Re: [lamps] [EXTERNAL] Re: PQ-composite OR or K-of-N logic
Santosh Chokhani <santosh.chokhani@gmail.com> Wed, 27 April 2022 14:43 UTC
Return-Path: <santosh.chokhani@gmail.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F23B4C14F746 for <spasm@ietfa.amsl.com>; Wed, 27 Apr 2022 07:43:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ady9TFWqtxey for <spasm@ietfa.amsl.com>; Wed, 27 Apr 2022 07:43:51 -0700 (PDT)
Received: from mail-qt1-x832.google.com (mail-qt1-x832.google.com [IPv6:2607:f8b0:4864:20::832]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5FAD6C23BE8C for <spasm@ietf.org>; Wed, 27 Apr 2022 07:43:21 -0700 (PDT)
Received: by mail-qt1-x832.google.com with SMTP id t11so1247839qto.11 for <spasm@ietf.org>; Wed, 27 Apr 2022 07:43:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=from:to:references:in-reply-to:subject:date:message-id:mime-version :content-transfer-encoding:thread-index:content-language; bh=cmFogTiA6a4+f65nL1CdJRvsqq7G3GPJBKxDW39HZT8=; b=A5i9oR1kD4f+iZPhcS14xOYHipXz9U5EquLj/F4zq8fhaBNy6czBveoA9LQpfCTbjU nu536rbXDlVpel5LmYHZlKtGHpMNrSZpVj/oLDlbSC1Bc/QBqlZSPmIlb1cdKWYjYCkV +vqfphX44D9OushlCfpAPQx51EkXHO8iUEhUlAVVu4KXayBBhUH6AIjemxVqynEZ1GGD p2+GeefSA46xdZF5n2nK8nFtVVODfLWuwpLRvmFNCx5n9XvxXzTHrhikrlQssy8skJE1 8LCmeHe9SgEkKg/DMzZ7axZeWN+sldKWBffvfGiwkC9EDuJOuB2LS5krUAo7OW6rduxR bFlA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:references:in-reply-to:subject:date :message-id:mime-version:content-transfer-encoding:thread-index :content-language; bh=cmFogTiA6a4+f65nL1CdJRvsqq7G3GPJBKxDW39HZT8=; b=h0h+NeJ4MJA445WuEcWgJZk1xlbpg3sgOxPfbjywOMFUwzJlyfKwJMeGVRFD9RYZHB CKNq10qtyrZCTdADpyVi7IwisGE469II3wyroVvxMYrBmLH17m+It3Ct7OELypRua1nT Q4tKbf3NlUklH6QjmhH4EMthfOu0w4QC3RMZgxc6IidlL8C4eiGvo6HWprGUtplcJjDL 4dWEiRKSzoeINvfEhqepFQpMnFy5jGV6RUmUcCZAynw4cyi1RKjUK1Ei+zjoMzbe3p4d Ig7FMAujs5OpUadkOgQOce4BcoKmVDhUKSQAb1TQQJssgrA622jKE/cbHyXj9TkJprzK 4wcQ==
X-Gm-Message-State: AOAM531LTCmPVlZuTG8eYQetygvI2+5ETZcW4uVhbZmVTbSbGINIsTKX iPC2EhjnhozLy3mxb96sulbYy8F7jn/yZw==
X-Google-Smtp-Source: ABdhPJx1wsmFKg/VpmjYA3npNNYe7u7tvaJkoVBR5vfe4yEMGhLWzZvycbdLueCF4K5w7hJrZOLx2g==
X-Received: by 2002:ac8:5753:0:b0:2e1:ed23:1991 with SMTP id 19-20020ac85753000000b002e1ed231991mr19401336qtx.615.1651070599805; Wed, 27 Apr 2022 07:43:19 -0700 (PDT)
Received: from SantoshBrain (pool-96-255-230-78.washdc.fios.verizon.net. [96.255.230.78]) by smtp.gmail.com with ESMTPSA id x9-20020a05622a000900b002f37b3537eesm3000612qtw.1.2022.04.27.07.43.18 for <spasm@ietf.org> (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 27 Apr 2022 07:43:18 -0700 (PDT)
From: Santosh Chokhani <santosh.chokhani@gmail.com>
To: 'LAMPS' <spasm@ietf.org>
References: <f2fb2b2459fe42818348838eb14cc2ac@EX13D01ANC003.ant.amazon.com> <29E39FB1-D8E5-40E9-AFC0-5A8EBBB705DF@vigilsec.com> <DM6PR11MB38025338B4FA3AED0AA99E3196F79@DM6PR11MB3802.namprd11.prod.outlook.com> <1312783.1650733573@dooku> <423419504256427b83c889f9b5c607b7@EX13D01ANC003.ant.amazon.com> <CH0PR11MB5739266C7EE710B6FB0B8AE99FFA9@CH0PR11MB5739.namprd11.prod.outlook.com>
In-Reply-To: <CH0PR11MB5739266C7EE710B6FB0B8AE99FFA9@CH0PR11MB5739.namprd11.prod.outlook.com>
Date: Wed, 27 Apr 2022 10:43:16 -0400
Message-ID: <1c6f01d85a45$21b84f80$6528ee80$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQMuRBb3498nUlRS8F9HsF3VDOunhAHb7ODiAduo4v0Bi83VIwG/ynJDAgIDspGqD9T7wA==
Content-Language: en-us
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/jG0agZedwd0hnPo-HZHq9e89gMI>
Subject: Re: [lamps] [EXTERNAL] Re: PQ-composite OR or K-of-N logic
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Apr 2022 14:43:55 -0000
In both of those cases (S/MIME Encryption certificate and firmware signature verification), there is a relying party to verify signatures on certificates and payload and its policy can dictate the verification logic. AND, OR or k of n, all should be part of relying party decision. -----Original Message----- From: Spasm [mailto:spasm-bounces@ietf.org] On Behalf Of Mike Ounsworth Sent: Wednesday, April 27, 2022 9:50 AM To: Kampanakis, Panos <kpanos=40amazon.com@dmarc.ietf.org>; Michael Richardson <mcr+ietf@sandelman.ca>; LAMPS <spasm@ietf.org> Subject: Re: [lamps] [EXTERNAL] Re: PQ-composite OR or K-of-N logic Panos, > The only way to avoid a flag day is to negotiate Careful with this thinking; there are things in the world besides than TLS and IKE; How does one negotiate with an S/MIME encryption cert that you find in a directory, or a signed firmware binary that you're trying to verify in a bootloader? --- Mike Ounsworth -----Original Message----- From: Spasm <spasm-bounces@ietf.org> On Behalf Of Kampanakis, Panos Sent: April 23, 2022 8:48 PM To: Michael Richardson <mcr+ietf@sandelman.ca>; LAMPS <spasm@ietf.org> Subject: [EXTERNAL] Re: [lamps] PQ-composite OR or K-of-N logic WARNING: This email originated outside of Entrust. DO NOT CLICK links or attachments unless you trust the sender and know the content is safe. ______________________________________________________________________ Hi Michael, Both OR or AND are not backwards compatible. The new OID (regardless of OR or AND logic) will not be understood by verifiers that have not been upgraded. Not to mention that verifiers that don't understand composite will not want to see the extra data which could slow down their communications. The only way to avoid a flag day is to negotiate; if the verifier understands the composite signature give it to it, otherwise just give the classical. -----Original Message----- From: Spasm <spasm-bounces@ietf.org> On Behalf Of Michael Richardson Sent: Saturday, April 23, 2022 1:06 PM To: LAMPS <spasm@ietf.org> Subject: RE: [EXTERNAL][lamps] [EXTERNAL] Re: PQ-composite OR or K-of-N logic CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe. Serge Mister <Serge.Mister=40entrust.com@dmarc.ietf.org> wrote: > As I mentioned on the call, I'm not fully convinced that deciding which > signatures a relying party must verify is entirely a decision for the > relying party. When an entity obtains a certificate from a CA, > signatures verifiable with the certificate are attributed to the entity > named in the certificate. The certificate holder then wouldn't want a > weak key bound to their identity. If a composite key can be used in > "OR" mode, the key is weakened when any of the algorithms is weakened. Yeah, but we need this OR mode to operationally be able to deploy. Yes, it true it could be subject to a bid-down attack against the weaker algorithm. But, this is where the verify policy does matter. Bid-down attacks only work when both parties have open policies. Until there is there is a clear attack, there isn't a weak algorithm. But, when an attack becomes known, verifies have to change their policies. Without the OR mechanism, we wind up with a flag day where all signers and all verifiers have to upgrade within a renewal/CRL-signing epoch. That's just not practical. -- Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =- _______________________________________________ Spasm mailing list Spasm@ietf.org https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/spasm__;!! FJ-Y8qCqXTj2!eYg4o3sJSa0JPjal6u8JoCpp2muoZIeEzWZeCQaNvTwTHqd82T6AICxzCjuYwLt YmEgXZ_fMnGE9BVUKmthW_R3LWu9mQtK4jdLRO-DmyA$ Any email and files/attachments transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system. _______________________________________________ Spasm mailing list Spasm@ietf.org https://www.ietf.org/mailman/listinfo/spasm
- [lamps] PQ-composite OR or K-of-N logic Kampanakis, Panos
- Re: [lamps] PQ-composite OR or K-of-N logic Russ Housley
- Re: [lamps] [EXTERNAL] Re: PQ-composite OR or K-o… Russ Housley
- Re: [lamps] [EXTERNAL] Re: PQ-composite OR or K-o… Serge Mister
- Re: [lamps] PQ-composite OR or K-of-N logic Kampanakis, Panos
- Re: [lamps] PQ-composite OR or K-of-N logic Serge Mister
- Re: [lamps] PQ-composite OR or K-of-N logic Michael Richardson
- Re: [lamps] [EXTERNAL] Re: PQ-composite OR or K-o… Michael Richardson
- Re: [lamps] PQ-composite OR or K-of-N logic Kampanakis, Panos
- Re: [lamps] PQ-composite OR or K-of-N logic Kampanakis, Panos
- Re: [lamps] [EXTERNAL] Re: PQ-composite OR or K-o… Klaußner, Jan
- Re: [lamps] PQ-composite OR or K-of-N logic Klaußner, Jan
- Re: [lamps] PQ-composite OR or K-of-N logic Russ Housley
- Re: [lamps] [EXTERNAL] Re: PQ-composite OR or K-o… Mike Ounsworth
- Re: [lamps] [EXTERNAL] Re: PQ-composite OR or K-o… Blumenthal, Uri - 0553 - MITLL
- Re: [lamps] [EXTERNAL] Re: PQ-composite OR or K-o… Santosh Chokhani
- Re: [lamps] PQ-composite OR or K-of-N logic Kampanakis, Panos
- Re: [lamps] PQ-composite OR or K-of-N logic Kampanakis, Panos
- Re: [lamps] PQ-composite OR or K-of-N logic Carl Wallace
- Re: [lamps] PQ-composite OR or K-of-N logic Michael Richardson
- Re: [lamps] PQ-composite OR or K-of-N logic Michael Richardson
- Re: [lamps] [EXTERNAL] Re: PQ-composite OR or K-o… Mike Ounsworth
- Re: [lamps] [EXTERNAL] Re: PQ-composite OR or K-o… Santosh Chokhani
- Re: [lamps] PQ-composite OR or K-of-N logic Klaußner, Jan
- Re: [lamps] PQ-composite OR or K-of-N logic Michael Jenkins
- Re: [lamps] PQ-composite OR or K-of-N logic Klaußner, Jan
- Re: [lamps] PQ-composite OR or K-of-N logic Tadahiko Ito
- Re: [lamps] PQ-composite OR or K-of-N logic Kampanakis, Panos
- Re: [lamps] PQ-composite OR or K-of-N logic Russ Housley