Re: [lamps] Proposed addition of hash-based signature algorithms for certificates to the LAMPS charter

"Dr. Pala" <director@openca.org> Sat, 10 November 2018 10:35 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/mq1Mh8H_kGWOQDX9upG-6QmchSk>

Hi Adam,

Long time no see... are you still on this mailing list? Are you 
planning to contribute to the working group? Anyhow, to the technical 
matter...

I do not understand your position here. The draft is just about defining 
the OIDs, the RFC for the Hash-based signatures is defined elsewhere and 
I think is progressing in its definition and use (e.g., 
draft-mcgrew-hash-sigs-13, ietf-lamps-cms-hash-sig, etc.), therefore I 
do not think that these objections are relevant for the document at hand.

Can you please provide more *targeted notes about this particular 
document*?

Cheers,
Max

P.S.: The points you are raising about stateful schemes are mostly 
true - they are more difficult to handle and we will need to modify 
interfaces and APIs (e.g. PKCS#11) to add the possibility to 
transfer/update the private key status, however this is something we 
shall prepare to do since many QR algorithms tend to be stateful, IMHO. 
In this sense, stateful schemes are (most probably) going to be relevant 
in many environments. Maybe not in browsers, but, as I always try to 
remind people, browsers != Internet and TLS != PKI (therefore, it might 
not be relevant to you, but they might be relevant in many other 
environments - e.g., Cable Industry, Wireless, etc.). Just my 2 cents...


On 11/8/18 3:42 PM, Adam Langley wrote:
> On Tue, Nov 6, 2018 at 7:51 PM Russ Housley <housley@vigilsec.com> wrote:
>
>     The SECDISPATCH WG met on Tuesday afternoon, and they made this
>     recommendation:
>
>     > draft-vangeest-x509-hash-sigs-01 -- re-charter LAMPS WG to accept this draft
>
>     Three questions:
>
>     1) Do you support the addition of this work to the LAMPS charter?
>
>
> No:
>
> The signature schemes in the draft are stateful and sudden-death: the 
> penalty for mishandling the state is huge. This contrasts with every 
> signature scheme ever (I believe) deployed and thus with every current 
> process. For example, reconstituting an HSM from smartcards would be a 
> fatal error with such a scheme.
>
> These schemes hedge against a valid risk, but at the cost of 
> introducing a much larger one.
>
> The contexts in which stateful & sudden-death signatures are plausible 
> are so specific and controlled that standardisation in X.509 would be 
> immaterial to them—they are not multi-lateral enough that whether 
> something has an RFC or not matters. On the other hand, standardisation 
> implicitly hints that the thing being standardised is somewhat 
> reasonable. So, on balance, I don't think the integration of stateful 
> schemes into formats and protocols is a suitable subject for the IETF.
>
> AGL
> -- 
> Adam Langley agl@imperialviolet.org
> https://www.imperialviolet.org
-- 
Best Regards,
Massimiliano Pala, Ph.D.
OpenCA Labs Director
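
The state-handling problem both messages refer to (a signer rebuilt from an old backup reusing a one-time key index), as an added example that is not part of the original thread or of any draft it cites. It models index bookkeeping only, with no real signature computed; `KeyState`, `Signer`, the `high_water` counter and the key id are hypothetical names, and the sample messages are constructed.

```python
import hashlib
from dataclasses import dataclass, replace

class StateRollbackError(Exception):
    """Private-key state is older than the last index known to be used."""

@dataclass
class KeyState:
    key_id: str
    capacity: int        # number of one-time keys available (tree leaves)
    next_index: int = 0  # the mutable part that must never move backwards

class Signer:
    """Models index handling only; no real signature is computed."""
    def __init__(self, state, high_water=None):
        self.state = state
        # Assumption: a one-element list stands in for a monotonic counter
        # that is NOT part of any backup (e.g. kept inside the HSM).
        self.high_water = high_water

    def sign(self, message: bytes):
        q = self.state.next_index
        if q >= self.state.capacity:
            raise RuntimeError("one-time keys exhausted")
        if self.high_water is not None:
            if q < self.high_water[0]:
                raise StateRollbackError(f"index {q} already used")
            self.high_water[0] = q + 1   # commit before releasing a signature
        self.state.next_index = q + 1
        return (self.state.key_id, q, hashlib.sha256(message).hexdigest())

def find_index_reuse(log):
    """Return (key_id, index) pairs that appear with two different digests."""
    seen, reused = {}, []
    for key_id, q, digest in log:
        if seen.setdefault((key_id, q), digest) != digest:
            reused.append((key_id, q))
    return reused

def restore_scenario(guarded: bool):
    """Back up at index 0, sign twice, restore the backup, sign again."""
    counter = [0] if guarded else None
    state = KeyState("constructed-key-1", capacity=8)
    backup = replace(state)                      # snapshot taken at key ceremony
    signer = Signer(state, counter)
    log = [signer.sign(b"cert A"), signer.sign(b"cert B")]
    restored = Signer(replace(backup), counter)  # rebuilt from the old snapshot
    log.append(restored.sign(b"cert C"))         # unguarded: reuses index 0
    return find_index_reuse(log)
```

`restore_scenario(False)` reports the reused index after the fact from the signature log, while `restore_scenario(True)` refuses to sign because the counter kept outside the backup is ahead of the restored state.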