IETF Logo Mail Archive

Re: [lamps] PQ-composite OR or K-of-N logic

Russ Housley <housley@vigilsec.com> Wed, 04 May 2022 15:52 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE3BDC15948A for <spasm@ietfa.amsl.com>; Wed, 4 May 2022 08:52:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.894
X-Spam-Level:
X-Spam-Status: No, score=-6.894 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4tbauPXO_w1E for <spasm@ietfa.amsl.com>; Wed, 4 May 2022 08:52:35 -0700 (PDT)
Received: from mail3.g24.pair.com (mail3.g24.pair.com [66.39.134.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4403AC147921 for <spasm@ietf.org>; Wed, 4 May 2022 08:52:35 -0700 (PDT)
Received: from mail3.g24.pair.com (localhost [127.0.0.1]) by mail3.g24.pair.com (Postfix) with ESMTP id 314A813F05E; Wed, 4 May 2022 11:52:34 -0400 (EDT)
Received: from [10.0.1.2] (pfs.iad.rg.net [198.180.150.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail3.g24.pair.com (Postfix) with ESMTPSA id 0BF0513EEEA; Wed, 4 May 2022 11:52:34 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <4680F729-CEDF-434E-9F2B-068AA6E149E9@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_8DD17E2F-A6F5-412D-9AF8-29E56C45A332"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
Date: Wed, 04 May 2022 11:52:33 -0400
In-Reply-To: <b955611d3638496f974e3b8c42fc7897@d-trust.net>
Cc: LAMPS <spasm@ietf.org>
To: "\"Klaußner, Jan\"" <Jan.Klaussner@d-trust.net>
References: <f2fb2b2459fe42818348838eb14cc2ac@EX13D01ANC003.ant.amazon.com> <1312273.1650733310@dooku> <ca18a6bf6cb74756ac942fb514c82d78@d-trust.net> <F24836DA-1304-4379-B91D-BBB4F012A888@vigilsec.com> <6cff3100963349cb8399bbe853e2186f@EX13D01ANC003.ant.amazon.com> <b955611d3638496f974e3b8c42fc7897@d-trust.net>
X-Mailer: Apple Mail (2.3445.104.21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/wvkWRZMqo9cwykg9CLQZt06CMHc>
Subject: Re: [lamps] PQ-composite OR or K-of-N logic
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 May 2022 15:52:39 -0000

You seem to be confusing the certificate policy and the signature policy.  Please see RFC 3125 and RFC 3126 for a discussion and specification of signature policy in the context of a CMS signature.

Russ


On Wed, May 4, 2022 at 5:37 AM Klaußner, Jan <Jan.Klaussner@d-trust.net <mailto:Jan.Klaussner@d-trust.net>> wrote:
Hi Panos,

as I stated in another post in this thread, in the non-repudiation or content commitment use case the signer must hint how the verification should be done in order to be held accountable.

> -----Ursprüngliche Nachricht-----
> Von: Kampanakis, Panos <kpanos@amazon.com <mailto:kpanos@amazon.com>>
> Gesendet: Mittwoch, 27. April 2022 16:13
> An: Russ Housley <housley@vigilsec.com <mailto:housley@vigilsec.com>>; Klaußner, Jan <Jan.Klaussner@d-
> trust.net <http://trust.net/>>
> Cc: LAMPS <spasm@ietf.org <mailto:spasm@ietf.org>>
> Betreff: RE: [lamps] PQ-composite OR or K-of-N logic
> 
> +1 to Russ' point about RFC4998.
> 
> And to reiterate:
> 
> > There would be an immediate need to reconfigure or update
> verifier/signing software not to use this algorithm anymore, but there is
> some more time to replace the algorithm in the PKI.
> > The k-of-n mode here is providing this agility and also the increased
> security of the AND mode, simply put.
> 
> That does not need the signer to define the k-of-n logic. The signer will just
> create n signatures and put them in a composite one. The verifier will verify
> k-of-n and pass verification. No need for upgrades. And no need for the
> AND, OR, K-OF-N logic to be added in the composite signature or public key
> to complicate things.
> 
> 
> 
> -----Original Message-----
> From: Spasm <spasm-bounces@ietf.org <mailto:spasm-bounces@ietf.org>> On Behalf Of Russ Housley
> Sent: Wednesday, April 27, 2022 9:44 AM
> To: "Klaußner, Jan" <Jan.Klaussner@d-trust.net <mailto:Jan.Klaussner@d-trust.net>>
> Cc: LAMPS <spasm@ietf.org <mailto:spasm@ietf.org>>
> Subject: RE: [EXTERNAL][lamps] PQ-composite OR or K-of-N logic
> 
> CAUTION: This email originated from outside of the organization. Do not click
> links or open attachments unless you can confirm the sender and know the
> content is safe.
> 
> 
> 
> Jan:
> 
> A notary is often used when a signature needs to be verifiable for many
> decades. RFC 4998 specifies the Evidence Record Syntax (ERS), which can be
> used to apply additional signatures by a notary.
> 
> Russ
> 
> > On Apr 27, 2022, at 4:36 AM, Klaußner, Jan <Jan.Klaussner@d-trust.net <mailto:Jan.Klaussner@d-trust.net>>
> wrote:
> >
> > Hi all,
> >
> > First I completely agree with Michaels view on verification policies.
> > Especially in open PKIs that are not under control of one company
> > there is a need to signal how verification should be done.
> >
> > On the question about use cases beside the PQ transition: We believe
> > there is a high probability that new algorithms are successfully
> > attacked during the next decades.
> >
> > Therefore we want establish some agility in an PKI to more easily
> > switch algorithms without an immediate PKI rollover. In our case we
> > are also talking about use cases for document signing or long term
> > encryption, where digital signatures need to be valid for longer
> > periods, sometimes up to 50 years.
> >
> > So in case one algorithm is broken, the documents still remain secure/valid.
> > There would be an immediate need to reconfigure or update
> > verifier/signing software not to use this algorithm anymore, but there
> > is some more time to replace the algorithm in the PKI.
> > Once again, this is even more important in an open PKI.
> >
> > The k-of-n mode here is providing this agility and also the increased
> > security of the AND mode, simply put.
> >
> > I hope our point is now more clear to the group
> >
> > Br
> > Jan
> >> -----Ursprüngliche Nachricht-----
> >> Von: Spasm <spasm-bounces@ietf.org <mailto:spasm-bounces@ietf.org>> Im Auftrag von Michael
> Richardson
> >> Gesendet: Samstag, 23. April 2022 19:02
> >> An: LAMPS <spasm@ietf.org <mailto:spasm@ietf.org>>
> >> Betreff: Re: [lamps] PQ-composite OR or K-of-N logic
> >>
> >>
> >> I read through the list and the slides.  I couldn't be at the meeting
> >> on Wednesday as I was travelling.
> >>
> >> The document starts off with:
> >> "Even after the migration period, it may be advantageous for an
> >> entity's  cryptographic identity to be composed of multiple
> >> public-key
> > algorithms."
> >>
> >> Panos and a few others have complained that the document attempts to
> >> have signers tell verifiers what to do, and this should really a
> >> verifier
> > policy.
> >> Well, that would make a lot of sense for a CMS signature on your
> >> Mortgage, or your MUA verifying my email.
> >>
> >> But, signers REGULARLY tell verifiers what they've done and how to
> >> verify things, and that's in the context of Certificates.  We have
> >> all these
> > policy
> >> OIDs, and CSPs, and Path Constraints, and ...  These are all signals
> >> from
> > the
> >> signer to the verifier.  The verifier can, of course, have a policy
> >> that
> > says that
> >> they ignore CSPs or Path Constraints, or...
> >>
> >> I guess that the k-of-n part was in the slides only, as it's not in
> >> the
> > document
> >> that I could see.
> >>
> >> I go back to the text I quoted above, and thinking about k-of-n.
> >> I'm thinking that if there are more uses for the Composite-Or and
> >> Composite-AND structures than *just* PQ transition, that the ROI on
> >> implementing them may be much higher.  And thus the likelyhood that
> >> we'll discovery and fix bugs relating to the new constructs is much higher.
> >>
> >> I think that we can agree that the last thing we want is a widespread
> >> bug
> > in
> >> validation, at the point where we find it critical to transition.
> >>
> >> ps: I giggled when I read ~~~ BEGIN EDNOTE 10~~~
> >>
> >>
> >>
> >>
> >>
> >> --
> >> Michael Richardson <mcr+IETF@sandelman.ca <mailto:mcr%2BIETF@sandelman.ca>>, Sandelman Software
> Works
> >> -= IPv6 IoT consulting =-
> >>
> >>
> >
> > _______________________________________________
> > Spasm mailing list
> > Spasm@ietf.org <mailto:Spasm@ietf.org>
> > https://www.ietf.org/mailman/listinfo/spasm <https://www.ietf.org/mailman/listinfo/spasm>

_______________________________________________
Spasm mailing list
Spasm@ietf.org <mailto:Spasm@ietf.org>
https://www.ietf.org/mailman/listinfo/spasm <https://www.ietf.org/mailman/listinfo/spasm>


-- 
Mike Jenkins
mjjenki@cyber.nsa.gov <mailto:mjjenki@tycho.ncsc.mil> 
443-598-7837
_______________________________________________
Spasm mailing list
Spasm@ietf.org
https://www.ietf.org/mailman/listinfo/spasm

v2.23.0 | Report a Bug | By Email