Re: [lamps] Dilithium OIDs per security level?
David Benjamin <davidben@chromium.org> Sun, 20 November 2022 17:58 UTC
Return-Path: <davidben@google.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B00DFC14CE23 for <spasm@ietfa.amsl.com>; Sun, 20 Nov 2022 09:58:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.247
X-Spam-Level:
X-Spam-Status: No, score=-14.247 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EqmS_JwMSNEp for <spasm@ietfa.amsl.com>; Sun, 20 Nov 2022 09:58:41 -0800 (PST)
Received: from mail-yb1-xb2b.google.com (mail-yb1-xb2b.google.com [IPv6:2607:f8b0:4864:20::b2b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 95EA9C14CE20 for <spasm@ietf.org>; Sun, 20 Nov 2022 09:58:41 -0800 (PST)
Received: by mail-yb1-xb2b.google.com with SMTP id i131so11226111ybc.9 for <spasm@ietf.org>; Sun, 20 Nov 2022 09:58:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=3wnWKTJ1IJo/1kIyZBEQWhaEOQDx0TaHG+F2xXkYTxs=; b=iWnA0YDouWRYFLHA3NhP7RWsx4fc3KnHEiHpVJdrEiaPJGDe78vJ+9bnpynFcJRu0c NHWfZQ0IVe667FJMxhUJ7yaxF1IJKxMuVBD4ISFniFl0UrDGuhOaxu9L9itcz1aRFW0c halbxpJYsPbL/5k92QxtKiMaPCl/N29LB278s=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=3wnWKTJ1IJo/1kIyZBEQWhaEOQDx0TaHG+F2xXkYTxs=; b=Z9XI4piquio54XdrTketmLdMcP5U7HR1E/k3FPLGfxhvlm2F52a8WnoFEvOCa781h1 BHaMaJdm+kuYYe4ZgiQzakZoFxRa3lwZnW1lUQEONh3GO3FJpOygIbgrIDJSWGiaHRXK TslxprrzN92AAsiNwck93+gmmcOsQrhFaYS23NYuozW4w2tvaGwgGOUhBEjonGvpzmEJ VTb2OFjk7S6hhH7/GEMNrpUvdL5I+jvcI8FhUPnTT/SsqmpV0tgptNp7EDjh7cP3OmZA O6uFN2SsLRD5qgNIwt2+XOr69g1ql7YciS3SZ6sSqoufqOpxumhjCoCd6xAszgjW6ijL naiw==
X-Gm-Message-State: ANoB5pkc8JeQhZ8Bby5g3RjONspmAG9xFUQ5W8/rrN/+YYEuixEgSZxz 8bryQ5DdP5WUd5r5RkhYjMq3QaLAucmvL/Vem61Y
X-Google-Smtp-Source: AA0mqf4Kr8BHp0LZxJNYSa6HkJuvMVxUrAL1FLlppdWbiv457IO4mwnH8RKttAzwG8m+guiHkcZZrXEwFxGsShv4Ljc=
X-Received: by 2002:a25:d284:0:b0:6dd:f51d:b6c with SMTP id j126-20020a25d284000000b006ddf51d0b6cmr5482725ybg.279.1668967120478; Sun, 20 Nov 2022 09:58:40 -0800 (PST)
MIME-Version: 1.0
References: <CH0PR11MB5739EE2A5A75D8BCE1EC2F209F089@CH0PR11MB5739.namprd11.prod.outlook.com> <CAF8qwaAkOWayE4w0g1CRN15ezveZ8Fkb+-9eYYaq=Se+Aw8dWg@mail.gmail.com> <A63143AF-73FF-4178-A131-289CC20DB7AD@redhoundsoftware.com>
In-Reply-To: <A63143AF-73FF-4178-A131-289CC20DB7AD@redhoundsoftware.com>
From: David Benjamin <davidben@chromium.org>
Date: Sun, 20 Nov 2022 12:58:23 -0500
Message-ID: <CAF8qwaAxcCWEWkAViRK_-mzLy57c5o_QLY39udQpdLLZtj4Heg@mail.gmail.com>
To: Carl Wallace <carl@redhoundsoftware.com>
Cc: Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>, LAMPS <spasm@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005c1a3305edeab009"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/kKzBvaITL0pZo8PVV24r19OLS2M>
Subject: Re: [lamps] Dilithium OIDs per security level?
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 20 Nov 2022 17:58:45 -0000
On Sun, Nov 20, 2022 at 12:39 PM Carl Wallace <carl@redhoundsoftware.com> wrote: > Inline… > > > > *From: *Spasm <spasm-bounces@ietf.org> on behalf of David Benjamin < > davidben@chromium.org> > *Date: *Sunday, November 20, 2022 at 12:21 PM > *To: *Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org> > *Cc: *LAMPS <spasm@ietf.org> > *Subject: *Re: [lamps] Dilithium OIDs per security level? > > > > Not one of the draft authors, but they need to be distinct OIDs. The > two-level construction with id-ecPublicKey was a mistake, as was RSA > defining one OID to cover a whole family of related algorithms. > Dilithium2, Dilithium3, and Dilithium5 should be thought of as entirely > distinct algorithms. We have plenty of implementation experience with the > compounding costs of getting this wrong. Some additional points that should > be resolved: > > > > 1. Please drop the unnecessary OCTET STRING wrapper inside the BIT STRING. > There is no requirement that the BIT STRING carry an ASN.1 type, indeed > none of the EC types (id-ecPublicKey or the new curves) do this and > instead, correctly, just place the byte representation directly in the BIT > STRING. > > > > [CW] This was discussed during LAMPS. The OCTET STRING definition is > negated by text shortly below it (the tag and length of the OCTET STRING > are not actually encoded into the BIT STRING). I’d like to see the > definition dropped in favor of prose that describes encoding the key > directly into the BIT STRING. During the hackathon at IETF 115, we > initially saw varied handling of the OCTET STRING in both in > SubjectPublicKeyInfo (including inclusion of the spurious tag in my > implementation) and OneAsymmetricKey. The EC spec appears to have > established the practice of defining a structure then negating it by > mapping the value onto a BIT STRING (see 2.2 of RFC5480). I see no reason > to continue that here. > Oh, whoops! I was looking at draft-massimo-lamps-pq-sig-certificates-00 instead of draft-ietf-lamps-dilithium-certificates-00. Thanks! That is indeed kinda oddly phrased but would have the desired effect. > 2. There should not be an OPTIONAL copy of the public key > in DilithiumPrivateKey. Either it's part of the structure, or it isn't, > with no optionality. We've already learned this lesson with ECPrivateKey; > the various optional fields have had a compounding negative effect up the > stack. This is also the wrong layer to define this... whatever > specification we have for Dilithium, be it NIST's actual document or a > fixup document in CFRG, should come with a byte string representation that > we just drop into PKCS#8 unmodified and unadorned. > > > > I still need to fully evaluate this draft for whether it would be an > acceptable starting point for the TLS and X.509 implementations that I'm > involved with, but getting any of these wrong would be considered > disqualifying in my eyes. > > > > On Sat, Nov 19, 2022 at 6:27 PM Mike Ounsworth <Mike.Ounsworth= > 40entrust.com@dmarc.ietf.org> wrote: > > Hi Jake, Panos, Sean, Bas, > > > > I could use some clarification on which OIDs you’re planning to register > cause I’m trying to cross-reference them when defining all the composite > pairs. > > > > The current version of draft-ietf-lamps-dilithium-certificates-00 has > > > > id-dilithiumTBD which you seem to be using for the signature algorithm. > > > > > > id-dilithiumTBD OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) > > country(16) us(840) organization(1) gov(101) csor(3) > > nistAlgorithm(4) sigAlgs(3) TBD } > > > > > > And also pk-dilithiumTBD which you seem to be using for the public key. > > > > PublicKeys PUBLIC-KEY ::= { > > -- This expands PublicKeys from RFC 5912 > > pk-dilithiumTBD | > > pk-TBD-TBD, > > ... > > } > > > > > > Next question: are you going to register those per level; ie > id-dilithium2, id-dilithium3, id-dilithium5? > > > > --- > Mike Ounsworth > Software Security Architect, Entrust > > > > *Any email and files/attachments transmitted with it are confidential and > are intended solely for the use of the individual or entity to whom they > are addressed. If this message has been sent to you in error, you must not > copy, distribute or disclose of the information it contains. Please notify > Entrust immediately and delete the message from your system.* > > _______________________________________________ > Spasm mailing list > Spasm@ietf.org > https://www.ietf.org/mailman/listinfo/spasm > > _______________________________________________ Spasm mailing list > Spasm@ietf.org https://www.ietf.org/mailman/listinfo/spasm >
- [lamps] Dilithium OIDs per security level? Mike Ounsworth
- Re: [lamps] Dilithium OIDs per security level? David Benjamin
- Re: [lamps] Dilithium OIDs per security level? Carl Wallace
- Re: [lamps] Dilithium OIDs per security level? David Benjamin
- Re: [lamps] Dilithium OIDs per security level? Kampanakis, Panos
- Re: [lamps] [EXTERNAL] Re: Dilithium OIDs per sec… Mike Ounsworth
- Re: [lamps] [EXTERNAL] Re: Dilithium OIDs per sec… tjtncks
- Re: [lamps] [EXTERNAL] Re: Dilithium OIDs per sec… Blumenthal, Uri - 0553 - MITLL
- Re: [lamps] [EXTERNAL] Re: Dilithium OIDs per sec… Phillip Hallam-Baker
- Re: [lamps] [EXTERNAL] Re: Dilithium OIDs per sec… Mike Ounsworth
- Re: [lamps] [EXTERNAL] Re: Dilithium OIDs per sec… Markku-Juhani O. Saarinen
- Re: [lamps] [EXTERNAL] Re: Dilithium OIDs per sec… Mike Ounsworth
- Re: [lamps] [EXTERNAL] Re: Dilithium OIDs per sec… Russ Housley
- Re: [lamps] [EXTERNAL] Re: Dilithium OIDs per sec… Markku-Juhani O. Saarinen
- Re: [lamps] Dilithium OIDs per security level? Kampanakis, Panos
- Re: [lamps] Dilithium OIDs per security level? Markku-Juhani O. Saarinen
- Re: [lamps] Dilithium OIDs per security level? Michael Richardson
- Re: [lamps] Dilithium OIDs per security level? Aron Wussler
- Re: [lamps] Dilithium OIDs per security level? Markku-Juhani O. Saarinen
- Re: [lamps] Dilithium OIDs per security level? Bas Westerbaan
- Re: [lamps] Dilithium OIDs per security level? Thom Wiggers
- Re: [lamps] Dilithium OIDs per security level? Blumenthal, Uri - 0553 - MITLL
- Re: [lamps] Dilithium OIDs per security level? Markku-Juhani O. Saarinen
- Re: [lamps] Dilithium OIDs per security level? Bas Westerbaan
- Re: [lamps] Dilithium OIDs per security level? Bas Westerbaan
- Re: [lamps] Dilithium OIDs per security level? Salz, Rich
- Re: [lamps] Dilithium OIDs per security level? Kris Kwiatkowski
- Re: [lamps] Dilithium OIDs per security level? Russ Housley
- Re: [lamps] Dilithium OIDs per security level? Blumenthal, Uri - 0553 - MITLL
- Re: [lamps] Dilithium OIDs per security level? Mike Ounsworth
- Re: [lamps] Dilithium OIDs per security level? Phillip Hallam-Baker
- Re: [lamps] Dilithium OIDs per security level? Phillip Hallam-Baker
- Re: [lamps] Dilithium OIDs per security level? Thom Wiggers
- Re: [lamps] Dilithium OIDs per security level? Hubert Kario