[lamps] SLH-DSA in CMS/X.509
Daniel Van Geest <daniel.vangeest.ietf@gmail.com> Thu, 15 February 2024 12:40 UTC
From: Daniel Van Geest <daniel.vangeest.ietf@gmail.com>
To: "'Kampanakis, Panos'" <kpanos=40amazon.com@dmarc.ietf.org>, 'Mike Ounsworth' <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>, draft-ietf-lamps-dilithium-certificates@ietf.org
Cc: 'LAMPS' <spasm@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/tRphwWBUWHSeGWN-gYTbEzg_K1A>
Forking from "Can ML-DSA be used in CMS" because it's the same problem with a different subject.

The question of separate drafts also applies to SLH-DSA. One line in draft-ietf-lamps-cms-sphincs-plus shouldn't be sufficient to say to the IETF world "And now you can use SLH-DSA in X.509!". draft-gazdag-x509-hash-sigs would do that work. At 118, Stefan kindly asked for adoption and there weren't any objections in the queue. But I haven't seen a call for adoption on the list. There was also no opinion on splitting the draft (SLH-DSA and XMSS/HSS). Since draft-ietf-lamps-cms-sphincs-plus is adopted, we should have something adopted at the X.509 level, whether it's draft-gazdag-x509-hash-sigs or a split draft for just SLH-DSA.

Question for the chairs: Was there sufficient interest for adoption of draft-gazdag-x509-hash-sigs at 118, and it was just missed?

Question for the WG: Should draft-gazdag-x509-hash-sigs be split into SLH-DSA and Stateful HBS drafts?

My opinion: draft-ietf-lamps-cms-sphincs-plus shows demand for SLH-DSA in IETF protocols. A separate SLH-DSA in X.509 draft would progress faster because it's not weighed down by the concerns around stateful algorithms. If somehow draft-ietf-lamps-cms-sphincs-plus can progress without an associated X.509 draft I guess that's okay too.

If they should be split, I can spin up the SLH-DSA draft. It'll be a lot of copy-paste, so if you think I'll be copying your text and can help with that, let me know.

Daniel

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Kampanakis, Panos
Sent: Wednesday, February 14, 2024 3:08 AM
To: Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>; draft-ietf-lamps-dilithium-certificates@ietf.org
Cc: 'LAMPS' <spasm@ietf.org>
Subject: Re: [lamps] Can ML-DSA be used in CMS?

Hi Mike,

We could consider doing all ML-DSA in CMS and X.509 in one draft, but personally I would rather we kept them separate like we did with SHAKEs in CMS (rfc8702) and X.509 (rfc8692) or with EdDSA in CMS and X.509. They are more straightforward for implementers that way. We could change that if there was WG consensus.

Note that draft-ietf-lamps-cms-sphincs-plus mentions about SLH-DSA in CMS "When this AlgorithmIdentifier appears in the SubjectPublicKeyInfo field of an X.509 certificate [.]" So, it includes how the SLH-DSA OID can be used in X.509 cert public keys as well, but it does not mention how to use the signatures.

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Mike Ounsworth
Sent: Tuesday, February 13, 2024 8:37 AM
To: draft-ietf-lamps-dilithium-certificates@ietf.org
Cc: 'LAMPS' <spasm@ietf.org>
Subject: [EXTERNAL] [lamps] Can ML-DSA be used in CMS?

The answer obviously is Yes, but draft-ietf-lamps-dilithium-certificates does not actually say this.

I was reading a draft ICAO ePassport document yesterday that correctly points out that IETF has a draft for how to use ML-DSA into X.509 certificates, but no draft for how to use ML-DSA in CMS.

Authors of draft-ietf-lamps-dilithium-certificates, if you add a section "Signed-data Conventions" modelled after RFC8419, then I think that saves us from needing a whole second ML-DSA draft.

---
Mike Ounsworth
Software Security Architect, Entrust