IETF Logo Mail Archive

[lamps] Re: WG Last Call for draft-ietf-lamps-kyber-certificates-07

Russ Housley <housley@vigilsec.com> Fri, 10 January 2025 19:49 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E1F15C151548 for <spasm@ietfa.amsl.com>; Fri, 10 Jan 2025 11:49:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.102
X-Spam-Level:
X-Spam-Status: No, score=-2.102 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, LOTS_OF_MONEY=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=vigilsec.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gfU7THNlKsXt for <spasm@ietfa.amsl.com>; Fri, 10 Jan 2025 11:49:42 -0800 (PST)
Received: from mail3.g24.pair.com (mail3.g24.pair.com [66.39.134.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AA387C14F738 for <spasm@ietf.org>; Fri, 10 Jan 2025 11:49:42 -0800 (PST)
Received: from mail3.g24.pair.com (localhost [127.0.0.1]) by mail3.g24.pair.com (Postfix) with ESMTP id 213CD7A006; Fri, 10 Jan 2025 14:49:38 -0500 (EST)
Received: from smtpclient.apple (unknown [96.241.2.243]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail3.g24.pair.com (Postfix) with ESMTPSA id 0AFAD7A10B; Fri, 10 Jan 2025 14:49:38 -0500 (EST)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <F8EBA92E-B9A6-4149-9A0F-EDE82A782317@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_B23D8FAF-E7AA-4588-9C6F-DE2809C582FC"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3826.200.121\))
Date: Fri, 10 Jan 2025 14:49:27 -0500
In-Reply-To: <20250110185004.93407.qmail@cr.yp.to>
To: Dan Bernstein <djb@cr.yp.to>
References: <20250110185004.93407.qmail@cr.yp.to>
X-Mailer: Apple Mail (2.3826.200.121)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=vigilsec.com; h=from:message-id:content-type:mime-version:subject:date:in-reply-to:cc:to:references; s=pair-202402141609; bh=VpHomchz1jSBSRlJO7gQnAIRktM+NkbbTQoGKJQInbs=; b=HlvlEwu4sg6JoAUFuBC3vLtflAPl2xisyLaT+5DeukDrYoohtB7X3oawqy0O+3LELilguCNGNNhGQub6qZQ3lj4zFugiGpppX7vp8wvB4Lctyhoq+YplTGznpKcEqQVfMqUejkTTjiKHRQ3kgU9jcT7t4Q0DspqUvWb83536aM0hmNF3U6oJDP1okJTXpn1g91/4L3cYS3FM+StPGkNYaf1AZWP85JifpMtoVcN8s3maqXdZjm9VAJKP/PZvb4Zp0uOmZjsEUR+M8JFymzPlFaFe1Wh7iUEJhHT0q4fScIUf4pXy8SUeHW2c+jKAnY+ObmC/hpJGSaNtfyNkWlRd+A==
X-Scanned-By: mailmunge 3.11 on 66.39.134.11
Message-ID-Hash: BBQQ55MB6PYD6QPBPNG5GBIPUOEWWLD7
X-Message-ID-Hash: BBQQ55MB6PYD6QPBPNG5GBIPUOEWWLD7
X-MailFrom: housley@vigilsec.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-spasm.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: spasm@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [lamps] Re: WG Last Call for draft-ietf-lamps-kyber-certificates-07
List-Id: This is the mail list for the LAMPS Working Group <spasm.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/vZyBlysgCgG0bwieny62vAwS6ZA>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Owner: <mailto:spasm-owner@ietf.org>
List-Post: <mailto:spasm@ietf.org>
List-Subscribe: <mailto:spasm-join@ietf.org>
List-Unsubscribe: <mailto:spasm-leave@ietf.org>

Dan:

1.  Thanks for the background on this matter; however, I must point out that there are no IPR disclosures, including third-party IPR disclosures, against this document.  See:

	https://datatracker.ietf.org/ipr/search/?submit=draft&id=draft-ietf-lamps-kyber-certificates

You seem to be very familiar with the IETF IPR-related documents, but for other readers, I will point out that Section 5.1.3 of BCP 79 covers third-party disclosures.

When the IETF Secretariat has receives a notification under Section 5.1.3 of the existence of non-participant IPR that potentially Covers a technology under discussion at IETF or which is the subject of an IETF Document, the IETF Secretariat shall promptly publish such notification and will request that the identified third party make an IPR disclosure in accordance with the provisions of Section 5 of BCP 79.

2.  This is not a mandator-to-implement algorithm.  If one chooses to implement this specification, then that implementer will obviously need to implement ML-KEM.  Implementation of this specification is completely voluntary, even if it is published as a standards-track RFC.

3.  The IETF does have change control over this specification, but it does not have change control over ML-KEM.  If a problem is ever discovered with ML-KEM, then the IETF will have two choices.  The IETF can work with NIST to resolve the problem, or the IETF can deprecate the use of ML-KEM.  RFC 6649 is an example of the later, where DES (which was also a NIST algorithm) is deprecated for use in Kerberos.

Russ


> On Jan 10, 2025, at 1:50 PM, D. J. Bernstein <djb@cr.yp.to> wrote:
> 
> I see two BCP 79 compliance problems in this draft. The same comments
> apply to draft-ietf-lamps-cms-kyber-08.
> 
> 
> 1. As background, there are known patent claims regarding Kyber. NIST
> has reportedly signed patent licenses regarding patents US9094189
> (Gaborit and Aguilar-Melchor) and US9246675 (Ding). However, another
> patent holder wrote in
> 
>    https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/Fm4cDfsx65s/m/F63mixuWBAAJ
> 
> that "Kyber is covered by our patents" including "the two patents
> mentioned in the KCL proposal". I've seen no evidence of a royalty-free
> license for those patents, such as CN107566121A (which was filed a month
> before the publication of "NewHope without reconciliation", Kyber's
> direct predecessor).
> 
> Even for the GAM and Ding patents, the complete signed licenses don't
> appear to be available to the public. The posting
> 
>    https://web.archive.org/web/20221130033932/https://csrc.nist.gov/csrc/media/Projects/post-quantum-cryptography/documents/selected-algos-2022/nist-pqc-license-summary-and-excerpts.pdf
> 
> says that it contains "relevant language (with modifications for
> readability)" from the licenses; this provides no guarantees of
> completeness and accuracy.
> 
> Furthermore, what has been posted (see previous link) appears to
> indicate that the US9246675 license excludes "any modification,
> extension, or derivation of the parameters of the PQC ALGORITHM".
> 
> 
> 2. BCP 79 says the following: "An IETF consensus has developed that no
> mandatory-to-implement security technology can be specified in an IETF
> specification unless it has no known IPR claims against it or a
> royalty-free license is available to implementers of the specification."
> 
> One can't implement draft-ietf-lamps-kyber-certificates-07 without
> implementing Kyber. The Zhao claim that "Kyber is covered by our
> patents" is a known IPR claim regarding Kyber. Consequently, before
> becoming an IETF RFC, the draft should be modified to allow alternatives
> to Kyber.
> 
> The only other approach would be for the draft to invoke the exception
> procedure from BCP 79: "It is possible to specify such a technology in
> violation of this principle if there is a very good reason to do so and
> if that reason is documented and agreed to through IETF consensus." I
> haven't seen IETF-wide notification of a proposal to violate this BCP 79
> principle, and I'm also not aware of a good reason to do so, let alone a
> "very good reason". There are patent claims regarding Kyber, so any IETF
> specification using Kyber should also include alternatives.
> 
> 
> 3. BCP 79 also says the following: "The IETF must have change control
> over the technology described in any Standards Track IETF Documents in
> order to fix problems that may be discovered or to produce other
> derivative works."
> 
> BCP 79 goes on to say that it isn't prohibiting proprietary cryptography
> but requires negotiations with the patent holders to ensure change
> control:
> 
>    In some cases, the developer of patented or otherwise controlled
>    technology may decide to hand over to the IETF the right to evolve
>    the technology (a.k.a., "change control").  The implementation of an
>    agreement between the IETF and the developer of the technology can be
>    complex.  (See [RFC1790] and [RFC2339] for examples.)
> 
>    Note that there is no inherent prohibition against a Standards Track
>    IETF Document making a normative reference to proprietary technology.
>    For example, a number of IETF standards support proprietary
>    cryptographic transforms.
> 
> The change-control rule per se has no exceptions. In the absence of
> change control, a draft cannot go on the standards track.
> 
> Even if we assume that
> 
>    https://web.archive.org/web/20221130033932/https://csrc.nist.gov/csrc/media/Projects/post-quantum-cryptography/documents/selected-algos-2022/nist-pqc-license-summary-and-excerpts.pdf
> 
> accurately reflects the actual signed licenses, it doesn't assign Kyber
> change control from the US9246675 patent holder to IETF. Modifications
> to produce derivative works, for example to fix problems that may be
> discovered, wouldn't be allowed. The patent holder would be free to
> charge IETF arbitrary amounts to allow such modifications. This is the
> type of trap that the change-control requirement is designed to avoid.
> 
> 
> ---D. J. Bernstein
> 
> _______________________________________________
> Spasm mailing list -- spasm@ietf.org
> To unsubscribe send an email to spasm-leave@ietf.org

v2.46.0 | Report a Bug | By Email | System Status