IETF Logo Mail Archive

Re: [lamps] [EXTERNAL] Proposed recharter text

Russ Housley <housley@vigilsec.com> Tue, 16 February 2021 20:26 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F2AD3A1086 for <spasm@ietfa.amsl.com>; Tue, 16 Feb 2021 12:26:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PX9Vjd26gZ2g for <spasm@ietfa.amsl.com>; Tue, 16 Feb 2021 12:26:50 -0800 (PST)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B59D93A1081 for <spasm@ietf.org>; Tue, 16 Feb 2021 12:26:50 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 13FDE300B9A for <spasm@ietf.org>; Tue, 16 Feb 2021 15:26:48 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id bpNr9XEWxYch for <spasm@ietf.org>; Tue, 16 Feb 2021 15:26:45 -0500 (EST)
Received: from a860b60074bd.fios-router.home (pool-141-156-161-153.washdc.fios.verizon.net [141.156.161.153]) by mail.smeinc.net (Postfix) with ESMTPSA id A3CDB300AE8; Tue, 16 Feb 2021 15:26:45 -0500 (EST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.17\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <DM6PR11MB4380B199021FBFFF675A0D9F9F879@DM6PR11MB4380.namprd11.prod.outlook.com>
Date: Tue, 16 Feb 2021 15:26:47 -0500
Cc: LAMPS <spasm@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <8272F35A-6824-405A-89EF-E39EED3B437A@vigilsec.com>
References: <DM6PR11MB43808FA7D74229A5997965649FBA9@DM6PR11MB4380.namprd11.prod.outlook.com> <9D01B155-6BB8-4438-8FAA-149686B69B64@vigilsec.com> <DM6PR11MB4380B199021FBFFF675A0D9F9F879@DM6PR11MB4380.namprd11.prod.outlook.com>
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>
X-Mailer: Apple Mail (2.3445.104.17)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/wZxuA2MzsEidyNbG3_WZysnykC4>
Subject: Re: [lamps] [EXTERNAL] Proposed recharter text
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Feb 2021 20:26:54 -0000

Mike:

We need to be driven by contributions.  I do not think an I-D is the right thing here.  We could used a CodiMD document or the LAMPS WG wiki (which has not seen any use to date).

Russ


> On Feb 16, 2021, at 3:16 PM, Mike Ounsworth <Mike.Ounsworth@entrust.com> wrote:
> 
> Russ, your 5 a&b look good to me.
> 
> I am eager to see the discussions around scoping the PQC effort. For example, I recently received a question about whether draft-ounsworth-pq-composite-sigs-04 is compatible with RFC 5914. The answer is Yes, but the point is that we're probably in for an n x m amount of work where n is the number of hybrid / dual mechanisms we standardize, and m is the number of RFCs to check for compatibility. 
> 
> I wonder if it's worth an I-D to keep track of which RFCs will need updating for PQC, and who's leading each one?
> 
> ---
> Mike Ounsworth
> 
> -----Original Message-----
> From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
> Sent: February 10, 2021 2:22 PM
> To: LAMPS <spasm@ietf.org>
> Subject: [EXTERNAL] [lamps] Proposed recharter text
> 
> WARNING: This email originated outside of Entrust.
> DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.
> 
> ______________________________________________________________________
> I propose the attached recharter text.
> 
> Tasks 1-3 are unchanged from the current charter,
> 
> Task 4 is a slightly edited version of the text proposed by DKG after IETF 109.
> 
> Task 5 is the text that came out of the discussion that followed the virtual interim at the end of last month.
> 
> Task 6 was raised in the discussion that followed the virtual interim at the end of last month.  In my view, it is too early to work on advancement of RFC 8550 and RFC 8551, but putting it in the charter now will allow us to tackle them when they are well deployed.
> 
> Russ
> 
> = = = = = = = =
> 
> The PKIX and S/MIME Working Groups have been closed for some time. Some updates have been proposed to the X.509 certificate documents produced by the PKIX Working Group and the electronic mail security documents produced by the S/MIME Working Group.
> 
> The LAMPS (Limited Additional Mechanisms for PKIX and SMIME) Working Group is chartered to make updates where there is a known constituency interested in real deployment and there is at least one sufficiently well specified approach to the update so that the working group can sensibly evaluate whether to adopt a proposal.
> 
> The LAMPS WG is now tackling these topics:
> 
> 1. Specify the use of short-lived X.509 certificates for which no revocation information is made available by the Certification Authority.
> Short-lived certificates have a lifespan that is shorter than the time needed to detect, report, and distribute revocation information.  As a result, revoking short-lived certificates is unnecessary and pointless.
> 
> 2. Update the specification for the cryptographic protection of email headers -- both for signatures and encryption -- to improve the implementation situation with respect to privacy, security, usability and interoperability in cryptographically-protected electronic mail.
> Most current implementations of cryptographically-protected electronic mail protect only the body of the message, which leaves significant room for attacks against otherwise-protected messages.
> 
> 3. The Certificate Management Protocol (CMP) is specified in RFC 4210, and it offers a vast range of certificate management options.  CMP is currently being used in many different industrial environments, but it needs to be tailored to the specific needs of such machine-to-machine scenarios and communication among PKI management entities.  The LAMPS WG will develop a "lightweight" profile of CMP to more efficiently support of these environments and better facilitate interoperable implementation, while preserving cryptographic algorithm agility.  In addition, necessary updates and clarifications to CMP will be specified in a separate document.  This work will be coordinated with the LWIG WG.
> 
> 4. Provide concrete guidance for implementers of email user agents to promote interoperability of end-to-end cryptographic protection of email messages.  This may include guidance about the generation, interpretation, and handling of protected messages; management of the relevant certificates; documentation of how to avoid common failure modes; strategies for deployment in a mixed environment; as well as test vectors and examples that can be used by implementers and interoperability testing.  The resulting robust consensus among email user agent implementers is expected to provide more usable and useful cryptographic security for email users.
> 
> 5. Recent progress in the development of quantum computers pose a threat to widely deployed public key algorithms.  As a result, there is a need to prepare for a day when cryptosystems such as RSA, Diffie-Hellman, ECDSA, ECDH, and EdDSA cannot be depended upon.  As a result, there are efforts to develop standards for post-quantum cryptosystem (PQC) algorithms that that will be secure if large-scale quantum computers are ever developed.
> 
> a. Specify the use of PQC public key algorithms with the PKIX certificates and the Cryptographic Message Syntax (CMS).
> 
> b. Develop specifications to facilitate a lengthy transition from today's public key algorithms to PQC public key algorithms.  Unlike previous algorithm transitions, time will be needed before there is full confidence in the PQC public key algorithms.  Therefore, transition mechanisms that combine traditional algorithms with PQC algorithms will be needed for "hybrid key establishment" and "dual signatures".  NIST defines "hybrid key establishment" as any key establishment scheme that is a combination of two or more components that are themselves cryptographic key-establishment schemes.  NIST defines "dual signatures" as any signature scheme that consists of two or more signatures on a common message.  The specifications developed will enable PKIX and S/MIME protocols to support hybrid key establishment and dual signature mechanisms.
> 
> 6. Progress RFC 5280, RFC 6960, RFC 8550, and RFC 8551 to Internet Standard status.
> 
> In addition, the LAMPS WG may investigate other updates to documents produced by the PKIX and S/MIME WG. The LAMPS WG may produce clarifications where needed, but the LAMPS WG shall not adopt anything beyond clarifications without rechartering.
> 
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/spasm__;!!FJ-Y8qCqXTj2!J7Kr6iwywnCBq5P58y1PfJ-jW9MmMeTtPxgd7pmX_sRyjELD5UsRT2imMIXVg_k9a4aPsvyRCg$

v2.23.0 | Report a Bug | By Email