Re: [lamps] [EXTERNAL] Re: PQ-composite OR or K-of-N logic

Serge Mister <Serge.Mister@entrust.com> Fri, 22 April 2022 18:23 UTC

From: Serge Mister <Serge.Mister@entrust.com>
To: Russ Housley <housley@vigilsec.com>, "Kampanakis, Panos" <kpanos=40amazon.com@dmarc.ietf.org>
CC: LAMPS <spasm@ietf.org>
Date: Fri, 22 Apr 2022 18:23:41 +0000
Message-ID: <DM6PR11MB38025338B4FA3AED0AA99E3196F79@DM6PR11MB3802.namprd11.prod.outlook.com>
References: <f2fb2b2459fe42818348838eb14cc2ac@EX13D01ANC003.ant.amazon.com> <29E39FB1-D8E5-40E9-AFC0-5A8EBBB705DF@vigilsec.com>
In-Reply-To: <29E39FB1-D8E5-40E9-AFC0-5A8EBBB705DF@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/sy16qVgrZ6_GjTPAi9jNhuu6WFI>
Subject: Re: [lamps] [EXTERNAL] Re: PQ-composite OR or K-of-N logic

Hello all,

As I mentioned on the call, I'm not fully convinced that deciding which signatures a relying party must verify is entirely a decision for the relying party.  When an entity obtains a certificate from a CA, signatures verifiable with the certificate are attributed to the entity named in the certificate.  The certificate holder then wouldn't want a weak key bound to their identity.  If a composite key can be used in "OR" mode, the key is weakened when any of the algorithms is weakened.

This view is supported I think by RFC 4055 section 1.2 which states that the rsaEncryption OID implies that "the RSA private key owner does not wish to limit the use of the public key exclusively to either RSASSA-PSS or RSAES-OAEP" and also "When the RSA private key owner wishes to limit the use of the public key exclusively to RSASSA-PSS, then the id-RSASSA-PSS object identifier MUST be used in the algorithm field within the subject public key information".

Applying this idea to composite, and in line with the idea that it is the signature algorithm that should dictate whether signing and verification require all or only some of the component signatures to be generated/verified, I'm picturing that we could have:

  - An OID that identifies a composite public key, that is agnostic to how those keys are used (similar to rsaEncryption)
  - OIDs that identify specific signature algorithms, possibly with parameters, that could be specified in SubjectPublicKeyInfo and would then limit use of the composite key to that signature algorithm (and specified parameters, if they are specified).

The latter OIDs would also be used in SignatureAlgorithm fields.

Serge

-----Original Message-----
From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
Sent: Friday, April 22, 2022 12:41 PM
To: Kampanakis, Panos <kpanos=40amazon.com@dmarc.ietf.org>
Cc: LAMPS <spasm@ietf.org>
Subject: [EXTERNAL] Re: [lamps] PQ-composite OR or K-of-N logic

(No hats)

On the call, many people expressed concern that the approach in the I-D tries to bind the signature verification policy to a public key.  These people prefer an approach where the relying party applies their own policy.  I tend to agree that the verifier should determine the policy.

Russ

> On Apr 21, 2022, at 11:00 PM, Kampanakis, Panos <kpanos=40amazon.com@dmarc.ietf.org> wrote:
>
> Hi all,
>
> This was discussed in the interim meeting yesterday, but I promised to also bring it up to the list.
>
> https://datatracker.ietf.org/doc/draft-ounsworth-pq-composite-sigs/ includes a Composite-OR and a Composite-OR-Legacy mode. And Mike also mentioned K-of-N logic in the meeting. These allow for the signer to define the verification logic of the composite signature. As many pointed out in the interim meeting yesterday, it is counterintuitive for the signer to tell the verifier what to verify. If the verifier does not trust one of the signatures in the composite signature it can make a decision on what to do based on its policy. It could fail unless all sigs verify or do something else.
>
> Adding granularity in the signature to tell the signer what to do not only changes what we know and use today, but it also opens cans of worms with complexity and mistakes that could happen in implementations.
>
> I suggest to just define one mode. That is a composite sig is two signatures of the same thing with two algorithms using two keys. The signer is supposed to verify the composite signature. How it does that is beyond this draft.
>
> Rgs,
> Panos

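The two positions in this thread, side by side, as an added sketch that is not part of any message or of the draft: a key-bound restriction modelled on the RFC 4055 section 1.2 rule, combined with a relying party's own floor on how many component signatures must verify. The composite identifiers are hypothetical placeholders (no OIDs are assumed to be assigned), the function names are invented for illustration, and algorithm parameters are ignored.

```python
# Added illustration; composite identifiers are hypothetical placeholders, not assigned OIDs.
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"      # generic RSA key (RFC 4055 section 1.2)
ID_RSASSA_PSS = "1.2.840.113549.1.1.10"      # key limited to RSASSA-PSS
SHA256_WITH_RSA = "1.2.840.113549.1.1.11"    # PKCS#1 v1.5 signature with SHA-256
COMPOSITE_KEY = "placeholder:composite-key"  # agnostic composite key (hypothetical)
COMPOSITE_AND = "placeholder:composite-and"  # all components must verify (hypothetical)
COMPOSITE_OR = "placeholder:composite-or"    # any one component suffices (hypothetical)

# Key identifiers that leave the choice of signature algorithm open.
GENERIC_KEYS = {
    RSA_ENCRYPTION: {SHA256_WITH_RSA, ID_RSASSA_PSS},
    COMPOSITE_KEY: {COMPOSITE_AND, COMPOSITE_OR},
}

def sig_alg_permitted(spki_alg, sig_alg):
    """True if the key's SubjectPublicKeyInfo algorithm allows sig_alg."""
    if spki_alg in GENERIC_KEYS:
        return sig_alg in GENERIC_KEYS[spki_alg]
    # A restricted key names the one signature algorithm it may be used with.
    return spki_alg == sig_alg

def required_count(sig_alg, n):
    """Number of component signatures that must verify under sig_alg."""
    return {COMPOSITE_AND: n, COMPOSITE_OR: 1}[sig_alg]

def accept(spki_alg, sig_alg, component_ok, rp_min_valid=1):
    """Decide on a composite signature.

    component_ok: per-component verification results (booleans).
    rp_min_valid: relying party's own floor on valid components.
    """
    if not sig_alg_permitted(spki_alg, sig_alg):
        return False
    needed = max(required_count(sig_alg, len(component_ok)), rp_min_valid)
    return sum(component_ok) >= needed

# Constructed scenario: one of two component algorithms has been weakened,
# so only that component verifies on a message the key holder never signed.
FORGED = [True, False]
```

With an agnostic key and no relying-party floor, the constructed `FORGED` case is accepted in OR mode; binding the key to the AND algorithm or setting `rp_min_valid=2` both reject it, which is the difference between the signer-side and verifier-side controls discussed above.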