IETF Logo Mail Archive

Re: [lamps] [smime] Problems with versions

Peter Gutmann <pgut001@cs.auckland.ac.nz> Fri, 06 May 2022 12:08 UTC

Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 59C3CC157B53 for <spasm@ietfa.amsl.com>; Fri, 6 May 2022 05:08:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R4Qy99JC0ddV for <spasm@ietfa.amsl.com>; Fri, 6 May 2022 05:07:59 -0700 (PDT)
Received: from au-smtp-delivery-117.mimecast.com (au-smtp-delivery-117.mimecast.com [103.96.21.117]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F953C157B4B for <spasm@ietf.org>; Fri, 6 May 2022 05:07:59 -0700 (PDT)
Received: from AUS01-ME3-obe.outbound.protection.outlook.com (mail-me3aus01lp2241.outbound.protection.outlook.com [104.47.71.241]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id au-mta-79-MPTd3iUrMPyPGb3i5hl-ZA-1; Fri, 06 May 2022 22:07:55 +1000
X-MC-Unique: MPTd3iUrMPyPGb3i5hl-ZA-1
Received: from SY4PR01MB6251.ausprd01.prod.outlook.com (2603:10c6:10:10b::10) by SYCPR01MB3439.ausprd01.prod.outlook.com (2603:10c6:10:33::9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5227.20; Fri, 6 May 2022 12:07:53 +0000
Received: from SY4PR01MB6251.ausprd01.prod.outlook.com ([fe80::4d78:e58:4ae1:d3ec]) by SY4PR01MB6251.ausprd01.prod.outlook.com ([fe80::4d78:e58:4ae1:d3ec%7]) with mapi id 15.20.5206.027; Fri, 6 May 2022 12:07:53 +0000
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Russ Housley <housley@vigilsec.com>
CC: IETF SMIME <smime@ietf.org>, LAMPS <spasm@ietf.org>
Thread-Topic: [smime] Problems with versions
Thread-Index: AQHYXXIMHf7j2iQTy0ie4a2+MgHkeK0LkVWAgASshiGAACZXAIABYdOogAACmVw=
Date: Fri, 06 May 2022 12:07:53 +0000
Message-ID: <SY4PR01MB6251FA7BEE2598A2A49E8E03EEC59@SY4PR01MB6251.ausprd01.prod.outlook.com>
References: <SY4PR01MB6251E381603FAFE558685D86EEFE9@SY4PR01MB6251.ausprd01.prod.outlook.com> <CA16AFE1-CB97-4134-8FC9-4B8B964ACD6E@vigilsec.com> <SY4PR01MB62512D541C42E6873562A17CEEC29@SY4PR01MB6251.ausprd01.prod.outlook.com> <4447881C-4DEA-48E1-9767-9A6DA2AD07B0@vigilsec.com> <SY4PR01MB6251A8BAFF80ECC2B8BC8862EEC59@SY4PR01MB6251.ausprd01.prod.outlook.com>
In-Reply-To: <SY4PR01MB6251A8BAFF80ECC2B8BC8862EEC59@SY4PR01MB6251.ausprd01.prod.outlook.com>
Accept-Language: en-NZ, en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels:
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: d3b2e847-5359-40ed-1312-08da2f590c71
x-ms-traffictypediagnostic: SYCPR01MB3439:EE_
x-ms-exchange-atpmessageproperties: SA|SL
x-microsoft-antispam-prvs: <SYCPR01MB34390EB412E8FE60D24FA9C9EEC59@SYCPR01MB3439.ausprd01.prod.outlook.com>
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0
x-microsoft-antispam-message-info: Wjf2ChHck3hci0xUopuPmuvdI38/Mce7wKnADu1z10gP14LpRNsKPiNT4qfU6fYaRVN0JV9HgJ7OWaGLbDb69QGUwleq2RNrSr6LI2MOdhjbuMWU9Mo4ouDluSvt9/risdY0O9cc0Q6mVnYeoHxW5lK2G9/vXOLShS7yTSq4e6wZX48kG2mX3ke+wv4C4ayxiRgRmUT81JpInvHwj9aL/oKcnG0Ckwp2HP9XxBlBcFIQKiqv567+Xazh7ipJ6nWW3wwdAQqvewLIVUm0ccxqGwim7bSvQ2hVeIK10nrUtDiRFGgPO0fktzHjb+SeGKPS7r6I64RHa+jPZJQJf5OXe+1btx60aQ0qKYNtsE4tBOVDpvC+Ryl2c8dImpzJLbs7auHCDedsQ3WBUKp72ZPld5MuQQZ4sresR/cY5m4SZ3CT6VFihs/Zs8mJ5O7+UHk6LH6jAmyazKbdZrHqYO5OQPkNshCOC6g7S//mSWahCMUYl/P6WCy63m4c7NalEv37vT7L3cMMabZgiA0qvjmeGe2FWEzQiVs/A9pfnduNa7puOlTXDjMli9JBUWooffc2y+xRv9/ZlmuQJ6WhJIAxye7XdMyHAyFnycn9AIv8sYh6JsAN5O5RrxRPGnBYa6LzsNM37TM9r9nnmKlnT3FZ6YolxswKS3MeHNqZiO7Mv4EF/+VOWFgdLJ8rf+PKzt+RV2OJ6Zs42FPeP/KHq1TyvQ==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:SY4PR01MB6251.ausprd01.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230001)(4636009)(366004)(86362001)(64756008)(66446008)(8676002)(186003)(4326008)(2906002)(83380400001)(9686003)(2940100002)(66476007)(26005)(38070700005)(38100700002)(66946007)(6506007)(316002)(66556008)(5660300002)(786003)(7696005)(52536014)(122000001)(33656002)(76116006)(8936002)(6916009)(54906003)(508600001)(71200400001)(55016003); DIR:OUT; SFP:1101
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: zGiaQ9CWUNKqpV9xdlyPhH+b3twBx8+N15rVg/pTSoTlztLYZalQwEZPEHo78UWfw+n+qxW249+rOo1ALxlUgTeXneg57b7DA/iTogMutBCbn6AsyLD/AdEz+dg2WjePwd/xO/pJgBySV1GgLQEcT4uGiY3J/7UYeM2QoNFdgbe924yyAq9j6gIquazwPtVm8Pxuhd3ai78GYhB+nlERr16XyObaYheYPM1hSKHjScJIt5mPguYFvNV/Zq+7tdGH8R4q1NAU/qy2EnTo6n7xFZAbJdpw1XI3dQmjbiSBGCM2YRplE4M5WxL6gh2vBz93AvGPN8cySLgVpsZdRoZ2asBSeso0pCf20bfVCXXM1VWdwSHjLRNCaAh60s4aU1MZv+ld9e0rbbkCYSGl2xi3TT/LNw6oXZsOBf3dKCEDfFlV2ByMJoRHEAM/FaE4jdmjHPSkJGE+R7+5DONVrVPEieQxQWiIfNPPNU3KqoNHvu1IQtX3LBMHQvjs45FeY9S4maRFyT7VTj5U08B2fOaHJIFBfojKlwVp4THItqaz3ij3vV1I7mM2dSTwVU+F+dYaPuZnQzKDmw/CL3TTWzTOe67zSSHUmGD2YvPyvK8oAB2dA+wuAMotj4JbsZLeFaOcttAWDrbbFLqxzL/wYApYpLlvHmzigutT9LihRid2M4hKkGK/O7QbwLSR2fBAa+T9rZmFwTx/FLPHu+oYwQj4NN3XOjiFm+kdqKmBMBuMQtuuyRmEOsfX5/trFvQdTSXlU6EtYWfYHF2kXBO/ur+k0MFNcSmdfZ6SZLvN+bgNq2O/L2Uo3dp2i4L80gZfOPljLsmbHcu8Do0lxu2EkqhQf/WxSfg25mnqOsr/dRfFSYJ7ZBw7wZ4zGv4gcgFZrYDWOBHYdUTk+epg9qtL4R2ZAteiw8HulJoQT29SdnkoEV+OK+m+gP326Lx7X+k7+budJrK9uIVJpCiYqTINxLcBy4gDQ11VWxlIhaJ9VGfCnN2qFBmwkj6IbwkuzRtZ1mT3FIATUtDiniKtRDi/VCzksxVmKlxYEdZ87oMEIkO/AdyF4kuHb7NUawx8AT36heHa787HtCwjsPXCC0ykEtAKAWjpewucj2DX7i/O1W6LYIT+/yHUSZyTusxt0PpjEaGQl3h5AxQ9ga3KOJ9HvNyV4qqsB/U2kmG0EH2Pk1lm4yws3WMavJjwzYlB5Lfp7lrmj4rJnjtVMMRgAQz0lznmeLSagLt3nDSaBLS+9gUm8PdfEZfbbBSMQVYppc/XwdSCIaw1H9sOKCHGq+6kVFufDqAyW8Nyr/RetGGs5EeEYHGIP60wr2+z/ZDvdJrDvX+h7QCS4UvDZTpEAZig+TLyjekq8jw98rhvMuoDJoeD9hOeD5LuEv7HLsVF3WNL9+olElG3xAp3YmdBFnEICSXy99Sy71VNFI+7F/MmlSH81PJ0EbdRElKeqafNgsmFrtF4BP84cBpP2KK1lSYFt39p2TjUnUjDwPfpXef+EwE953OvfJpORLug1IwRYx5z0TlUdZ0UAFIhlRxByfbIsbILdUe8WJZhUEgcklM0DyF4L9R4yDiB6BdctJXcHi+KgHfI9ZUtCjJuYqCNZfYd7UQBfTxO3T/KEwx9l3oqZiRg8CLkc1lOWkeYpmtyfl0X/RRpG9Lw3EtsEhxKifL3F7Rw8cxTwOXCfsMVceSZCplyHjGoo/4Llqj0vKE6cXMbxUSEBHcEcKSxfVxIp1SqACCPtY01+FAqLjqwE2cWkdJIZOo=
MIME-Version: 1.0
X-OriginatorOrg: cs.auckland.ac.nz
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SY4PR01MB6251.ausprd01.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: d3b2e847-5359-40ed-1312-08da2f590c71
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 May 2022 12:07:53.3053 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: d1b36e95-0d50-42e9-958f-b63fa906beaa
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: mP3VIOrm/+yvdcLYYdKy+e42AFrUZUTz233csZ2vplUasgk36pxLqPa47vWyoR/7BHZ6UDavQm3aZl09Nb1KkfT+/ZL4z97amsxWYz8PNKA=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SYCPR01MB3439
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: cs.auckland.ac.nz
Content-Language: en-NZ
Content-Type: text/plain; charset="WINDOWS-1252"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/xZW62LJXx02Ag2wWn8K1cgrcCis>
Subject: Re: [lamps] [smime] Problems with versions
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 May 2022 12:08:03 -0000

I wrote:

>changes are necessary at some point, e.g. due to PQC.

Here's a concrete example of this, let's say there's a new SignerInfo
introduced due to PQC, with version 42.  Since there's a ton of non-PQC
implementations out there, the forwards-compatible way to deal with this is to
sign each message twice, once with an existing algorithm, once with a PQC
algorithm.  So the SignedData would be:

SignedData {
    version = ?,
    digestAlgorithms,
    content,
    signerInfos {
      signerInfo version = 1,
      signerInfo version = 42
      }
    }

An implementation that only understands non-PQC will use the v1 signerInfo, an
implementation that understands PQC will use the v42 signerInfo (or possibly
both).

So, what value should '?' have?  Following the current usage in the RFCs,
it'll be set to 42, or at least some value other than any existing allowed
one, which means this forwards-compatible use of SignedData won't actually be
forwards compatible, not because of any actual real compatibility problem but
because of an artificial one created by the way the SignedData version is
used.

Peter.

v2.23.0 | Report a Bug | By Email