Re: [lamps] New Version Notification for draft-massimo-lamps-pq-sig-certificates-00.txt
"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Mon, 11 July 2022 00:34 UTC
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: John Gray <John.Gray=40entrust.com@dmarc.ietf.org>
CC: "Massimo, Jake" <jakemas=40amazon.com@dmarc.ietf.org>, "spasm@ietf.org" <spasm@ietf.org>
Thread-Topic: [lamps] New Version Notification for draft-massimo-lamps-pq-sig-certificates-00.txt
Date: Mon, 11 Jul 2022 00:32:53 +0000
Message-ID: <00AF3B52-729F-4E14-B69D-83E4D4B35863@ll.mit.edu>
References: <DM6PR11MB2585CB30B5A19BDB39400B95EA879@DM6PR11MB2585.namprd11.prod.outlook.com>
In-Reply-To: <DM6PR11MB2585CB30B5A19BDB39400B95EA879@DM6PR11MB2585.namprd11.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/qethf3PEzqFwI-ZIlA717xwP7fY>
I am strongly against wrapping keys into BIT STRING. This is a relic from the past, originally caused by insufficient experience, and a relic that proved itself useless. Stick with OCTET STRING.

Regards,
Uri

> On Jul 10, 2022, at 20:19, John Gray <John.Gray=40entrust.com@dmarc.ietf.org> wrote:
>
> Thank you for posting this draft. It looks very well formed, almost as if you were just waiting for an announcement to be made... 😊
>
> I am glad to see there are no algorithm parameters. We have already been doing experiments with Dilithium certificates based on the round 3 candidates, and had to pick our own OIDs (due to lack of a standard) and chose NOT to use parameters because we didn't know if there would be any. So it looks like there won't be a lot of changes required to our early non-standard prototype implementations. 😊
>
> That being said, I have a couple of comments:
>
> In regards to wrapping the public key in an OCTET_STRING:
>
>     The Dilithium public key MUST be encoded using the ASN.1 type
>     DilithiumPublicKey:
>
>     DilithiumPublicKey ::= OCTET STRING
>
> In testing interop with other implementations (openSSL with open quantum safe for example), I noticed they DO NOT wrap the DilithiumPublicKey in an OCTET_STRING. We did that in our initial implementation, but after going through RFC 5280 again, I don't see a specific need to first wrap the DilithiumKey (or in fact any of the other Post Quantum Signature types such as SPHINCS+ or Falcon) in an OCTET_STRING, as that OCTET_STRING then gets wrapped into a BIT STRING as per the SubjectPublicKeyInfo. You actually save 4 bytes without the wrapping.... In any case our current implementation can handle both ways, but it was something I came across and thought I would ask if there was a specific reason why it needed to be wrapped in an OCTET_STRING?
>
> This question underlies why we definitely need a standard... 😊
>
>
> In regards to the Private Key format, I notice you have placed an option to contain the PublicKey inside the private key.
>
>     DilithiumPrivateKey ::= SEQUENCE {
>         rho        BIT STRING,   -- nonce/seed
>         K          BIT STRING,   -- key/seed
>         tr         BIT STRING,   -- PRF bytes (CRH in spec.)
>         s1         BIT STRING,   -- vector l
>         s2         BIT STRING,   -- vector k
>         t0         BIT STRING,   -- encoded vector
>         PublicKey  IMPLICIT DilithiumPublicKey OPTIONAL
>     }
>
> Is this to align with other private key formats like RFC 5915 (Elliptic Curve Private Key)? With the larger size of these Dilithium keys (and other Post Quantum Keys), I think there would be less appetite for including the public key inside the private key. If an implementation depends on the public key being there, and it is not there, then I guess it would fail, possibly causing interop issues (I have already come across this with the openSSL - libOQS library, as they concatenated the public key in the private key, and our implementation did not). So I guess with it being optional, are you saying implementations MUST accept the key in either format (with the public key included or with no public key included)?
>
>
> In section 5, you have this sentence:
>
>     Dilithium public keys are
>     optionally distributed in the publicKey field of the PrivateKeyInfo
>     structure.
>
> I think you mean:
>
>     Dilithium public keys are
>     optionally distributed in the publicKey field of the DilithiumPrivateKey
>     structure.
>
>
> The PrivateKeyInfo structure from RFC 5208 does not contain a public key structure:
>
>     PrivateKeyInfo ::= SEQUENCE {
>         version                   Version,
>         privateKeyAlgorithm       PrivateKeyAlgorithmIdentifier,
>         privateKey                PrivateKey,
>         attributes           [0]  IMPLICIT Attributes OPTIONAL }
>
>
> Thanks again for putting this draft out so quickly after the NIST announcement!
>
> Cheers,
>
> John Gray
> Entrust
>
> -----Original Message-----
> From: Spasm <spasm-bounces@ietf.org> On Behalf Of Massimo, Jake
> Sent: Friday, July 8, 2022 4:08 PM
> To: spasm@ietf.org
> Subject: [EXTERNAL] [lamps] FW: New Version Notification for draft-massimo-lamps-pq-sig-certificates-00.txt
>
> Hi!
>
> I'd like to introduce the 00 draft of the I-D we discussed @ IETF 113 (and will discuss again @ IETF 114) that will document algorithm identifiers and ASN.1 encoding format for NIST's PQC signature algorithms in X.509. As discussed by Sean Turner in the introduction of the I-D draft-turner-lamps-nist-pqc-kem-certificates, we are splitting up the KEMs from the signature algorithms into separate I-Ds. This is the signature algorithm part. We focus on single PQC algorithms rather than hybrid constructions, which are covered in other drafts. We are planning to use the algorithm identifiers assigned by NIST. The draft discusses the signature algorithm Dilithium.
>
> If there is any feedback or comments on the draft in advance of the meeting, feel free to contact me.
>
> Cheers,
> Jake
>
>
> On 08/07/2022, 11:37, "internet-drafts@ietf.org" <internet-drafts@ietf.org> wrote:
>
>     A new version of I-D, draft-massimo-lamps-pq-sig-certificates-00.txt
>     has been successfully submitted by Jake Massimo and posted to the
>     IETF repository.
>
>     Name:           draft-massimo-lamps-pq-sig-certificates
>     Revision:       00
>     Title:          Algorithms and Identifiers for Post-Quantum Algorithms
>     Document date:  2022-07-08
>     Group:          Individual Submission
>     Pages:          12
>     URL:            https://urldefense.com/v3/__https://www.ietf.org/archive/id/draft-massimo-lamps-pq-sig-certificates-00.txt__;!!FJ-Y8qCqXTj2!em5Q_A_k1PMQ0W4omwWUauCCeb4EMshOz6mYYWzWzuQkN7W39uZc2n6qACvqm-IoJWr8lOb4JA7PFy5EbwwaOZJYPgTgSdndyJ0lmSg$
>     Status:         https://urldefense.com/v3/__https://datatracker.ietf.org/doc/draft-massimo-lamps-pq-sig-certificates/__;!!FJ-Y8qCqXTj2!em5Q_A_k1PMQ0W4omwWUauCCeb4EMshOz6mYYWzWzuQkN7W39uZc2n6qACvqm-IoJWr8lOb4JA7PFy5EbwwaOZJYPgTgSdnd2kZG978$
>     Html:           https://urldefense.com/v3/__https://www.ietf.org/archive/id/draft-massimo-lamps-pq-sig-certificates-00.html__;!!FJ-Y8qCqXTj2!em5Q_A_k1PMQ0W4omwWUauCCeb4EMshOz6mYYWzWzuQkN7W39uZc2n6qACvqm-IoJWr8lOb4JA7PFy5EbwwaOZJYPgTgSdnd7ZiJyGA$
>     Htmlized:       https://urldefense.com/v3/__https://datatracker.ietf.org/doc/html/draft-massimo-lamps-pq-sig-certificates__;!!FJ-Y8qCqXTj2!em5Q_A_k1PMQ0W4omwWUauCCeb4EMshOz6mYYWzWzuQkN7W39uZc2n6qACvqm-IoJWr8lOb4JA7PFy5EbwwaOZJYPgTgSdnd7k9nM9I$
>
>
>     Abstract:
>        Digital signatures are used within X.509 certificates, Certificate
>        Revocation Lists (CRLs), and to sign messages. This document
>        describes the conventions for using Dilithium quantum-resistant
>        signatures in Internet X.509 certificates and certificate revocation
>        lists. The conventions for the associated post-quantum signatures,
>        subject public keys, and private key are also described.
>
>
>     The IETF Secretariat
>
>
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/spasm__;!!FJ-Y8qCqXTj2!em5Q_A_k1PMQ0W4omwWUauCCeb4EMshOz6mYYWzWzuQkN7W39uZc2n6qACvqm-IoJWr8lOb4JA7PFy5EbwwaOZJYPgTgSdnd2gf0i_M$
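The encoding question John raises above (OCTET STRING inside the SubjectPublicKeyInfo BIT STRING, as in the -00 draft, versus the raw key bytes as the libOQS-based OpenSSL prototypes emit them) is easy to see on the wire. The following is an added example, not code from the draft, from Entrust's or from libOQS: it DER-encodes a SubjectPublicKeyInfo both ways, shows the 4-byte difference, and parses either form the way an interop-tolerant implementation would. The algorithm OID is a placeholder (the draft says it will use NIST-assigned identifiers, which are not on this page), the key bytes are constructed rather than a real Dilithium key, and the only Dilithium-specific fact used is that a Dilithium2 public key is a fixed 1312 bytes.

```python
# Added example: DER encoding and tolerant parsing of a Dilithium
# SubjectPublicKeyInfo, with and without the OCTET STRING wrapper.
# Pure Python so the byte layout is visible; not the draft's reference code.

DILITHIUM2_PK_LEN = 1312                       # fixed size per parameter set
# Constructed stand-in for a public key; NOT a real Dilithium key.
SAMPLE_PK = bytes(range(256)) * 5 + bytes(32)  # exactly 1312 bytes
# Placeholder OID: the NIST-assigned identifier is not on this page.
PLACEHOLDER_OID = "1.3.6.1.4.1.99999.7.6"


def der_len(n):
    """DER definite-length encoding of a content length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_oid(dotted):
    """Base-128 encode a dotted OID into an OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def encode_spki(pk, wrap_in_octet_string, oid=PLACEHOLDER_OID):
    """SubjectPublicKeyInfo ::= SEQUENCE { algorithm, subjectPublicKey BIT STRING }.
    wrap_in_octet_string=True puts OCTET STRING(pk) inside the BIT STRING
    (the -00 draft); False puts the raw key bytes there (libOQS style)."""
    inner = der_tlv(0x04, pk) if wrap_in_octet_string else pk
    bit_string = der_tlv(0x03, b"\x00" + inner)   # leading 0x00: no unused bits
    alg_id = der_tlv(0x30, der_oid(oid))          # no parameters, as in the draft
    return der_tlv(0x30, alg_id + bit_string)


def parse_tlv(buf, off=0):
    """Return (tag, content, offset_after) for the DER TLV at buf[off:]."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length form")
        length = int.from_bytes(buf[off + 2:off + 2 + nbytes], "big")
        hdr = 2 + nbytes
        if length < 0x80 or (nbytes > 1 and length < (1 << (8 * (nbytes - 1)))):
            raise ValueError("non-minimal DER length")   # reject BER-ish input
    start, end = off + hdr, off + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER content")
    return tag, buf[start:end], end


def extract_public_key(spki_der, expected_len=DILITHIUM2_PK_LEN):
    """Accept both encodings and return (key_bytes, form).
    The fixed per-parameter-set key size is what disambiguates them: a raw
    key is exactly expected_len bytes, a wrapped one is an OCTET STRING TLV
    spanning the whole BIT STRING content whose payload is expected_len."""
    tag, spki, end = parse_tlv(spki_der)
    if tag != 0x30 or end != len(spki_der):
        raise ValueError("SubjectPublicKeyInfo is not a single SEQUENCE")
    tag, _alg, off = parse_tlv(spki)               # AlgorithmIdentifier (not checked)
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    tag, bits, off = parse_tlv(spki, off)
    if tag != 0x03 or off != len(spki) or not bits or bits[0] != 0:
        raise ValueError("bad subjectPublicKey BIT STRING")
    content = bits[1:]
    if len(content) == expected_len:
        return content, "raw"
    tag, pk, end = parse_tlv(content)
    if tag == 0x04 and end == len(content) and len(pk) == expected_len:
        return pk, "octet-string"
    raise ValueError("neither a raw nor a wrapped key of %d bytes" % expected_len)


def overhead_bytes(pk=SAMPLE_PK):
    """Size cost of the OCTET STRING wrapper (4 bytes for a 1312-byte key)."""
    return len(encode_spki(pk, True)) - len(encode_spki(pk, False))
```

The parser deliberately keys on the fixed key length rather than on whether the BIT STRING content happens to start with 0x04: a raw key begins with the random seed rho, so a leading 0x04 byte is not evidence of a wrapper. The same length-based check is the natural way to cope with the other interop issue in the thread, a DilithiumPrivateKey whose trailing public key is OPTIONAL, since an absent public key changes the SEQUENCE length in a way the parser can detect rather than assume.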