A new IETF WG has been proposed in the Security Area. The IESG has not made any determination yet. The following draft charter was submitted, and is provided for informational purposes only. Please send your comments to the IESG mailing list ([email protected]) by 2025-12-28.
PKI, Logs, And Tree Signatures (plants) ----------------------------------------------------------------------- Current status: BOF WG Chairs: Russ Housley <[email protected]> Thom Wiggers <[email protected]> Assigned Area Director: Deb Cooley <[email protected]> Security Area Directors: Paul Wouters <[email protected]> Deb Cooley <[email protected]> Mailing list: Address: [email protected] To subscribe: https://www.ietf.org/mailman/listinfo/plants Archive: https://mailarchive.ietf.org/arch/browse/plants Group page: https://datatracker.ietf.org/group/plants/ Charter: https://datatracker.ietf.org/doc/charter-ietf-plants/ The goal of the PLANTS Working Group is to trim the costs of large post-quantum signatures on PKIs with Certificate Transparency (CT; RFC 6962 and RFC 9162), when used in interactive protocols like TLS (RFC 8446). While the size of post-quantum signatures is a major motivation, nothing in the architecture will prevent the resulting standards from being used with traditional signatures. Today, such applications apply two separate systems: a certification authority (CA) signs individual bindings between public keys and application identifiers (e.g., a DNS name), returning an X.509 certificate. CT logs then include entire certificates, providing signed certificate timestamps. The outputs of these two systems are presented to the relying party. Overhead from post-quantum signatures and keys will add significant costs in multiple ways: - Each log entry contains an entire certificate, with public key and signature. Post-quantum overhead is multiplied across every entry, increasing the costs to log operators and the rest of the transparency ecosystem. - Relying parties are presented with signatures from the CA and CT logs. Post-quantum overhead is multiplied per signature, increasing the size and latency of the TLS handshake. - More entities are requesting certificates, and certificate validity windows are narrowing, both of which increase the overall size of a CT log, with corresponding costs for log operators. The PLANTS Working Group will define a mechanism that integrates log construction into certificate issuance, and reduces the amount of data in individual log entries and the TLS handshake. Integrating the log into certificate issuance enables techniques where one signature can cover multiple key/identifier bindings, e.g. by signing Merkle Tree hashes. The Working Group will define (put down roots) the mechanisms needed to construct and consume certificates in an interoperable way: - An extensible and externally monitorable transparency log structure, maintained by a CA, containing the key/identifier bindings that the CA has certified. - Certificate constructions to prove to relying parties that a binding is both in the CA's view of the log and externally monitorable. - How the certificate constructions may be provisioned (with mechanisms including ACME (RFC 8555)) and used in TLS. As part of this work, the Working Group may extend PKIX (RFC 5280), e.g., with new extensions or signature algorithms. As appropriate, the PLANTS Working Group will liaise with the LAMPS Working Group to ensure adequate lighting for this work and help it grow. As needed, the Working Group may also define extensions to ACME and TLS to integrate its certificate constructions. In doing so, it is expected to liaise with the TLS and ACME Working Groups for cross-pollination. Although out of scope currently, the PLANTS Working Group may consider a recharter in the future to seed secondary deliverables that build on the initial work. If feasible and concrete improvements are identified, there are other properties of transparent PKIs that could improve upon the status quo, such as auditing, monitoring, or revocation. In evaluating decisions and design tradeoffs, the Working Group will consider security, privacy, transparency, performance, and deployment properties, aiming to comparably meet the needs of today's applications that use CT-based PKIs with TLS. In particular the WG will deliver a design that can ensure that a misbehavior by a single party cannot compromise transparency for relying parties. The Working Group may consider and explain how these mechanisms could be adapted for deployment in a private or limited scope PKI (potentially without transparency) as a secondary use case. The PLANTS Working Group's scope is to explore mechanisms for CAs and transparency ecosystems to certify key/identifier bindings in a publicly monitorable way. Alternate trust models and changes to how TLS uses the end-entity key are not in scope for the Working Group. The Working Group will not submit specifications for publication to the IESG before demonstrating two interoperable implementations. Milestones: Jul 2026 - Submit an informational architecture document describing taxonomy, information flows, and use cases. Nov 2026 - Submit a standards document defining the mechanism described in the charter. _______________________________________________ IETF-Announce mailing list -- [email protected] To unsubscribe send an email to [email protected]
