IETF Logo Mail Archive

Re: [lamps] PQ-composite OR or K-of-N logic

Carl Wallace <carl@redhoundsoftware.com> Fri, 29 April 2022 13:54 UTC

Return-Path: <carl@redhoundsoftware.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1261AC15E406 for <spasm@ietfa.amsl.com>; Fri, 29 Apr 2022 06:54:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhoundsoftware.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kgWiFo-ohr32 for <spasm@ietfa.amsl.com>; Fri, 29 Apr 2022 06:54:33 -0700 (PDT)
Received: from mail-qk1-x72c.google.com (mail-qk1-x72c.google.com [IPv6:2607:f8b0:4864:20::72c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D568EC15E3F0 for <spasm@ietf.org>; Fri, 29 Apr 2022 06:54:33 -0700 (PDT)
Received: by mail-qk1-x72c.google.com with SMTP id e128so5944466qkd.7 for <spasm@ietf.org>; Fri, 29 Apr 2022 06:54:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhoundsoftware.com; s=google; h=user-agent:date:subject:from:to:cc:message-id:thread-topic :references:in-reply-to:mime-version:content-transfer-encoding; bh=WSWYDuLfUrinZb+c3lgkA0cKWE6acKHqNKfN1ord1lU=; b=ACP5MEi6MyVoBxxzu8qcu98tCUqj/Rq8TXSpos3CS61m0GAMzE2CvR8LsDRc9gslO5 Jymc0Vnb1Bk1072WykM68rz/LkvKseq7siNb35z7qUB9sZnMCPZOt1O5JY5QQkpDytnn pMwlcb5KFF9g493WEAzYrfIXfgRHtW9DZ7CAs=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:user-agent:date:subject:from:to:cc:message-id :thread-topic:references:in-reply-to:mime-version :content-transfer-encoding; bh=WSWYDuLfUrinZb+c3lgkA0cKWE6acKHqNKfN1ord1lU=; b=J1p8Xd2DRcVHNubQW9sjeOeQJymJxQXnzd56F9dib9O350QZU79JQlw1EVGkUWLi6c 13ajzb+f0Z28Pj5UBvnvYOxlUtxw04xIWSZ6ZT28wydU43p0LMToX+LFUyu3ZcW0OPqf oL+UzgVmi+RIsWP1kgrzO/skqozvqv/9XTXSAN4GlTa+dbx82h9dcbauLydqK/AaLe7R 52bThHcZ+AY9L0FDkBLoGxQKIouyF8mstrIPsefQIbniXlyzTEqczEkUkYXB2el4+/Rw xdcoxTfmUG+P/vtBhKEW3OhheJ0XxC03X8J4IKCOX/UTxL3UCmUFZpW6K60zokPsplOJ nc/Q==
X-Gm-Message-State: AOAM533Gq8cJlUpSNknD5P0l0ElSnp0r4M95NfSipfMaohThgZqtPQXi BUPbmVTfyZbQXEajWdCfveMFiQ==
X-Google-Smtp-Source: ABdhPJzfqYhvmXW71EHifsvJF73PgKsZNQXdvPPQYgk0B96RquT0uAEI6CLPm4h3BJGWvB9s79HxVw==
X-Received: by 2002:a05:620a:2087:b0:69f:8a92:bdf3 with SMTP id e7-20020a05620a208700b0069f8a92bdf3mr8476263qka.443.1651240472602; Fri, 29 Apr 2022 06:54:32 -0700 (PDT)
Received: from [192.168.2.16] (pool-173-66-88-168.washdc.fios.verizon.net. [173.66.88.168]) by smtp.gmail.com with ESMTPSA id ay6-20020a05620a178600b0069fb6c1566dsm995915qkb.117.2022.04.29.06.54.31 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 29 Apr 2022 06:54:31 -0700 (PDT)
User-Agent: Microsoft-MacOutlook/16.60.22041000
Date: Fri, 29 Apr 2022 09:54:31 -0400
From: Carl Wallace <carl@redhoundsoftware.com>
To: Russ Housley <housley@vigilsec.com>, "Klaußner, Jan" <Jan.Klaussner@d-trust.net>
CC: LAMPS <spasm@ietf.org>
Message-ID: <72BEC47B-F263-4B6E-8EBC-2355AAD2626D@redhoundsoftware.com>
Thread-Topic: [lamps] PQ-composite OR or K-of-N logic
References: <f2fb2b2459fe42818348838eb14cc2ac@EX13D01ANC003.ant.amazon.com> <1312273.1650733310@dooku> <ca18a6bf6cb74756ac942fb514c82d78@d-trust.net> <F24836DA-1304-4379-B91D-BBB4F012A888@vigilsec.com>
In-Reply-To: <F24836DA-1304-4379-B91D-BBB4F012A888@vigilsec.com>
Mime-version: 1.0
Content-type: text/plain; charset="UTF-8"
Content-transfer-encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/lXTTaDDeLlx8mABXf_CKh_Y97uc>
Subject: Re: [lamps] PQ-composite OR or K-of-N logic
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Apr 2022 13:54:38 -0000

Something like the related DSSC spec (https://datatracker.ietf.org/doc/html/rfc5698) could be useful in this scenario.

On 4/27/22, 9:43 AM, "Spasm on behalf of Russ Housley" <spasm-bounces@ietf.org on behalf of housley@vigilsec.com> wrote:

    Jan:

    A notary is often used when a signature needs to be verifiable for many decades. RFC 4998 specifies the Evidence Record Syntax (ERS), which can be used to apply additional signatures by a notary.

    Russ

    > On Apr 27, 2022, at 4:36 AM, Klaußner, Jan <Jan.Klaussner@d-trust.net> wrote:
    > 
    > Hi all,
    > 
    > First I completely agree with Michaels view on verification policies.
    > Especially in open PKIs that are not under control of one company there is a
    > need to signal how verification should be done.
    > 
    > On the question about use cases beside the PQ transition: We believe there
    > is a high probability that new algorithms are successfully attacked during
    > the next decades.
    > 
    > Therefore we want establish some agility in an PKI to more easily switch
    > algorithms without an immediate PKI rollover. In our case we are also
    > talking about use cases for document signing or long term encryption, where
    > digital signatures need to be valid for longer periods, sometimes up to 50
    > years.
    > 
    > So in case one algorithm is broken, the documents still remain secure/valid.
    > There would be an immediate need to reconfigure or update verifier/signing
    > software not to use this algorithm anymore, but there is some more time to
    > replace the algorithm in the PKI.
    > Once again, this is even more important in an open PKI.
    > 
    > The k-of-n mode here is providing this agility and also the increased
    > security of the AND mode, simply put.
    > 
    > I hope our point is now more clear to the group
    > 
    > Br
    > Jan
    >> -----Ursprüngliche Nachricht-----
    >> Von: Spasm <spasm-bounces@ietf.org> Im Auftrag von Michael Richardson
    >> Gesendet: Samstag, 23. April 2022 19:02
    >> An: LAMPS <spasm@ietf.org>
    >> Betreff: Re: [lamps] PQ-composite OR or K-of-N logic
    >> 
    >> 
    >> I read through the list and the slides.  I couldn't be at the meeting on
    >> Wednesday as I was travelling.
    >> 
    >> The document starts off with:
    >> "Even after the migration period, it may be advantageous for an entity's
    >>  cryptographic identity to be composed of multiple public-key
    > algorithms."
    >> 
    >> Panos and a few others have complained that the document attempts to
    >> have signers tell verifiers what to do, and this should really a verifier
    > policy.
    >> Well, that would make a lot of sense for a CMS signature on your Mortgage,
    >> or your MUA verifying my email.
    >> 
    >> But, signers REGULARLY tell verifiers what they've done and how to verify
    >> things, and that's in the context of Certificates.  We have all these
    > policy
    >> OIDs, and CSPs, and Path Constraints, and ...  These are all signals from
    > the
    >> signer to the verifier.  The verifier can, of course, have a policy that
    > says that
    >> they ignore CSPs or Path Constraints, or...
    >> 
    >> I guess that the k-of-n part was in the slides only, as it's not in the
    > document
    >> that I could see.
    >> 
    >> I go back to the text I quoted above, and thinking about k-of-n.
    >> I'm thinking that if there are more uses for the Composite-Or and
    >> Composite-AND structures than *just* PQ transition, that the ROI on
    >> implementing them may be much higher.  And thus the likelyhood that we'll
    >> discovery and fix bugs relating to the new constructs is much higher.
    >> 
    >> I think that we can agree that the last thing we want is a widespread bug
    > in
    >> validation, at the point where we find it critical to transition.
    >> 
    >> ps: I giggled when I read ~~~ BEGIN EDNOTE 10~~~
    >> 
    >> 
    >> 
    >> 
    >> 
    >> --
    >> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
    >> -= IPv6 IoT consulting =-
    >> 
    >> 
    > 
    > _______________________________________________
    > Spasm mailing list
    > Spasm@ietf.org
    > https://www.ietf.org/mailman/listinfo/spasm

    _______________________________________________
    Spasm mailing list
    Spasm@ietf.org
    https://www.ietf.org/mailman/listinfo/spasm

v2.23.0 | Report a Bug | By Email