Re: [lamps] Current efforts in the direction of draft-truskovsky-lamps-pq-hybrid-x509?

Tim Hollebeek <tim.hollebeek@digicert.com> Fri, 07 July 2023 17:57 UTC

From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Iyán Méndez Veiga <imendez@ethz.ch>, "spasm@ietf.org" <spasm@ietf.org>
Thread-Topic: [lamps] Current efforts in the direction of draft-truskovsky-lamps-pq-hybrid-x509?
Thread-Index: AQHZsNxDuVT0Ea78tUayHa/gLB9qO6+uk5AA
Date: Fri, 07 Jul 2023 17:57:45 +0000
Message-ID: <SN7PR14MB6492131663B6004B89B4E525832DA@SN7PR14MB6492.namprd14.prod.outlook.com>
References: <7857448.9X9Kdy9spX@thinkpad>
In-Reply-To: <7857448.9X9Kdy9spX@thinkpad>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/yeGoYMR6KmIibEJg4l7kL1MzDiI>
Subject: Re: [lamps] Current efforts in the direction of draft-truskovsky-lamps-pq-hybrid-x509?

DigiCert was very supportive of this approach in the past, but it has a bunch of
downsides that were discovered upon closer examination.  The IPR situation
also did not help.

The problem is that interoperating with existing systems doesn’t actually buy
you much, as you still pay the cost for transporting the large PQC keys.  That
means you pay a pretty high price early in the transition for only marginal
benefits in use cases where certificate size matters.

You can't effectively cache the PQC keys because that leaks information about
whether the site has been visited before, and it's difficult to use it in a mode
where you operate with both existing and new systems, because the requirement
to support existing systems makes downgrade attacks against the new systems
feasible.  You then need some policy mechanism to communicate which
systems need to be checking both keys/signatures, and which are allowed
to use just the default key, and all that infrastructure is about as complicated
as the infrastructure to manage two certs via policy or negotiation and just
use the appropriate single key cert.

Using two single key certificates does have its own certificate management
challenges, and those have recently started being discussed and explored.
But managing multiple keys via multiple certificates does seem to be more
straightforward, and does seem to be the consensus direction at this time.
Using chameleon certs is a clever idea that allows a single certificate to be
managed, but allows each component of the pair to be used individually.
But it's still a very, very new trick and could use more careful analysis.

Most of the recent work has focused on composite keys instead, where the
two keys are put together into a single key, which requires support for a new
"algorithm", but requires far fewer changes throughout the rest of certificate
management and tooling.  This provides most of the benefits hybrid was
intended to provide (falling back to RSA instead of plaintext if the PQC
algorithm fails), but in a form factor that's much more compatible with
existing software.

There's been some talk of refreshing / updating the hybrid draft, but
nothing has come of it so far.  A lot of this is very much still a work in
progress, and people are still figuring things out, so be prepared for things to
change as the working group continues to try to figure out these important
questions.

-Tim
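The message above contrasts two ways of carrying a classical and a PQC key in one certificate: the hybrid draft's approach (PQC material in an extension that legacy verifiers ignore, which is why a separate policy is needed to say who must check it) and composite keys (one new algorithm identifier whose signature is valid only if every component verifies). The following is an added example, not code from the draft, DigiCert, or the LAMPS working group. HMAC-SHA256 stands in for both the classical and the PQC signature primitive so it runs offline with the standard library; the algorithm names, certificate fields and keys are constructed, and only the composition and policy rules are the point.

```python
"""Composite vs. extension-based hybrid certificates: what the verifier must check.

Constructed example. HMAC-SHA256 stands in for the real signature algorithms;
the composition rule and the relying-party policy are what is being shown.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

CLASSICAL = "classical-sig"  # hypothetical algorithm names, not real OIDs
PQC = "pqc-sig"
COMPOSITE = "composite-sig"  # a single new "algorithm" wrapping both components


def _sign(key: bytes, tbs: bytes) -> bytes:
    """Toy signature: HMAC plays the role of a real signature scheme here."""
    return hmac.new(key, tbs, hashlib.sha256).digest()


def _verify(key: bytes, tbs: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(_sign(key, tbs), sig)


@dataclass
class CompositeCert:
    alg: str          # COMPOSITE: one algorithm identifier covering the key pair
    tbs: bytes        # to-be-signed bytes (issuer, subject, SPKI, validity, ...)
    signatures: dict  # component algorithm -> signature over tbs


@dataclass
class HybridExtCert:
    alg: str                        # classical algorithm in the standard field
    tbs: bytes
    signature: bytes                # the only thing a legacy verifier checks
    alt_alg: Optional[str] = None   # PQC signature carried in an extension
    alt_signature: Optional[bytes] = None


def issue_composite(tbs: bytes, classical_key: bytes, pqc_key: bytes) -> CompositeCert:
    return CompositeCert(COMPOSITE, tbs,
                         {CLASSICAL: _sign(classical_key, tbs), PQC: _sign(pqc_key, tbs)})


def issue_hybrid_ext(tbs: bytes, classical_key: bytes, pqc_key: bytes) -> HybridExtCert:
    return HybridExtCert(CLASSICAL, tbs, _sign(classical_key, tbs), PQC, _sign(pqc_key, tbs))


def verify_composite(cert: CompositeCert, keys: dict) -> bool:
    """Composite rule: valid only if EVERY component verifies.

    A missing or bad component is a failure, never a fallback, so a verifier that
    understands the composite algorithm never ends up checking just one key.
    """
    if cert.alg != COMPOSITE:
        return False
    return all(alg in cert.signatures and alg in keys
               and _verify(keys[alg], cert.tbs, cert.signatures[alg])
               for alg in (CLASSICAL, PQC))


def verify_legacy(cert: HybridExtCert, classical_key: bytes) -> bool:
    """Pre-PQC verifier: checks the standard signature field, ignores extensions."""
    return cert.alg == CLASSICAL and _verify(classical_key, cert.tbs, cert.signature)


def verify_hybrid_ext(cert: HybridExtCert, keys: dict, require_pqc: bool) -> bool:
    """PQC-aware verifier for the extension-based hybrid.

    `require_pqc` is the out-of-band policy the message refers to: without it, a
    certificate with no alt signature is indistinguishable from one issued for
    legacy-only relying parties, so the verifier cannot insist on the PQC check.
    """
    if not verify_legacy(cert, keys[CLASSICAL]):
        return False
    if cert.alt_signature is None:
        return not require_pqc
    key = keys.get(cert.alt_alg)
    return key is not None and _verify(key, cert.tbs, cert.alt_signature)


def demo() -> dict:
    keys = {CLASSICAL: b"constructed-classical-key", PQC: b"constructed-pqc-key"}
    tbs = b"CN=example.test; spki=...; validity=..."  # constructed TBS bytes
    comp = issue_composite(tbs, keys[CLASSICAL], keys[PQC])
    hyb = issue_hybrid_ext(tbs, keys[CLASSICAL], keys[PQC])
    # The same certificate as a legacy-compatible issuer would emit it: no extension.
    hyb_no_alt = HybridExtCert(CLASSICAL, tbs, hyb.signature)
    # A composite with the PQC component dropped is simply an invalid signature.
    comp_partial = CompositeCert(COMPOSITE, tbs, {CLASSICAL: comp.signatures[CLASSICAL]})
    return {
        "composite_ok": verify_composite(comp, keys),
        "composite_partial_rejected": not verify_composite(comp_partial, keys),
        "legacy_accepts_either": verify_legacy(hyb, keys[CLASSICAL])
                                 and verify_legacy(hyb_no_alt, keys[CLASSICAL]),
        "lenient_policy_accepts_no_alt": verify_hybrid_ext(hyb_no_alt, keys, require_pqc=False),
        "strict_policy_rejects_no_alt": not verify_hybrid_ext(hyb_no_alt, keys, require_pqc=True),
        "strict_policy_accepts_with_alt": verify_hybrid_ext(hyb, keys, require_pqc=True),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The `verify_hybrid_ext` verifier is where the policy burden the message describes shows up: `require_pqc` has to come from somewhere outside the certificate, and until every relying party can be told to set it, a legacy verifier and a lenient PQC-aware one both accept the certificate with the extension absent. The composite verifier needs no such knob, because "both components verify" is part of the algorithm's definition rather than a deployment setting.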

> -----Original Message-----
> From: Spasm <spasm-bounces@ietf.org> On Behalf Of Iyán Méndez Veiga
> Sent: Friday, July 7, 2023 10:05 AM
> To: spasm@ietf.org
> Subject: [lamps] Current efforts in the direction of draft-truskovsky-lamps-pq-hybrid-x509?
> 
> Hello,
> 
> I recently found the interesting draft-truskovsky-lamps-pq-hybrid-x509, which
> I think would allow a much smoother PQC transition.
> 
> Unfortunately, the draft has expired some time ago, and I couldn't find any
> derivative work apart from a small reference by Mike that this was
> standardized by ITU-T [1]. I guess he was referring to section 7.2.2 of their
> X.509 (10/2019):
> 
> https://www.itu.int/rec/T-REC-X.509-201910-I
> 
> There was also some recent mention of the draft in the IETF 116 Hackathon
> "PQ Use in the Read world: X.509 Keys, signatures, certificates and protocols",
> but I couldn't find any details.
> 
> It was also pointed out to me [2] that this approach was protected by a patent
> owned by ISARA, but later it seems they relaxed this restriction [3].
> 
> DigiCert seems to be testing this idea as well [4].
> 
> Could anyone summarize to me the current status of this work? Why did this draft
> never get updated? Are there any plans to continue working on this with an
> active draft?
> 
> People from the Open Quantum Safe project have shown interest in
> implementing this, since it's a good approach with a straightforward
> backwards compatibility, but since changes have to be made to OpenSSL as
> well, and I quote here "not having this at least in active Draft state at IETF
> makes this a non-starter".
> 
> Looking forward to learning more about the status of this work.
> 
> Best regards,
> Iyán
> 
> [1]: https://mailarchive.ietf.org/arch/msg/spasm/VJPJXLquDjEjEmRysiGrdsL-Nwc/
> [2]: https://github.com/open-quantum-safe/oqs-provider/discussions/209
> [3]: https://www.helpnetsecurity.com/2022/10/26/isara-digital-certificate-patents-quantum-security/
> [4]: https://docs.digicert.com/en/certcentral/certificate-tools/post-quantum-cryptography.html#idm45907393047856
> 