IETF Logo Mail Archive

Re: [lamps] Proposed recharter text

Mike Ounsworth <Mike.Ounsworth@entrust.com> Wed, 10 March 2021 23:03 UTC

Return-Path: <Mike.Ounsworth@entrust.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 902273A0B6C; Wed, 10 Mar 2021 15:03:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=entrust.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D4mKxMD9aE8s; Wed, 10 Mar 2021 15:03:47 -0800 (PST)
Received: from mx07-0015a003.pphosted.com (mx07-0015a003.pphosted.com [185.132.183.227]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 18A0A3A0B83; Wed, 10 Mar 2021 15:03:46 -0800 (PST)
Received: from pps.filterd (m0242864.ppops.net [127.0.0.1]) by mx08-0015a003.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 12AMsJxl008631; Wed, 10 Mar 2021 17:03:30 -0600
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=entrust.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-transfer-encoding : mime-version; s=mail1; bh=+jBMEgUgFP7SvItm4gmZKzMmSqpvJ/C5UAl5ymAUqyw=; b=RnJc7c7iuBNHu+TCJZShYo+Q60snnEfn9qaSbI+ShSNdLeY9xWN4IRfEE2mWFXoQns2d 8F8vwhencLZoq3m+KLxTxf0lEw78m4QkENrNrdCVNUQfQfbc3mG+tH0SoA2GW3tiWQlw OUtqgFVTfUhBsBHKpghdASrUOpMvfpodpY+nRy3+Y70Tpxmunjv4N1uN2MVV+EOwfQt3 7z2bxg8VZ94jDD7Vs2peVxiuvTJ5Ib+N8Ojb1MAfJX29Zf//qFUuW0XFlehGfpVvBvxX +0sEHJJyK3k2jAq3ni9DOG4lvoD9bxxQHAE9POfL2+kDbnjmNxKycHnCRkkNC/CEr1kR sg==
Received: from nam04-bn8-obe.outbound.protection.outlook.com (mail-bn8nam08lp2041.outbound.protection.outlook.com [104.47.74.41]) by mx08-0015a003.pphosted.com with ESMTP id 3747a917fw-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 10 Mar 2021 17:03:29 -0600
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Y8vQHNbc5yF+NDkI2ALmXu9BxcjzaVNh3hFQ1dm0XL2uQiPv4QIrcSGjPp2V6cqA2kxEgYxBcooxO6GH5dHXSLhMu13vlSbYTL8UErPQIjzkq6igcG/J6RFztoKJRYCTh3S5gB8an8qfK8yZuk32anDkEoPvpBSVZSwBt36bf6qGWl7soFfGsx9MzORET4dGmnQNdeQVjoDIdny2usV4i1uaPT5/i4NaAOMvkgIOrAHDf8Fcq5YIPk4+75DVD8NQx37KmdYIP8zjmTUvW9KySJgRDKmOEd05YZoLramqAdalWTLBIb8z4JfsRdrQCVjELHZtyA+wdk3lkXcpyGWdkg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=+jBMEgUgFP7SvItm4gmZKzMmSqpvJ/C5UAl5ymAUqyw=; b=YIMwEjhKExKmCRLfwJgH4RjetKrG/F55ubAviyVuCU25BWKBwZS/LVB8G6yDJb7OvTgK5n7IgYTZRPTx5uAANTvIwESicvFk5dJKue+lzKnEVCBFWYDvTcHIUVyf/Yu45vwuLRSsJJO6tY/gDNulzREskENbJGRmqR+DN6wF5dm+UbbjrSVZ6cq4DpyyTsRewWctjqQ8/6O8mtQShs3iEi8fIMAgOVVsE2+Ckl2GlhrvE6BGIG/kE6wxf7w8b178XuWQ+WVhlUknXWdTNsFBOF1XBo949zbFLNAuYQBlniEMWCrB9vF5DBMkLiBKQe2diGUTZZX3zWk8GLOfjvNTYA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=entrust.com; dmarc=pass action=none header.from=entrust.com; dkim=pass header.d=entrust.com; arc=none
Received: from DM6PR11MB4380.namprd11.prod.outlook.com (2603:10b6:5:14e::20) by DM6PR11MB2570.namprd11.prod.outlook.com (2603:10b6:5:ce::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3912.30; Wed, 10 Mar 2021 23:03:26 +0000
Received: from DM6PR11MB4380.namprd11.prod.outlook.com ([fe80::a500:2ae3:a6c4:bc13]) by DM6PR11MB4380.namprd11.prod.outlook.com ([fe80::a500:2ae3:a6c4:bc13%4]) with mapi id 15.20.3912.027; Wed, 10 Mar 2021 23:03:26 +0000
From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
To: Roman Danyliw <rdd@cert.org>, Benjamin Kaduk <kaduk@mit.edu>, "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>
CC: LAMPS <spasm@ietf.org>
Thread-Topic: [lamps] Proposed recharter text
Thread-Index: AQHXFf00XDuicXPMtUanHxxqIyPGZap90vtA
Date: Wed, 10 Mar 2021 23:03:26 +0000
Message-ID: <DM6PR11MB4380F5390EB5D37651A129129F919@DM6PR11MB4380.namprd11.prod.outlook.com>
References: <DM6PR11MB43808FA7D74229A5997965649FBA9@DM6PR11MB4380.namprd11.prod.outlook.com> <9D01B155-6BB8-4438-8FAA-149686B69B64@vigilsec.com> <BN7PR11MB254762EDB050588E65B423B2C9869@BN7PR11MB2547.namprd11.prod.outlook.com> <038A4AA3-96A5-4827-BEEB-12B58F49102B@vigilsec.com> <b82901c00c6847fe9a8f420275d74ccc@cert.org> <DM6PR11MB43805BE3FEFD91A5BDD592EF9F939@DM6PR11MB4380.namprd11.prod.outlook.com> <f6b83156ae704d459125bf4157578e86@cert.org> <DM6PR11MB43806CB904AD424D1B925E799F919@DM6PR11MB4380.namprd11.prod.outlook.com> <0CC020DD-215E-4B1A-BBB9-F849BE6F3A3C@akamai.com> <20210310145410.GX56617@kduck.mit.edu> <98b073fb1215410492e209ef4ca8833f@cert.org>
In-Reply-To: <98b073fb1215410492e209ef4ca8833f@cert.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: cert.org; dkim=none (message not signed) header.d=none;cert.org; dmarc=none action=none header.from=entrust.com;
x-originating-ip: [4.19.72.62]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 748808f9-a7b9-4087-8ad8-08d8e418b65c
x-ms-traffictypediagnostic: DM6PR11MB2570:
x-microsoft-antispam-prvs: <DM6PR11MB257043C1F64C9DE3FA8BDFE39F919@DM6PR11MB2570.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:4941;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: slag2vqQi/J3Dvh7nV3Re4sA2SFBdptQSZX9nGGBXxOF4rSUZfgbM+HjZnQUO48IdLjCcBEATRjhkrDu10r4dlY9WRdvjWSQ13HF97VQpDT8e1+7HwKj2N0qV3Tgy5UuZ1BOx18lzB3ufTXIgeXsOIpU8Lci0vCDNXEo+i1BEuRpQ3UCM36BwOAgntS0WbeRhkYbuLg8q2ou2Qp7blv8EWKxDdoZpnJB7dZhmwfWIFtQXShLmXzcOygLvV4hdoPNkVtC38x2qTJgKRhFuqCSrF9B9GyuKzT6cCDrPyqQfBYYxpFdTjFxYTf8eyhrVRUiRO35/1TgOhU7TA0mFcao4w7vW2zmWQnhKy90V1D3J98DGUPguhV14eEasxk3DPLVSpip4OhzHmkIHSGjz7d4hzzNnsKgF9zsBS50qW6tUuy2a/0PVCIOfC0Ug8Eht2t09DxjqYW5Vt2if7A/zxFPrJ4vtTuSMfbuXs6b+L6x0JMTajo18pokvX/m/u1PCLjb5EIiAkEgw901GYuSCMU3uIbUwRYulZotwQpaXYmBKsuOs058RC8RVyYXKY7pq8MsCsl2ge5xuoeViVHCIJGaso3D3GVg+3Oj4jR7dPHL53Q=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM6PR11MB4380.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(366004)(396003)(376002)(39860400002)(346002)(136003)(7696005)(4326008)(2906002)(5660300002)(6506007)(52536014)(83380400001)(316002)(53546011)(9686003)(110136005)(55016002)(86362001)(66556008)(66946007)(76116006)(66446008)(478600001)(33656002)(186003)(26005)(8936002)(71200400001)(8676002)(66476007)(966005)(64756008); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: nhJev6O07wdrmk66Fm4E5n8X0pHC51dQ0nMwpfGRObLGryWwVN3Hh/Tb6OVkodypkTL0NssSTCK425YdO0YvskAkLIa85OPam8lSwYqqZOvQrfckSFu8OmJYbVlJCDKEXS22+2xQrsL1vQY9HDmCNZVxcX8MerzugHxoForvZuswsiAWZRwRs5VNaM999K1eW4DX0p96uJcVRaqPU4rtW1s1Cz6rWOeuyv220ySksgm7S+3SyZI9LkAxvrdMZEZ0xAcFdccE+HsPkXPbbCGjCK+qcr7zgEmMyk0e8ll7EDZ7qYeB5KYXZq0GX8/DbwjXXxr6BYRRJlFDJU3Lu4flgXQu2wo9HEhkA7b3IKg2BSm4jbIqM1gCxla+32w30wTdgAvQ1kgrS8Dg8wvRcN1RjqBYActF1/Lsx3UKe94verXCFbE6qdHZ8FbN3w9p1pAEGKIvRRSMYVYfnW5a+iFeOT9q1AyEtjqlyTsIss2XJYD/GyWbU/aWXHPwPKmOLt6yMAoi49KvYjc12UAE3qEImM6GnJ/YfKZhjuJIVNDSH3Y4LC14Y5r17Ojem4WU2mIz3/TKk5mrAFLgiLtPmYVXa/BvJZZr7yJIvsvN6YQC2Hs+iDOr0a35cZluDuBYjCrnc34+9OK4kyl2lg2Madvcf1zv3hrVZUcWenqAQQdh/qlYhilqI21jggkmd/9UolQljBA5ozmdPjqk/hcjzcjoEkBR5I1nxS6x8pZzN+sgInHXByJCcX34wFtb8OSJ5gMJ6ULlj0XBXbN+HFtrEftHyVFk6xOz2/0Vgqntel7+t28jo+ozrqoqGxuFYao9b+zx9iQWj2xmqrl8uIzry5tkbVPCRi0EFOrnRF6ZMcATXsM+BfJL6pEjZ9sfGw2pKy+eV0gW6V0HVfKhY9YMoCHVsa48xZwXnuxf6O05wJTJUtN9XWQJYPUXRXH8piOlnofF5x2b6lKoTX/WMg5cUWpKbb++EGVtwVRXad/Ywnxx8VUD/gaNJk9BRlCiN6DX7qPyGle4ECAoS8ClqGOSTlT+IN8gxBLXkQXSMUP9GPdWsSBH8Q328VhPK2ucVLWC8xaliaNkInKlgfPEq2mCkK+NyWto41VRC/cCtCWwH3lNjzaIzuocWO4WtBMa/B4XsORH4EX8BGmljkePspfgAbpoS2Z8LdjMpfwM/BaIM3aoQ16pgGXiDiGugjsYMoA71nWIsV0pCSrnxk2KP6JhVT5tKxolNdTpfPFSLQ3w6+Wer/GakDm3vN0C65qDcjIqBT6SuLnWivVqFO253dgIqpiWy4l9eNjg8lWulMRVr4uR1NA=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: entrust.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM6PR11MB4380.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 748808f9-a7b9-4087-8ad8-08d8e418b65c
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Mar 2021 23:03:26.2261 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f46cf439-27ef-4acf-a800-15072bb7ddc1
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: YjhgTXeZvWD402iJWOrbd87CTdSBd/S/CCtgPPPk8Lk4/NILcD/VuooxFJj+eOdlTlCYFy/tsC7nDa3byCZlIjNjoWuE7RlEfR+C90SmQeA=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR11MB2570
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.369, 18.0.761 definitions=2021-03-10_13:2021-03-10, 2021-03-10 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 lowpriorityscore=0 adultscore=0 impostorscore=0 phishscore=0 mlxlogscore=999 malwarescore=0 mlxscore=0 suspectscore=0 spamscore=0 clxscore=1011 bulkscore=0 priorityscore=1501 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2103100111
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/xgmiJnYB08siE8JedKE4nOn_kU0>
Subject: Re: [lamps] Proposed recharter text
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Mar 2021 23:03:50 -0000

Hi Roman,

That tightened scope works for me as it covers what I have already submitted (draft-ounsworth-pq-composite-sigs) as well as the drafts I'm currently working on a -00 of.

A couple nits:

1. Worth a 5.b.0 about the format of public keys that can be used with the 5.b.1 and 5.b.2 mechanisms? 

One of the feedbacks I've received recently is to split composite public keys into its own draft and remove any keyUsage restrictions so that the composite public key format is separate from their usage in sigs, key exchange, public key encryption, etc (other than the restriction that a keyUsage applying to a composite key needs to apply to all component keys. No jamming a keyex and sig key into the same cert á la jumbo certs). This is currently in github here:

https://github.com/EntrustCorporation/draft-ounsworth-pq-composite-keys/blob/master/draft-ounsworth-pq-composite-keys.txt


2.
> using algorithm(s) vetted by the NIST PQ effort

Hybrid and dual mechanisms will likely be used for {RSA, PQ}, or {RSA, PQ1, PQ2}, or even {PQ1, PQ2}. In theory you could also do {RSA2048, RSA4096} or {RSA, ECC}, though I don't know why you would. Point is that they are not only for NIST PQ algs, but to combine traditional + PQ together.


3. 
> How confident are we that draft-ounsworth-pq-composite-sigs is the starting point we want (for just 5.b.1)?  

I am also curious about this :P

---
Mike Ounsworth

-----Original Message-----
From: Spasm <spasm-bounces@ietf.org> On Behalf Of Roman Danyliw
Sent: March 10, 2021 4:32 PM
To: Benjamin Kaduk <kaduk@mit.edu>; Salz, Rich <rsalz=40akamai.com@dmarc.ietf.org>
Cc: LAMPS <spasm@ietf.org>
Subject: [EXTERNAL] Re: [lamps] Proposed recharter text

WARNING: This email originated outside of Entrust.
DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.

______________________________________________________________________
Hi!

> -----Original Message-----
> From: Benjamin Kaduk <kaduk@mit.edu>
> Sent: Wednesday, March 10, 2021 9:54 AM
> To: Salz, Rich <rsalz=40akamai.com@dmarc.ietf.org>
> Cc: Roman Danyliw <rdd@cert.org>; LAMPS <spasm@ietf.org>
> Subject: Re: [lamps] Proposed recharter text
> 
> On Wed, Mar 10, 2021 at 02:26:36PM +0000, Salz, Rich wrote:
> > I am concerned about having to decide the hybrid/multi-signature 
> > issue NOW
> during the rechartering.  It's way too soon.  I think we need to 
> discuss the approaches in a technical context (i.e., as part of WG 
> discussions).  What's the best way to do that other than put vague words into a charter?
> 
> I think we've seen (other) WG charters that include discussion of a 
> topic to decide on an approach, with need to recharter to actually 
> produce spec documents on that topic.  Just one option of many, of course...

+1.  We don't need to have approved charter language to discuss a topic.  We can even discuss and work on drafts that might shape the plan or approach.  We just can't adopt them without a charter change.  I noted in an earlier email [2], we may actually find that as we decompose this problem, not all of it is appropriate to tackle in LAMPS.  Given some of the expressed uncertainty, we may also need to charter "this scope" (whatever it might be) in iterative "chunks".  Certainly, this creates some administrative overhead, but this shouldn't be too high.

In rereading the discussion and trying to answer my own questions [1] on what a tighter scope would be, let me test it with some replacement text:

OLD 5(b)
The specifications developed will enable PKIX and S/MIME protocols to support hybrid key establishment and dual signature mechanisms

TIGHTER SCOPE:
5.b.1 = Specification(s) for identifiers, formats and operational practices to enable dual signature operations using algorithm(s) vetted by the NIST PQ effort

5.b.2 = Specification(s) for identifiers, formats and operational practices to enable hybrid key establishment using the algorithms vetted by the NIST PQ effort and hybrid key establishment constructions defined in a revised SP 800-56C

For me "operational practices" could potentially cover generation, validation, verification, etc.  As written, what it would exclude is updating PKI-related protocols and getting into any work that modifies other protocols that might leverage this work.

How confident are we that draft-ounsworth-pq-composite-sigs is the starting point we want (for just 5.b.1)?  Not pointing to this document specifically, but if we had one we could point to as a starting point this would also help create the bounding box on the new work and satisfy the other LAMPS constraint of "and there is at least one sufficiently well specified approach to the update so that the working group can sensibly evaluate whether to adopt a proposal"

Regards,
Roman

[1] https://urldefense.com/v3/__https://mailarchive.ietf.org/arch/msg/spasm/rbcufPA13VfSRLBw41Sbb5bO-J0/__;!!FJ-Y8qCqXTj2!Nn4lhE32xGtdDKZPmTkG7WHMu1RrVn765f53RX6p7P1T1MUCGhF8qb-IOM5GHb5nHQ5baDe_rQ$
[2] https://urldefense.com/v3/__https://mailarchive.ietf.org/arch/msg/spasm/jxmWz7MxaShMEopwE-ZJfzsIbYY/__;!!FJ-Y8qCqXTj2!Nn4lhE32xGtdDKZPmTkG7WHMu1RrVn765f53RX6p7P1T1MUCGhF8qb-IOM5GHb5nHQ5xgZqFUg$ 

_______________________________________________
Spasm mailing list
Spasm@ietf.org
https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/spasm__;!!FJ-Y8qCqXTj2!Nn4lhE32xGtdDKZPmTkG7WHMu1RrVn765f53RX6p7P1T1MUCGhF8qb-IOM5GHb5nHQ7jXlJoVg$

v2.23.0 | Report a Bug | By Email