IETF Logo Mail Archive

[lamps] Re: WG Last Call for draft-ietf-lamps-kyber-certificates-07

Russ Housley <housley@vigilsec.com> Mon, 17 February 2025 18:29 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 47DF9C17C88A for <spasm@ietfa.amsl.com>; Mon, 17 Feb 2025 10:29:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.805
X-Spam-Level:
X-Spam-Status: No, score=-2.805 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=vigilsec.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xGRriVFeSgUH for <spasm@ietfa.amsl.com>; Mon, 17 Feb 2025 10:29:40 -0800 (PST)
Received: from mail3.g24.pair.com (mail3.g24.pair.com [66.39.134.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D611AC151989 for <spasm@ietf.org>; Mon, 17 Feb 2025 10:29:40 -0800 (PST)
Received: from mail3.g24.pair.com (localhost [127.0.0.1]) by mail3.g24.pair.com (Postfix) with ESMTP id 573D014C85C for <spasm@ietf.org>; Mon, 17 Feb 2025 13:29:40 -0500 (EST)
Received: from smtpclient.apple (unknown [96.241.2.243]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail3.g24.pair.com (Postfix) with ESMTPSA id 460B514D72E for <spasm@ietf.org>; Mon, 17 Feb 2025 13:29:40 -0500 (EST)
From: Russ Housley <housley@vigilsec.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3826.400.131.1.6\))
Date: Mon, 17 Feb 2025 13:29:30 -0500
References: <50AEFA36-6AEC-47BA-B0A7-3EDC6C88FCED@vigilsec.com> <CAAYYu_tV0fZgmet2z_--5YFph6SSe0d9nXvtX_hJWO12-5kZsg@mail.gmail.com> <87fs8mmfrl.fsf@fifthhorseman.net> <79D27AE6-EAD6-4C0B-9036-7F6A8174B9BB@vigilsec.com> <6F65CFE7-41E3-4B16-8DE6-0BB75AFDEC42@vigilsec.com> <1B633295-9219-4B86-B241-E6095E52D209@vigilsec.com> <ADEDFCBA-E06D-4AD2-8606-EAE19CAC46C9@vigilsec.com>
To: LAMPS <spasm@ietf.org>
In-Reply-To: <ADEDFCBA-E06D-4AD2-8606-EAE19CAC46C9@vigilsec.com>
Message-Id: <71409113-A72A-44C6-8D81-D4683E6C6E4E@vigilsec.com>
X-Mailer: Apple Mail (2.3826.400.131.1.6)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=vigilsec.com; h=from:content-type:content-transfer-encoding:mime-version:subject:date:references:to:in-reply-to:message-id; s=pair-202402141609; bh=Y0FaNrcpvyoUqP+9RoIaWgibhw5IwVwk+NVl7j+qPzQ=; b=BqZ0YAO3xGIhEwEK3QGHSPTDeRRC3XdM3SmMWJd/6j1AtDfJ6so5MnN6I0y/fvhK6wrI0K6i6RegFaLPgplkmUU3NRTBhzB/Drn+acsm/IORHxr5fxU9nNq9yDfMBSZ2WrneynWJie2OrLB6iOTVzRL+0J+Tg8barP1HjCBm/L//W5iKbpzSFZOejJ2QZSF9H/7u9UMINoS0tTsNWK1d+6Mhse5lWT0gGp1Wwc1eLATAddwGMIFBWEd8G1wio/JVPHsV1mDnQJMKnlxbilB7o4R5DZdiIanWWjVS1ImNpHdW2rZ48w1Yr3ZagSw2+5iN++fzuhr40jjWCvEYv1APLA==
X-Scanned-By: mailmunge 3.11 on 66.39.134.11
Message-ID-Hash: ZCNVZXZMJCZZSVKO7MP5IR67LRFSTFOQ
X-Message-ID-Hash: ZCNVZXZMJCZZSVKO7MP5IR67LRFSTFOQ
X-MailFrom: housley@vigilsec.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-spasm.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [lamps] Re: WG Last Call for draft-ietf-lamps-kyber-certificates-07
List-Id: This is the mail list for the LAMPS Working Group <spasm.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/vkoJZ0qninQHwSCGeSmTyE11va8>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Owner: <mailto:spasm-owner@ietf.org>
List-Post: <mailto:spasm@ietf.org>
List-Subscribe: <mailto:spasm-join@ietf.org>
List-Unsubscribe: <mailto:spasm-leave@ietf.org>

Several different reasons for people rejecting the last possible way forward were expressed, but some expressed the strong desire to allow seed, expandedKey, or both.

To see if we can get consensus, I return to the CHOICE.  However, there needs to be some normative language around the use of both.  I suggest something like:

   When the private key contains both the seed and the expandedKey, the
   sender MUST ensure that the seed produces the provided expandedKey
   when provided to the ML-KEM.KeyGen_internal function defined in
   [FIPS203].  The recipient MAY reject the private key as malformed if
   the seed does not produce the provided expandedKey when provided
   to the ML-KEM.KeyGen_internal function.

With this approach, the ASN.1 wrapping is always present.  The use of "WITH COMPONENTS" is purposefully avoided to accommodate the widest possible set of ASN.1 tools.

Using ML-KEM-1024 as an example:

  pk-ml-kem-1024 PUBLIC-KEY ::= {
      IDENTIFIER id-alg-ml-kem-1024
      -- KEY no ASN.1 wrapping; 1568 octets --
      PARAMS ARE absent
      CERT-KEY-USAGE { keyEncipherment }
      PRIVATE-KEY ML-KEM-1024-PrivateKey
      }

  ML-KEM-1024-PrivateKey ::= CHOICE {
      seed [0] OCTET STRING (SIZE (64)),
      expandedKey OCTET STRING (SIZE (3168)),
      both SEQUENCE {
          seed OCTET STRING (SIZE (64)),
          expandedKey OCTET STRING (SIZE (3168))
          }
      }

I know this alternative is not at the top of several preference lists that have been posted.  Again, we are trying to find something that everyone can live with, even if no one is completely happy.

Please voice your support or objections to this way forward.

Russ


> On Jan 8, 2025, at 3:56 PM, Russ Housley <housley@vigilsec.com> wrote:
> 
> Title: Internet X.509 Public Key Infrastructure - Algorithm Identifiers for the
>    Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM)
> Authors: S. Turner, P. Kampanakis, J. Massimo, and B. Westerbaan
> Datatracker: https://datatracker.ietf.org/doc/draft-ietf-lamps-kyber-certificates
> 
> Should the LAMPS WG ask the IESG to publish this document as a Standards-Track RFC?  Please respond to this WG Last Call by 22 January 2025.
> 
> For the LAMPS WG Chairs,
> Russ

v2.46.0 | Report a Bug | By Email | System Status