[lamps] Hybrid pkix isn't needed

Watson Ladd <watsonbladd@gmail.com> Sun, 29 January 2023 23:43 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/qFwkPNiSY5Q3WSMCBitf10ukcdU>

Dear all,

I don't think linking certs or special provisions for hybrid
encryption or authentication are a good idea.  A hybrid encryption
scheme should be an encryption scheme with a public and private key,
just like any other key you can put in the PKIX.

If for backwards compatibility you want to have multiple kinds of keys
just like we do with RSA and ECDSA keys in TLS, just do that! Don't
add complexities to try to link them or force people to find both keys
at once for an operation. We know that the transition model with
multiple unrelated certs works, and we have experience and fixed bugs
that resulted. Let's use that instead of having new bugs to fix.

The other thing is hybrid auth is worthless. Authentication breaks are
not retroactive: a break of an algorithm at a time in the future
doesn't threaten the security properties of authentication in the
past. That's different from encryption, where you do potentially want
to ensure a new post-quantum algorithm is no worse than a classical
one, but the case for it is fairly weak.

Sincerely,
Watson Ladd