Re: [lamps] Hybrid pkix isn't needed

Ilari Liusvaara <ilariliusvaara@welho.com> Tue, 31 January 2023 09:59 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B4647C1522AD for <spasm@ietfa.amsl.com>; Tue, 31 Jan 2023 01:59:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Cqr4ciROyD86 for <spasm@ietfa.amsl.com>; Tue, 31 Jan 2023 01:59:17 -0800 (PST)
Received: from welho-filter4.welho.com (welho-filter4b.welho.com [83.102.41.30]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 58BB8C151717 for <spasm@ietf.org>; Tue, 31 Jan 2023 01:58:36 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by welho-filter4.welho.com (Postfix) with ESMTP id 334B267C1D for <spasm@ietf.org>; Tue, 31 Jan 2023 11:58:33 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp2.welho.com ([IPv6:::ffff:83.102.41.85]) by localhost (welho-filter4.welho.com [::ffff:83.102.41.26]) (amavisd-new, port 10024) with ESMTP id puI6O2mrj95F for <spasm@ietf.org>; Tue, 31 Jan 2023 11:58:32 +0200 (EET)
Received: from LK-Perkele-VII2 (87-92-216-160.rev.dnainternet.fi [87.92.216.160]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp2.welho.com (Postfix) with ESMTPSA id E029372 for <spasm@ietf.org>; Tue, 31 Jan 2023 11:58:31 +0200 (EET)
Date: Tue, 31 Jan 2023 11:58:31 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: "spasm@ietf.org" <spasm@ietf.org>
Message-ID: <Y9jmR66krU5TL7cH@LK-Perkele-VII2.locald>
References: <CACsn0c=uPvp_hmakpfPff8WkYh1q9NhjfTJYs7iFu_czL2yAyA@mail.gmail.com> <DS7PR12MB5983E36300151BFC47E5CB34AAD39@DS7PR12MB5983.namprd12.prod.outlook.com> <CH0PR11MB57392033396F181A9853FAD79FD39@CH0PR11MB5739.namprd11.prod.outlook.com> <CACsn0c=n5TLZRywpRCQhpyoxX65OfA9p6e5iz9jKnnEVSX4zmQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CACsn0c=n5TLZRywpRCQhpyoxX65OfA9p6e5iz9jKnnEVSX4zmQ@mail.gmail.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/rNY2j1G8IHG_EdOP3dyfHruGf9Y>
Subject: Re: [lamps] Hybrid pkix isn't needed
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Jan 2023 09:59:18 -0000

On Mon, Jan 30, 2023 at 10:49:32AM -0800, Watson Ladd wrote:
> On Mon, Jan 30, 2023 at 10:30 AM Mike Ounsworth
> <Mike.Ounsworth@entrust.com> wrote:
> <snip>
> 
> > For TLS or IKEv2, yes, signatures are less urgent than encryption,
> > but in general you know that you’re fighting a losing battle here,
> > right? Especially since the NSA in their CNSA 2.0 have marked
> > code-signing as the most urgent use case to migrate to PQC. 
> 
> In that case what's the point of hybridization: you need very high
> security due to lack of updates, you're not signing very much, so XMSS
> or another hashed based scheme is the obvious choice. 

CNSA 2.0 specifies LMS or XMSS. And from what I can tell, this part
is already active, so it is deployable right now (unlike say the
asymmetric encrpytion parts).


> > Another example is PDF signing; if I can factor the signer’s
> > private key so I can modify and re-sign the PDF then what’s
> > stopping me from also back-dating the timestamps?

This is only possible after total breakdown of signature algorithm.
And bad enough classical break would do it too.


> > Yet another is S/MIME email certificates: you need PQ CAs before
> > you can issue PQ encryption certs.

Wrong. Trying the two together is a major security issue. The time-
scales are just very different:

- Not a problem: Attacker breaking the CA keys three years from now
  (when the S/MIME certificate has expired).

- *CATASTROPHIC* (as in impossible to recover from) problem: Attacker
  breaking the encryption key 20 years from now when the information
  is still sensitive.


> Why? There's nothing wrong with mixed algorithms in a chain. The
> bigger issue here is root program policies about what can be signed.

Yeah, for example CABForum S/MIME baseline requirements only allow RSA
and ECIES for encryption.

That would be a major problem once Kyber is standard.



-Ilari