I am not sure I understand what is being said below. The link to the PDF does not add to the message body.
If there is a concern about what signature algorithm is used for what type of subject key, X.509 already has that flexibility. If there is a concern about using multiple signatures on an X.509 certificate, one can use the single signature algorithm identifier to define multiple algorithms, parameters, and signatures. -----Original Message----- From: Spasm [mailto:spasm-boun...@ietf.org] On Behalf Of Liaison Statement Management Tool Sent: Wednesday, September 13, 2017 11:25 AM To: David Waltermire <david.walterm...@nist.gov>; Tero Kivinen <kivi...@iki.fi>; Russ Housley <hous...@vigilsec.com> Cc: Limited Additional Mechanisms for PKIX and SMIME Discussion List <sp...@ietf.org>; Eric Rescorla <e...@rtfm.com>; Russ Housley <hous...@vigilsec.com>; Tero Kivinen <kivi...@iki.fi>; Scott Mansfield <scott.mansfi...@ericsson.com>; IP Security Maintenance and Extensions Discussion List <ipsec@ietf.org>; Kathleen Moriarty <kathleen.moriarty.i...@gmail.com>; David Waltermire <david.walterm...@nist.gov>; itu-t-liai...@iab.org; jean-paul.lema...@univ-paris-diderot.fr Subject: [lamps] New Liaison Statement, "LS on ITU-T SG17 work on quantum-safe PKI" Title: LS on ITU-T SG17 work on quantum-safe PKI Submission Date: 2017-09-13 URL of the IETF Web page: https://datatracker.ietf.org/liaison/1541/ From: Jean-Paul Lemaire <jean-paul.lema...@univ-paris-diderot.fr> To: David Waltermire <david.walterm...@nist.gov>,Tero Kivinen <kivi...@iki.fi>,Russ Housley <hous...@vigilsec.com> Cc: David Waltermire <david.walterm...@nist.gov>,IP Security Maintenance and Extensions Discussion List <ipsec@ietf.org>,itu-t-liai...@iab.org,Limited Additional Mechanisms for PKIX and SMIME Discussion List <sp...@ietf.org>,Russ Housley <hous...@vigilsec.com>,Scott Mansfield <scott.mansfi...@ericsson.com>,Kathleen Moriarty <kathleen.moriarty.i...@gmail.com>,Tero Kivinen <kivi...@iki.fi>,Eric Rescorla <e...@rtfm.com> Response Contacts: jean-paul.lema...@univ-paris-diderot.fr Technical Contacts: Purpose: For information Body: ITU-T Study Group 17 is pleased to inform you that in our August/September 2017 meeting we agreed to start work on the inclusion of a proposal to include optional support for multiple public-key algorithms in Recommendation ITU-T X509 | ISO/IEC 9594-8. The industry is preparing ICT systems to be resistant to attacks by large-scale quantum computers in addition to more sophisticated attacks by conventional computing resources. Proposed was an optional feature to the X.509 certificate that provides a seamless migration capability to existing PKI systems, and is completely backwardly compatible with existing systems. While public-key key establishment algorithms are typically negotiated between peers and are generally fairly simple to update, the authentication systems typically rely on a single digital signature algorithm which are more difficult to update. This is because of the circular dependency between PKI-based identity systems and the dependent communication protocols. In order to update a PKI system, one would typically need to create a duplicate PKI system that utilizes a new digital signature algorithm and then migrate all the dependent systems one by one. This proposal eliminates the need to create such duplicate PKI systems by adding optional extensions to contain alternate public key and alternate signature, and a method for the CA to sign certificates using a layered approach to ensure that every attribute is authenticated by both signatures. The resulting certificate, while containing new quantum safe public key and signature, can still be used by existing systems relying on the classic public key and signature. Attachments: sp16-sg17-oLS-00068 https://www.ietf.org/lib/dt/documents/LIAISON/liaison-2017-09-13-itu-t-sg-17 -ipsecme-lamps-ls-on-itu-t-sg17-work-on-quantum-safe-pki-attachment-1.pdf _______________________________________________ Spasm mailing list sp...@ietf.org https://www.ietf.org/mailman/listinfo/spasm _______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
