same pattern: * First endpoint compromised through malware sent by mail or from Web site. * Endpoint used to collect all materials on shared drives. * Endpoint used as bridgehead to breach servers and extend attack. While everyone is calling this 'endpoint security', that misses the most important issue which is that the only reason cracking a single endpoint out of tens of thousands in Megacorp.com can bring a billion dollar enterprise to its knees is that we are not applying least privilege - the data should be encrypted. So for Data at Rest, we need PQC capabilities and threshold capabilities so we can do separation of roles. Which means we can't do it all with khyber, we need a hybrid system. On top of that, beyond support for a PQC upgrade bootstrap, I cannot imagine a situation in which I am going to desperately want a PQC signature on a document without also wanting that signature to be fixed in a notary log so I can know when it was signed. The chance of someone successfully building a quantum cryptanalysis capable computer in our lifetimes is non zero but it is much less than the likelihood of signing keys leaking. So we need hybrid. But we should not start by trying to extend PKIX, that should be the last thing we do. PKIX has already been extended multiple times and there is a vast amount of technical debt built up. That said, it is also the deployed legacy infrastructure. I have been building a next generation Threshold Key Infrastructure for four years now and in that time I have built three separate approaches. I believe that the current specification is ready for use in the real world, the standard lags a little and adding PDQ hybrid will take another few months. If you want a PKIX infrastructure that does what you really want a 21st century key infrastructure to do, what I would do is to use the Mesh as a prototype and then copy over the parts that are needed to PKIX. On Mon, Jan 30, 2023 at 5:21 PM Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: > > I gotta say I'm with Watson basically, but open to being > convinced that this stuff is needed nowish rather than being > premature. Thus far, I'm very unconvinced and am also worried > that a lot of the code that'd be needed will be liable to be > buggy and not much exercised, which is a bad combination. > > On 30/01/2023 18:30, Mike Ounsworth wrote: > > Especially since the NSA in their CNSA 2.0 have marked code-signing > > as the most urgent use case to migrate to PQC. The idea is that a > > device will leave your manufacturing facility with a burned-in trust > > anchor that it should use for validating future firmware patches. For > > good reason you can't change trust anchors in the field, so we need > > to make sure those algorithms are going to stand the test of time for > > the lifetime of the device. > > That's not at all convincing. As stated, we have hash-based > sigs now that don't need any hybrid mechanism. > > S. > > _______________________________________________ > Spasm mailing list > Spasm@ietf.org > https://www.ietf.org/mailman/listinfo/spasm >
- [lamps] Hybrid pkix isn't needed Watson Ladd
- Re: [lamps] Hybrid pkix isn't needed Michael Markowitz
- Re: [lamps] Hybrid pkix isn't needed Watson Ladd
- Re: [lamps] Hybrid pkix isn't needed Tadahiko Ito
- Re: [lamps] Hybrid pkix isn't needed Ilari Liusvaara
- Re: [lamps] Hybrid pkix isn't needed Hubert Kario
- Re: [lamps] Hybrid pkix isn't needed Mike Ounsworth
- Re: [lamps] Hybrid pkix isn't needed Watson Ladd
- Re: [lamps] Hybrid pkix isn't needed Seo Suchan
- Re: [lamps] Hybrid pkix isn't needed Watson Ladd
- Re: [lamps] [EXTERNAL] Re: Hybrid pkix isn't need… Mike Ounsworth
- Re: [lamps] Hybrid pkix isn't needed Stephen Farrell
- Re: [lamps] Hybrid pkix isn't needed Tadahiko Ito
- Re: [lamps] Hybrid pkix isn't needed Ilari Liusvaara
- Re: [lamps] Hybrid pkix isn't needed Ilari Liusvaara
- Re: [lamps] Hybrid pkix isn't needed Carl Wallace
- Re: [lamps] [EXTERNAL] Re: Hybrid pkix isn't need… Mike Ounsworth
- Re: [lamps] Hybrid pkix isn't needed Phillip Hallam-Baker
- Re: [lamps] Hybrid pkix isn't needed Tim Hollebeek