IETF Logo Mail Archive

Re: [lamps] Dilithium OIDs per security level?

David Benjamin <davidben@chromium.org> Sun, 20 November 2022 17:58 UTC

Return-Path: <davidben@google.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B00DFC14CE23 for <spasm@ietfa.amsl.com>; Sun, 20 Nov 2022 09:58:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.247
X-Spam-Level:
X-Spam-Status: No, score=-14.247 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EqmS_JwMSNEp for <spasm@ietfa.amsl.com>; Sun, 20 Nov 2022 09:58:41 -0800 (PST)
Received: from mail-yb1-xb2b.google.com (mail-yb1-xb2b.google.com [IPv6:2607:f8b0:4864:20::b2b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 95EA9C14CE20 for <spasm@ietf.org>; Sun, 20 Nov 2022 09:58:41 -0800 (PST)
Received: by mail-yb1-xb2b.google.com with SMTP id i131so11226111ybc.9 for <spasm@ietf.org>; Sun, 20 Nov 2022 09:58:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=3wnWKTJ1IJo/1kIyZBEQWhaEOQDx0TaHG+F2xXkYTxs=; b=iWnA0YDouWRYFLHA3NhP7RWsx4fc3KnHEiHpVJdrEiaPJGDe78vJ+9bnpynFcJRu0c NHWfZQ0IVe667FJMxhUJ7yaxF1IJKxMuVBD4ISFniFl0UrDGuhOaxu9L9itcz1aRFW0c halbxpJYsPbL/5k92QxtKiMaPCl/N29LB278s=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=3wnWKTJ1IJo/1kIyZBEQWhaEOQDx0TaHG+F2xXkYTxs=; b=Z9XI4piquio54XdrTketmLdMcP5U7HR1E/k3FPLGfxhvlm2F52a8WnoFEvOCa781h1 BHaMaJdm+kuYYe4ZgiQzakZoFxRa3lwZnW1lUQEONh3GO3FJpOygIbgrIDJSWGiaHRXK TslxprrzN92AAsiNwck93+gmmcOsQrhFaYS23NYuozW4w2tvaGwgGOUhBEjonGvpzmEJ VTb2OFjk7S6hhH7/GEMNrpUvdL5I+jvcI8FhUPnTT/SsqmpV0tgptNp7EDjh7cP3OmZA O6uFN2SsLRD5qgNIwt2+XOr69g1ql7YciS3SZ6sSqoufqOpxumhjCoCd6xAszgjW6ijL naiw==
X-Gm-Message-State: ANoB5pkc8JeQhZ8Bby5g3RjONspmAG9xFUQ5W8/rrN/+YYEuixEgSZxz 8bryQ5DdP5WUd5r5RkhYjMq3QaLAucmvL/Vem61Y
X-Google-Smtp-Source: AA0mqf4Kr8BHp0LZxJNYSa6HkJuvMVxUrAL1FLlppdWbiv457IO4mwnH8RKttAzwG8m+guiHkcZZrXEwFxGsShv4Ljc=
X-Received: by 2002:a25:d284:0:b0:6dd:f51d:b6c with SMTP id j126-20020a25d284000000b006ddf51d0b6cmr5482725ybg.279.1668967120478; Sun, 20 Nov 2022 09:58:40 -0800 (PST)
MIME-Version: 1.0
References: <CH0PR11MB5739EE2A5A75D8BCE1EC2F209F089@CH0PR11MB5739.namprd11.prod.outlook.com> <CAF8qwaAkOWayE4w0g1CRN15ezveZ8Fkb+-9eYYaq=Se+Aw8dWg@mail.gmail.com> <A63143AF-73FF-4178-A131-289CC20DB7AD@redhoundsoftware.com>
In-Reply-To: <A63143AF-73FF-4178-A131-289CC20DB7AD@redhoundsoftware.com>
From: David Benjamin <davidben@chromium.org>
Date: Sun, 20 Nov 2022 12:58:23 -0500
Message-ID: <CAF8qwaAxcCWEWkAViRK_-mzLy57c5o_QLY39udQpdLLZtj4Heg@mail.gmail.com>
To: Carl Wallace <carl@redhoundsoftware.com>
Cc: Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>, LAMPS <spasm@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005c1a3305edeab009"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/kKzBvaITL0pZo8PVV24r19OLS2M>
Subject: Re: [lamps] Dilithium OIDs per security level?
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 20 Nov 2022 17:58:45 -0000

On Sun, Nov 20, 2022 at 12:39 PM Carl Wallace <carl@redhoundsoftware.com>
wrote:

> Inline…
>
>
>
> *From: *Spasm <spasm-bounces@ietf.org> on behalf of David Benjamin <
> davidben@chromium.org>
> *Date: *Sunday, November 20, 2022 at 12:21 PM
> *To: *Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>
> *Cc: *LAMPS <spasm@ietf.org>
> *Subject: *Re: [lamps] Dilithium OIDs per security level?
>
>
>
> Not one of the draft authors, but they need to be distinct OIDs. The
> two-level construction with id-ecPublicKey was a mistake, as was RSA
> defining one OID to cover a whole family of related algorithms.
> Dilithium2, Dilithium3, and Dilithium5 should be thought of as entirely
> distinct algorithms. We have plenty of implementation experience with the
> compounding costs of getting this wrong. Some additional points that should
> be resolved:
>
>
>
> 1. Please drop the unnecessary OCTET STRING wrapper inside the BIT STRING.
> There is no requirement that the BIT STRING carry an ASN.1 type, indeed
> none of the EC types (id-ecPublicKey or the new curves) do this and
> instead, correctly, just place the byte representation directly in the BIT
> STRING.
>
>
>
> [CW] This was discussed during LAMPS. The OCTET STRING definition is
> negated by text shortly below it (the tag and length of the OCTET STRING
> are not actually encoded into the BIT STRING). I’d like to see the
> definition dropped in favor of prose that describes encoding the key
> directly into the BIT STRING. During the hackathon at IETF 115, we
> initially saw varied handling of the OCTET STRING in both in
> SubjectPublicKeyInfo (including inclusion of the spurious tag in my
> implementation) and OneAsymmetricKey. The EC spec appears to have
> established the practice of defining a structure then negating it by
> mapping the value onto a BIT STRING (see 2.2 of RFC5480). I see no reason
> to continue that here.
>

Oh, whoops! I was looking at draft-massimo-lamps-pq-sig-certificates-00
instead of draft-ietf-lamps-dilithium-certificates-00. Thanks! That is
indeed kinda oddly phrased but would have the desired effect.


> 2. There should not be an OPTIONAL copy of the public key
> in DilithiumPrivateKey. Either it's part of the structure, or it isn't,
> with no optionality. We've already learned this lesson with ECPrivateKey;
> the various optional fields have had a compounding negative effect up the
> stack. This is also the wrong layer to define this... whatever
> specification we have for Dilithium, be it NIST's actual document or a
> fixup document in CFRG, should come with a byte string representation that
> we just drop into PKCS#8 unmodified and unadorned.
>
>
>
> I still need to fully evaluate this draft for whether it would be an
> acceptable starting point for the TLS and X.509 implementations that I'm
> involved with, but getting any of these wrong would be considered
> disqualifying in my eyes.
>
>
>
> On Sat, Nov 19, 2022 at 6:27 PM Mike Ounsworth <Mike.Ounsworth=
> 40entrust.com@dmarc.ietf.org> wrote:
>
> Hi Jake, Panos, Sean, Bas,
>
>
>
> I could use some clarification on which OIDs you’re planning to register
> cause I’m trying to cross-reference them when defining all the composite
> pairs.
>
>
>
> The current version of draft-ietf-lamps-dilithium-certificates-00 has
>
>
>
> id-dilithiumTBD which you seem to be using for the signature algorithm.
>
>
>
>
>
>    id-dilithiumTBD OBJECT IDENTIFIER ::= { joint-iso-itu-t(2)
>
>             country(16) us(840) organization(1) gov(101) csor(3)
>
>             nistAlgorithm(4) sigAlgs(3) TBD }
>
>
>
>
>
> And also pk-dilithiumTBD which you seem to be using for the public key.
>
>
>
>   PublicKeys PUBLIC-KEY ::= {
>
>     -- This expands PublicKeys from RFC 5912
>
>     pk-dilithiumTBD |
>
>     pk-TBD-TBD,
>
>     ...
>
>   }
>
>
>
>
>
> Next question: are you going to register those per level; ie
> id-dilithium2, id-dilithium3, id-dilithium5?
>
>
>
> ---
> Mike Ounsworth
> Software Security Architect, Entrust
>
>
>
> *Any email and files/attachments transmitted with it are confidential and
> are intended solely for the use of the individual or entity to whom they
> are addressed. If this message has been sent to you in error, you must not
> copy, distribute or disclose of the information it contains. Please notify
> Entrust immediately and delete the message from your system.*
>
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm
>
> _______________________________________________ Spasm mailing list
> Spasm@ietf.org https://www.ietf.org/mailman/listinfo/spasm
>

v2.23.0 | Report a Bug | By Email