IETF Logo Mail Archive

Re: [lamps] [EXTERNAL] Re: PQ-composite OR or K-of-N logic

Santosh Chokhani <santosh.chokhani@gmail.com> Wed, 27 April 2022 14:43 UTC

Return-Path: <santosh.chokhani@gmail.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F23B4C14F746 for <spasm@ietfa.amsl.com>; Wed, 27 Apr 2022 07:43:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ady9TFWqtxey for <spasm@ietfa.amsl.com>; Wed, 27 Apr 2022 07:43:51 -0700 (PDT)
Received: from mail-qt1-x832.google.com (mail-qt1-x832.google.com [IPv6:2607:f8b0:4864:20::832]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5FAD6C23BE8C for <spasm@ietf.org>; Wed, 27 Apr 2022 07:43:21 -0700 (PDT)
Received: by mail-qt1-x832.google.com with SMTP id t11so1247839qto.11 for <spasm@ietf.org>; Wed, 27 Apr 2022 07:43:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=from:to:references:in-reply-to:subject:date:message-id:mime-version :content-transfer-encoding:thread-index:content-language; bh=cmFogTiA6a4+f65nL1CdJRvsqq7G3GPJBKxDW39HZT8=; b=A5i9oR1kD4f+iZPhcS14xOYHipXz9U5EquLj/F4zq8fhaBNy6czBveoA9LQpfCTbjU nu536rbXDlVpel5LmYHZlKtGHpMNrSZpVj/oLDlbSC1Bc/QBqlZSPmIlb1cdKWYjYCkV +vqfphX44D9OushlCfpAPQx51EkXHO8iUEhUlAVVu4KXayBBhUH6AIjemxVqynEZ1GGD p2+GeefSA46xdZF5n2nK8nFtVVODfLWuwpLRvmFNCx5n9XvxXzTHrhikrlQssy8skJE1 8LCmeHe9SgEkKg/DMzZ7axZeWN+sldKWBffvfGiwkC9EDuJOuB2LS5krUAo7OW6rduxR bFlA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:references:in-reply-to:subject:date :message-id:mime-version:content-transfer-encoding:thread-index :content-language; bh=cmFogTiA6a4+f65nL1CdJRvsqq7G3GPJBKxDW39HZT8=; b=h0h+NeJ4MJA445WuEcWgJZk1xlbpg3sgOxPfbjywOMFUwzJlyfKwJMeGVRFD9RYZHB CKNq10qtyrZCTdADpyVi7IwisGE469II3wyroVvxMYrBmLH17m+It3Ct7OELypRua1nT Q4tKbf3NlUklH6QjmhH4EMthfOu0w4QC3RMZgxc6IidlL8C4eiGvo6HWprGUtplcJjDL 4dWEiRKSzoeINvfEhqepFQpMnFy5jGV6RUmUcCZAynw4cyi1RKjUK1Ei+zjoMzbe3p4d Ig7FMAujs5OpUadkOgQOce4BcoKmVDhUKSQAb1TQQJssgrA622jKE/cbHyXj9TkJprzK 4wcQ==
X-Gm-Message-State: AOAM531LTCmPVlZuTG8eYQetygvI2+5ETZcW4uVhbZmVTbSbGINIsTKX iPC2EhjnhozLy3mxb96sulbYy8F7jn/yZw==
X-Google-Smtp-Source: ABdhPJx1wsmFKg/VpmjYA3npNNYe7u7tvaJkoVBR5vfe4yEMGhLWzZvycbdLueCF4K5w7hJrZOLx2g==
X-Received: by 2002:ac8:5753:0:b0:2e1:ed23:1991 with SMTP id 19-20020ac85753000000b002e1ed231991mr19401336qtx.615.1651070599805; Wed, 27 Apr 2022 07:43:19 -0700 (PDT)
Received: from SantoshBrain (pool-96-255-230-78.washdc.fios.verizon.net. [96.255.230.78]) by smtp.gmail.com with ESMTPSA id x9-20020a05622a000900b002f37b3537eesm3000612qtw.1.2022.04.27.07.43.18 for <spasm@ietf.org> (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 27 Apr 2022 07:43:18 -0700 (PDT)
From: Santosh Chokhani <santosh.chokhani@gmail.com>
To: 'LAMPS' <spasm@ietf.org>
References: <f2fb2b2459fe42818348838eb14cc2ac@EX13D01ANC003.ant.amazon.com> <29E39FB1-D8E5-40E9-AFC0-5A8EBBB705DF@vigilsec.com> <DM6PR11MB38025338B4FA3AED0AA99E3196F79@DM6PR11MB3802.namprd11.prod.outlook.com> <1312783.1650733573@dooku> <423419504256427b83c889f9b5c607b7@EX13D01ANC003.ant.amazon.com> <CH0PR11MB5739266C7EE710B6FB0B8AE99FFA9@CH0PR11MB5739.namprd11.prod.outlook.com>
In-Reply-To: <CH0PR11MB5739266C7EE710B6FB0B8AE99FFA9@CH0PR11MB5739.namprd11.prod.outlook.com>
Date: Wed, 27 Apr 2022 10:43:16 -0400
Message-ID: <1c6f01d85a45$21b84f80$6528ee80$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQMuRBb3498nUlRS8F9HsF3VDOunhAHb7ODiAduo4v0Bi83VIwG/ynJDAgIDspGqD9T7wA==
Content-Language: en-us
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/jG0agZedwd0hnPo-HZHq9e89gMI>
Subject: Re: [lamps] [EXTERNAL] Re: PQ-composite OR or K-of-N logic
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Apr 2022 14:43:55 -0000

In both of those cases (S/MIME Encryption certificate and firmware signature
verification), there is a relying party to verify signatures on certificates
and payload and its policy can dictate the verification logic.

AND, OR or k of n, all should be part of relying party decision.

-----Original Message-----
From: Spasm [mailto:spasm-bounces@ietf.org] On Behalf Of Mike Ounsworth
Sent: Wednesday, April 27, 2022 9:50 AM
To: Kampanakis, Panos <kpanos=40amazon.com@dmarc.ietf.org>; Michael
Richardson <mcr+ietf@sandelman.ca>; LAMPS <spasm@ietf.org>
Subject: Re: [lamps] [EXTERNAL] Re: PQ-composite OR or K-of-N logic

Panos,

> The only way to avoid a flag day is to negotiate

Careful with this thinking; there are things in the world besides than TLS
and IKE; How does one negotiate with an S/MIME encryption cert that you find
in a directory, or a signed firmware binary that you're trying to verify in
a bootloader?

---
Mike Ounsworth

-----Original Message-----
From: Spasm <spasm-bounces@ietf.org> On Behalf Of Kampanakis, Panos
Sent: April 23, 2022 8:48 PM
To: Michael Richardson <mcr+ietf@sandelman.ca>; LAMPS <spasm@ietf.org>
Subject: [EXTERNAL] Re: [lamps] PQ-composite OR or K-of-N logic

WARNING: This email originated outside of Entrust.
DO NOT CLICK links or attachments unless you trust the sender and know the
content is safe.

______________________________________________________________________
Hi Michael,

Both OR or AND are not backwards compatible. The new OID (regardless of OR
or AND logic) will not be understood by verifiers that have not been
upgraded. Not to mention that verifiers that don't understand composite will
not want to see the extra data which could slow down their communications.

The only way to avoid a flag day is to negotiate; if the verifier
understands the composite signature give it to it, otherwise just give the
classical.







-----Original Message-----
From: Spasm <spasm-bounces@ietf.org> On Behalf Of Michael Richardson
Sent: Saturday, April 23, 2022 1:06 PM
To: LAMPS <spasm@ietf.org>
Subject: RE: [EXTERNAL][lamps] [EXTERNAL] Re: PQ-composite OR or K-of-N
logic

CAUTION: This email originated from outside of the organization. Do not
click links or open attachments unless you can confirm the sender and know
the content is safe.



Serge Mister <Serge.Mister=40entrust.com@dmarc.ietf.org> wrote:
    > As I mentioned on the call, I'm not fully convinced that deciding
which
    > signatures a relying party must verify is entirely a decision for the
    > relying party.  When an entity obtains a certificate from a CA,
    > signatures verifiable with the certificate are attributed to the
entity
    > named in the certificate.  The certificate holder then wouldn't want a
    > weak key bound to their identity.  If a composite key can be used in
    > "OR" mode, the key is weakened when any of the algorithms is weakened.

Yeah, but we need this OR mode to operationally be able to deploy.

Yes, it true it could be subject to a bid-down attack against the weaker
algorithm.  But, this is where the verify policy does matter.  Bid-down
attacks only work when both parties have open policies.
Until there is there is a clear attack, there isn't a weak algorithm.
But, when an attack becomes known, verifies have to change their policies.

Without the OR mechanism, we wind up with a flag day where all signers and
all verifiers have to upgrade within a renewal/CRL-signing epoch.  That's
just not practical.


--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works  -=
IPv6 IoT consulting =-



_______________________________________________
Spasm mailing list
Spasm@ietf.org
https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/spasm__;!!
FJ-Y8qCqXTj2!eYg4o3sJSa0JPjal6u8JoCpp2muoZIeEzWZeCQaNvTwTHqd82T6AICxzCjuYwLt
YmEgXZ_fMnGE9BVUKmthW_R3LWu9mQtK4jdLRO-DmyA$
Any email and files/attachments transmitted with it are confidential and are
intended solely for the use of the individual or entity to whom they are
addressed. If this message has been sent to you in error, you must not copy,
distribute or disclose of the information it contains. Please notify Entrust
immediately and delete the message from your system.

_______________________________________________
Spasm mailing list
Spasm@ietf.org
https://www.ietf.org/mailman/listinfo/spasm

v2.23.0 | Report a Bug | By Email