Re: [lamps] Can ML-DSA be used in CMS?

Wai Choi <wchoi@us.ibm.com> Tue, 13 February 2024 17:40 UTC

From: Wai Choi <wchoi@us.ibm.com>
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>, "draft-ietf-lamps-dilithium-certificates@ietf.org" <draft-ietf-lamps-dilithium-certificates@ietf.org>
CC: 'LAMPS' <spasm@ietf.org>
Date: Tue, 13 Feb 2024 17:40:23 +0000
Message-ID: <MW3PR15MB40438805497E74A0B492960F814F2@MW3PR15MB4043.namprd15.prod.outlook.com>
References: <CH0PR11MB5739AF8408E1669FB9EF912A9F4F2@CH0PR11MB5739.namprd11.prod.outlook.com> <MW3PR15MB404385AF5F6D6F86A030A200814F2@MW3PR15MB4043.namprd15.prod.outlook.com> <CH0PR11MB57397A403786F929D27312B69F4F2@CH0PR11MB5739.namprd11.prod.outlook.com>
In-Reply-To: <CH0PR11MB57397A403786F929D27312B69F4F2@CH0PR11MB5739.namprd11.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/rQyXGuQ4_2cVLRlLaB3f2wPf3jg>
Subject: Re: [lamps] Can ML-DSA be used in CMS?

Mike,



Thanks for the pointer to Kyber.



My first question is: can a certificate with a PQ signature algorithm contain a non-PQ public key, for example, the signature is ML-DSA but the public key is X25519? It seems your answer is for self-signed certificates, right?



For the second question, I don't quite understand the example Root: LMS, ICA: Dilithium, EE: ECDSA. Are LMS, Dilithium, ECDSA referring to the signature algorithms on the Root, ICA, EE certificates respectively? If so, that implies the ICA has an ECC key to create the ECDSA signature? In other words, this example illustrates that the ICA has low value since it does not use a quantum-safe key, and we can't tell whether the EE has low value since we don't know what public key is on the certificate.



Wai Choi



From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
Sent: Tuesday, February 13, 2024 11:23 AM
To: Wai Choi <wchoi@us.ibm.com>; draft-ietf-lamps-dilithium-certificates@ietf.org
Cc: 'LAMPS' <spasm@ietf.org>
Subject: [EXTERNAL] RE: [lamps] Can ML-DSA be used in CMS?



Hi Wai Choi,



We do already have a draft for Kyber in CMS. Please see: https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-kyber/

(it is very out-of-date; we are working on a massive update and will have it published before 119).





To your other questions:



> 1. Although it makes sense to have PQ algorithms on both Signature Algorithm and Public key Algorithm, is it a MUST requirement?



I think the approach that we are taking with the new PQC algorithms is to use the same OID for both the Public Key Algorithm and the Signature Algorithm. This approach worked well for Ed25519, Ed448, X25519, X448, and it avoids cross-protocol attacks where a single key can be used for multiple different cryptographic schemes.



Was that your question?





> 2. Does the whole chain of certificates need to use PQ algorithms?



My personal opinion is that this is out of scope for IETF. I believe that IETF should specify the technical wire formats, and issues such as whether you are allowed to mix and match algorithms up a single certificate chain (and which algorithms are allowed to be mixed, and whether certificate lifetime comes into play, etc.) are policy issues and thus outside the scope of IETF to specify.



As an example, I could imagine PKI scenarios where the PKI as a whole has high value, but individual end entity keys have low value. For example smartcards serving as low-value gift cards for a restaurant chain, or a backend TLS deployment where TLS Client and Server certs renew every 7 days. In those scenarios, I think it could be totally reasonable to deploy a PKI as: Root: LMS, ICA: Dilithium, EE: ECDSA. So I don't think that the IETF should make any opinion here.



---

Mike Ounsworth



From: Wai Choi <wchoi@us.ibm.com>
Sent: Tuesday, February 13, 2024 8:10 AM
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>; draft-ietf-lamps-dilithium-certificates@ietf.org
Cc: 'LAMPS' <spasm@ietf.org>
Subject: [EXTERNAL] RE: [lamps] Can ML-DSA be used in CMS?



Do we need a draft to address how to use Kyber in X.509 certificates? While having a certificate used for signing is common, one used for email encryption is not rare. I wonder why all the discussion focuses on signing only...



Other basic questions on PQ certificates:
1. Although it makes sense to have PQ algorithms on both Signature Algorithm and Public key Algorithm, is it a MUST requirement?



2. Does the whole chain of certificates need to use PQ algorithms?



Wai Choi



From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
Sent: Tuesday, February 13, 2024 8:37 AM
To: draft-ietf-lamps-dilithium-certificates@ietf.org
Cc: 'LAMPS' <spasm@ietf.org>
Subject: [lamps] Can ML-DSA be used in CMS?



The answer obviously is Yes, but draft-ietf-lamps-dilithium-certificates does not actually say this.



I was reading a draft ICAO ePassport document yesterday that correctly points out that IETF has a draft for how to use ML-DSA in X.509 certificates, but no draft for how to use ML-DSA in CMS.



Authors of draft-ietf-lamps-dilithium-certificates, if you add a section "Signed-data Conventions" modelled after RFC8419, then I think that saves us from needing a whole second ML-DSA draft.



---
Mike Ounsworth
Software Security Architect, Entrust
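Added example, not code from the thread or from any LAMPS draft, to make two points of the discussion concrete: Mike's "same OID for the public-key algorithm and the signature algorithm" rule, and the distinction between the wire-format check a verifier can make and the mix-and-match question that Mike calls deployment policy (Root: LMS, ICA: Dilithium, EE: ECDSA), which also answers Wai's case of an ML-DSA-signed certificate carrying an X25519 key. It uses only the Python standard library: a minimal DER walker pulls the subject-key and signature OIDs out of a certificate, and a checker applies both rules to a chain. The certificates are constructed here with empty Names and zero-filled key and signature bit strings, and the OIDs in the table are assumptions drawn from RFC 8410, RFC 5480/5758, RFC 8708 and the NIST CSOR arc, not from the thread.

```python
# Added example: structure-only DER parsing plus the two checks discussed in the thread.
# Everything below is constructed for illustration; no real keys or signatures are involved.

def der_read(buf, pos=0):
    """Return (tag, content, next_pos) for the DER TLV at pos (short or long length form)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    """Split a constructed TLV's content into (tag, content) children."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = der_read(content, pos)
        out.append((tag, val))
    return out

def decode_oid(content):
    """OBJECT IDENTIFIER content octets -> dotted string (base-128 arcs, first two packed)."""
    arcs, acc = [], 0
    for b in content:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def der_tlv(tag, content):
    """Encode one DER TLV (long length form when content is 128 bytes or more)."""
    n = len(content)
    lb = b"" if n < 128 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 128 else 0x80 | len(lb)]) + lb + content

def encode_oid(dotted):
    """Dotted string -> OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        body += bytes(chunk)
    return der_tlv(0x06, bytes(body))

def build_cert(spki_oid, sig_oid):
    """Constructed, structure-only Certificate: empty Names, zero-filled key and signature."""
    alg = lambda oid: der_tlv(0x30, encode_oid(oid))       # AlgorithmIdentifier without parameters
    name, t = der_tlv(0x30, b""), der_tlv(0x18, b"20240101000000Z")
    spki = der_tlv(0x30, alg(spki_oid) + der_tlv(0x03, b"\x00" * 33))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
                  + alg(sig_oid) + name + der_tlv(0x30, t + t) + name + spki)
    return der_tlv(0x30, tbs + alg(sig_oid) + der_tlv(0x03, b"\x00" * 65))

def cert_algorithms(cert_der):
    """Return (subjectPublicKeyInfo.algorithm OID, signatureAlgorithm OID) of a DER certificate."""
    (_, tbs), (_, outer_alg), _sig = der_children(der_read(cert_der)[1])
    fields = der_children(tbs)
    i = 1 if fields[0][0] == 0xA0 else 0                   # skip the explicit [0] version
    spki_alg = der_children(fields[i + 5][1])[0][1]        # spki = SEQ { algorithm, BIT STRING }
    oid_of = lambda alg_content: decode_oid(der_children(alg_content)[0][1])
    return oid_of(spki_alg), oid_of(outer_alg)

LMS, MLDSA65 = "1.2.840.113549.1.9.16.3.17", "2.16.840.1.101.3.4.3.18"
ECKEY, ECDSA, X25519 = "1.2.840.10045.2.1", "1.2.840.10045.4.3.2", "1.3.101.110"
# Assumed OIDs, not from the thread: RFC 8410 (X25519), RFC 5480/5758 (EC key, ECDSA),
# RFC 8708 (HSS/LMS), NIST CSOR sigAlgs arc (ML-DSA-65). Value: (name, quantum-safe,
# signature OIDs a key of this type may sign under). For the scheme-bound algorithms that
# set is just the key's own OID, which is the same-OID rule Mike describes.
ALGS = {
    X25519: ("X25519", False, set()),                       # key-agreement key, never signs
    ECKEY: ("id-ecPublicKey", False, {ECDSA}),              # EC key signs under a separate ECDSA OID
    ECDSA: ("ecdsa-with-SHA256", False, set()),
    LMS: ("HSS/LMS", True, {LMS}),
    MLDSA65: ("ML-DSA-65", True, {MLDSA65}),
}
alg_name = lambda oid: ALGS.get(oid, (oid,))[0]

def check_chain(chain_der, pq_required_roles):
    """chain_der runs root..EE; pq_required_roles lists the roles whose *keys* must be quantum-safe."""
    algs = [cert_algorithms(c) for c in chain_der]
    problems = []
    for idx, (key, sig) in enumerate(algs):
        role = "root" if idx == 0 else "ee" if idx == len(algs) - 1 else "ica"
        issuer_key = algs[max(idx - 1, 0)][0]               # root is self-signed
        if sig not in ALGS[issuer_key][2]:                  # cross-scheme use of the issuer key
            problems.append(f"{role}: signed under {alg_name(sig)} but issuer key is {alg_name(issuer_key)}")
        if role in pq_required_roles and not ALGS[key][1]:  # deployment policy, not a wire-format rule
            problems.append(f"{role}: policy requires a quantum-safe key, found {alg_name(key)}")
    return problems

# Mike's Root: LMS, ICA: Dilithium, EE: ECDSA deployment (Dilithium rendered as ML-DSA-65),
# Wai's ML-DSA-signed certificate carrying an X25519 key, and a chain whose ML-DSA CA key
# appears as the signer of an ECDSA signature.
MIXED_CHAIN = [build_cert(LMS, LMS), build_cert(MLDSA65, LMS), build_cert(ECKEY, MLDSA65)]
ENCRYPTION_CHAIN = [build_cert(MLDSA65, MLDSA65), build_cert(X25519, MLDSA65)]
BAD_CHAIN = [build_cert(MLDSA65, MLDSA65), build_cert(ECKEY, ECDSA)]
```

Running `check_chain(MIXED_CHAIN, {"root", "ica"})` returns no problems, while the same chain under a policy that also lists `"ee"` reports the EE's classical key: the wire format is fine either way, and only the policy decides. `ENCRYPTION_CHAIN` passes, because the signature OID on a certificate describes the issuer's key, so the subject's own key may be X25519 or anything else. `BAD_CHAIN` is the case the same-OID convention exists to catch: an ML-DSA issuer key cannot have produced an ECDSA signature, so the EE certificate is rejected before any signature bytes are examined.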