IETF Logo Mail Archive

Re: [lamps] Proposed addition of hash-based signature algorithms for certificates to the LAMPS charter

Daniel Van Geest <Daniel.VanGeest@isara.com> Tue, 13 November 2018 18:17 UTC

Return-Path: <Daniel.VanGeest@isara.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C236E1294D0 for <spasm@ietfa.amsl.com>; Tue, 13 Nov 2018 10:17:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bL4VSG8TEbZw for <spasm@ietfa.amsl.com>; Tue, 13 Nov 2018 10:17:03 -0800 (PST)
Received: from esa1.isaracorp.com (esa1.isaracorp.com [207.107.152.166]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 083FD128B14 for <spasm@ietf.org>; Tue, 13 Nov 2018 10:17:02 -0800 (PST)
Received: from unknown (HELO V0501WEXGPR01.isaracorp.com) ([10.5.8.20]) by ip1.isaracorp.com with ESMTP; 13 Nov 2018 18:17:02 +0000
Received: from V0501WEXGPR01.isaracorp.com (10.5.8.20) by V0501WEXGPR01.isaracorp.com (10.5.8.20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.1466.3; Tue, 13 Nov 2018 13:16:58 -0500
Received: from V0501WEXGPR01.isaracorp.com ([fe80::d802:5aec:db34:beba]) by V0501WEXGPR01.isaracorp.com ([fe80::d802:5aec:db34:beba%7]) with mapi id 15.01.1466.012; Tue, 13 Nov 2018 13:16:58 -0500
From: Daniel Van Geest <Daniel.VanGeest@isara.com>
To: Adam Langley <agl@imperialviolet.org>, Russ Housley <housley@vigilsec.com>
CC: SPASM <spasm@ietf.org>
Thread-Topic: [lamps] Proposed addition of hash-based signature algorithms for certificates to the LAMPS charter
Thread-Index: AQHUdk0lICeW2g/VwEakcZ4bh1yW9KVGrkEAgAdfRQA=
Date: Tue, 13 Nov 2018 18:16:58 +0000
Message-ID: <87666F83-59E3-4F80-8F42-3D26A564C423@isara.com>
References: <3653FE62-CD11-47D1-A9DB-5C6FF4AD8498@vigilsec.com> <CAMfhd9WiqpH96UVTOxmeu50yw5N0ACtxk+5X3dax7tnT_+wpbQ@mail.gmail.com>
In-Reply-To: <CAMfhd9WiqpH96UVTOxmeu50yw5N0ACtxk+5X3dax7tnT_+wpbQ@mail.gmail.com>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.31.5.52]
Content-Type: multipart/alternative; boundary="_000_87666F8359E34F808F423D26A564C423isaracom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/rYHj0kM4yRJ3ULVwuh88_jgrgZo>
Subject: Re: [lamps] Proposed addition of hash-based signature algorithms for certificates to the LAMPS charter
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Nov 2018 18:17:06 -0000

Hi Adam,

You’re right that handling state needs to be done carefully and use of these signature schemes would not be appropriate in many contexts.  My presentation of this draft to LAMPS and SECDISPATCH pointed this out and gave some examples where they would and would not be appropriate.  If the WG chooses to proceed with this draft we can add more prominent/thorough text covering risks and mitigations.  Some solutions for managing state have been investigated, for example in https://eprint.iacr.org/2016/357.pdf, and should be used by signing implementations.

There are multi-lateral use cases for these signatures, a notable one being offline root CA signing.  Since these signature schemes are already well trusted, migration can begin prior to the completion of the NIST PQ Cryptography standardization, but will probably continue to be used well beyond that since they have decades of study behind them.

If we add stronger text warning of state reuse or mismanagement, the same should probably be done in draft-ietf-lamps-cms-hash-sig.  That draft is targeting code signing in CMS, but CMS also has other use cases where stateful signatures could be dangerous.

Daniel


On 2018-11-08, 3:42 PM, "Spasm on behalf of Adam Langley" <spasm-bounces@ietf.org<mailto:spasm-bounces@ietf.org> on behalf of agl@imperialviolet.org<mailto:agl@imperialviolet.org>> wrote:

On Tue, Nov 6, 2018 at 7:51 PM Russ Housley <housley@vigilsec.com<mailto:housley@vigilsec.com>> wrote:
The SECDISPATCH WG met on Tuesday afternoon, and they made this recommendation:

>  draft-vangeest-x509-hash-sigs-01 -- re-charter LAMPS WG to accept this draft

Three questions:

1) Do you support the addition of this work to the LAMPS charter?

No:

The signature schemes in the draft are stateful and sudden-death: the penalty for mishandling the state is huge. This contrasts with every signature scheme ever (I believe) deployed and thus with every current process. For example, reconstituting an HSM from smartcards would be a fatal error with such a scheme.

These schemes hedge against a valid risk, but at the cost of introducing a much larger one.

The contexts in which stateful & sudden-death signatures are plausible are so specific and controlled that standisation in X.509 would be immaterial to them—they are not multi-lateral enough that whether something has an RFC or not matters. On the other hand, standisation implicitly hints that the thing being standardised is somewhat reasonable. So, on balance, I don't think the integration of stateful schemes into formats and protocols is a suitable subject for the IETF.


AGL
--
Adam Langley agl@imperialviolet.org<mailto:agl@imperialviolet.org> https://www.imperialviolet.org

v2.23.0 | Report a Bug | By Email