Re: [IPsec] [lamps] New Liaison Statement, "LS on ITU-T SG17 work on quantum-safe PKI"

2017-10-05 Thread Santosh Chokhani
Hello Erik,

Since the parameters syntax and semantics for the AlgorithmIdentifier are 
defined by the OID, that flexibility can be used to encode multiple SPKI and 
signatures.

There are several ways to do it.  One example is for the parameters to be 
SEQUENCE OF AlgorithmIdentifier for the various algorithms covered by the SPKI 
and/or signature where you want multiple values.  There is more to it of course.

-Original Message-
From: Erik Andersen [mailto:e...@x500.eu] 
Sent: Wednesday, October 4, 2017 6:20 PM
To: 'Santosh Chokhani' <santosh.chokh...@gmail.com>; 'Alexander Truskovsky' 
<alexander.truskov...@isara.com>; david.walterm...@nist.gov; kivi...@iki.fi; 
hous...@vigilsec.com
Cc: ipsec@ietf.org; e...@rtfm.com; hous...@vigilsec.com; 
scott.mansfi...@ericsson.com; sp...@ietf.org; kathleen.moriarty.i...@gmail.com; 
itu-t-liai...@iab.org; jean-paul.lema...@univ-paris-diderot.fr
Subject: SV: [lamps] [IPsec] New Liaison Statement, "LS on ITU-T SG17 work on 
quantum-safe PKI"

Hi Santosh,

I do not understand your claim that you can have multiple public keys and 
signatures within the base structure of a certificate.

Erik

-Original Message-
From: Spasm [mailto:spasm-boun...@ietf.org] On Behalf Of Santosh Chokhani
Sent: 03 October 2017 22:49
To: 'Alexander Truskovsky' <alexander.truskov...@isara.com>; 
david.walterm...@nist.gov; kivi...@iki.fi; hous...@vigilsec.com
Cc: ipsec@ietf.org; e...@rtfm.com; hous...@vigilsec.com; 
scott.mansfi...@ericsson.com; sp...@ietf.org; kathleen.moriarty.i...@gmail.com; 
itu-t-liai...@iab.org; jean-paul.lema...@univ-paris-diderot.fr
Subject: Re: [lamps] [IPsec] New Liaison Statement, "LS on ITU-T SG17 work on 
quantum-safe PKI"

Multiple public keys as well as signatures can be accommodated using the 
respective algorithm OIDs in Signature and SPKI fields.

Have you considered that in place of using an extension?

-Original Message-
From: Alexander Truskovsky [mailto:alexander.truskov...@isara.com] 
Sent: Tuesday, October 3, 2017 4:38 PM
To: santosh.chokh...@gmail.com; david.walterm...@nist.gov; kivi...@iki.fi; 
hous...@vigilsec.com
Cc: sp...@ietf.org; e...@rtfm.com; hous...@vigilsec.com; 
scott.mansfi...@ericsson.com; ipsec@ietf.org; kathleen.moriarty.i...@gmail.com; 
itu-t-liai...@iab.org; jean-paul.lema...@univ-paris-diderot.fr
Subject: Re: [IPsec] [lamps] New Liaison Statement, "LS on ITU-T SG17 work on 
quantum-safe PKI"

This allows X.509 certificates to contain two (or more) public keys and issuer 
signatures.  The goal would be to ease the migration of PKI and dependent 
protocols to new digital signature algorithms.  The motivation was to make the 
X.509 more cryptographically agile and simplify the migration to quantum-safe 
algorithms, but it is algorithm agnostic.  The main benefit of this proposal is 
that current systems will be able to use these newer X.509 certificates as they 
do today without any modifications, while systems that were updated to support 
quantum-safe algorithms can also be updated to understand the newer X.509 
format and use quantum-safe algorithm instead.

We are working on a draft that mirrors the ITU-T’s work with a few partners and 
will publish it for review soon.

Alex


On 2017-10-02, 9:58 PM, "IPsec on behalf of Santosh Chokhani" 
<ipsec-boun...@ietf.org on behalf of santosh.chokh...@gmail.com> wrote:

I am not sure I understand what is being said below.  The link to the PDF
does not add to the message body.

If there is a concern about what signature algorithm is used for what type
of subject key, X.509 already has that flexibility.

If there is a concern about using multiple signatures on an X.509
certificate, one can use the single signature algorithm identifier to define
multiple algorithms, parameters, and signatures.

-Original Message-
From: Spasm [mailto:spasm-boun...@ietf.org] On Behalf Of Liaison 
Statement
Management Tool
Sent: Wednesday, September 13, 2017 11:25 AM
To: David Waltermire <david.walterm...@nist.gov>; Tero Kivinen
<kivi...@iki.fi>; Russ Housley <hous...@vigilsec.com>
Cc: Limited Additional Mechanisms for PKIX and SMIME Discussion List
<sp...@ietf.org>; Eric Rescorla <e...@rtfm.com>; Russ Housley
<hous...@vigilsec.com>; Tero Kivinen <kivi...@iki.fi>; Scott Mansfield
<scott.mansfi...@ericsson.com>; IP Security Maintenance and Extensions
Discussion List <ipsec@ietf.org>; Kathleen Moriarty
<kathleen.moriarty.i...@gmail.com>; David Waltermire
<david.walterm...@nist.gov>; itu-t-liai...@iab.org;
jean-paul.lema...@univ-paris-diderot.fr
Subject: [lamps] New Liaison Statement, "LS on ITU-T SG17 work on
quantum-safe PKI"

Re: [IPsec] [lamps] New Liaison Statement, "LS on ITU-T SG17 work on quantum-safe PKI"

2017-10-04 Thread Erik Andersen
Hi Santosh,

I do not understand your claim that you can have multiple public keys and 
signatures within the base structure of a certificate.

Erik

-Original Message-
From: Spasm [mailto:spasm-boun...@ietf.org] On Behalf Of Santosh Chokhani
Sent: 03 October 2017 22:49
To: 'Alexander Truskovsky' <alexander.truskov...@isara.com>; 
david.walterm...@nist.gov; kivi...@iki.fi; hous...@vigilsec.com
Cc: ipsec@ietf.org; e...@rtfm.com; hous...@vigilsec.com; 
scott.mansfi...@ericsson.com; sp...@ietf.org; kathleen.moriarty.i...@gmail.com; 
itu-t-liai...@iab.org; jean-paul.lema...@univ-paris-diderot.fr
Subject: Re: [lamps] [IPsec] New Liaison Statement, "LS on ITU-T SG17 work on 
quantum-safe PKI"

Multiple public keys as well as signatures can be accommodated using the 
respective algorithm OIDs in Signature and SPKI fields.

Have you considered that in place of using an extension?

-Original Message-
From: Alexander Truskovsky [mailto:alexander.truskov...@isara.com] 
Sent: Tuesday, October 3, 2017 4:38 PM
To: santosh.chokh...@gmail.com; david.walterm...@nist.gov; kivi...@iki.fi; 
hous...@vigilsec.com
Cc: sp...@ietf.org; e...@rtfm.com; hous...@vigilsec.com; 
scott.mansfi...@ericsson.com; ipsec@ietf.org; kathleen.moriarty.i...@gmail.com; 
itu-t-liai...@iab.org; jean-paul.lema...@univ-paris-diderot.fr
Subject: Re: [IPsec] [lamps] New Liaison Statement, "LS on ITU-T SG17 work on 
quantum-safe PKI"

This allows X.509 certificates to contain two (or more) public keys and issuer 
signatures.  The goal would be to ease the migration of PKI and dependent 
protocols to new digital signature algorithms.  The motivation was to make the 
X.509 more cryptographically agile and simplify the migration to quantum-safe 
algorithms, but it is algorithm agnostic.  The main benefit of this proposal is 
that current systems will be able to use these newer X.509 certificates as they 
do today without any modifications, while systems that were updated to support 
quantum-safe algorithms can also be updated to understand the newer X.509 
format and use quantum-safe algorithm instead.

We are working on a draft that mirrors the ITU-T’s work with a few partners and 
will publish it for review soon.

Alex


On 2017-10-02, 9:58 PM, "IPsec on behalf of Santosh Chokhani" 
<ipsec-boun...@ietf.org on behalf of santosh.chokh...@gmail.com> wrote:

I am not sure I understand what is being said below.  The link to the PDF
does not add to the message body.

If there is a concern about what signature algorithm is used for what type
of subject key, X.509 already has that flexibility.

If there is a concern about using multiple signatures on an X.509
certificate, one can use the single signature algorithm identifier to define
multiple algorithms, parameters, and signatures.

-Original Message-
From: Spasm [mailto:spasm-boun...@ietf.org] On Behalf Of Liaison 
Statement
Management Tool
Sent: Wednesday, September 13, 2017 11:25 AM
To: David Waltermire <david.walterm...@nist.gov>; Tero Kivinen
<kivi...@iki.fi>; Russ Housley <hous...@vigilsec.com>
Cc: Limited Additional Mechanisms for PKIX and SMIME Discussion List
<sp...@ietf.org>; Eric Rescorla <e...@rtfm.com>; Russ Housley
<hous...@vigilsec.com>; Tero Kivinen <kivi...@iki.fi>; Scott Mansfield
<scott.mansfi...@ericsson.com>; IP Security Maintenance and Extensions
Discussion List <ipsec@ietf.org>; Kathleen Moriarty
<kathleen.moriarty.i...@gmail.com>; David Waltermire
<david.walterm...@nist.gov>; itu-t-liai...@iab.org;
jean-paul.lema...@univ-paris-diderot.fr
Subject: [lamps] New Liaison Statement, "LS on ITU-T SG17 work on
quantum-safe PKI"

Title: LS on ITU-T SG17 work on quantum-safe PKI Submission Date: 
2017-09-13
URL of the IETF Web page: https://datatracker.ietf.org/liaison/1541/

From: Jean-Paul Lemaire <jean-paul.lema...@univ-paris-diderot.fr>
To: David Waltermire <david.walterm...@nist.gov>,Tero Kivinen
<kivi...@iki.fi>,Russ Housley <hous...@vigilsec.com>
Cc: David Waltermire <david.walterm...@nist.gov>,IP Security 
Maintenance and
Extensions Discussion List 
<ipsec@ietf.org>,itu-t-liai...@iab.org,Limited
Additional Mechanisms for PKIX and SMIME Discussion List
<sp...@ietf.org>,Russ Housley <hous...@vigilsec.com>,Scott Mansfield
<scott.mansfi...@ericsson.com>,Kathleen Moriarty
<kathleen.moriarty.i...@gmail.com>,Tero Kivinen <kivi...@iki.fi>,Eric
Rescorla <e...@rtfm.com> Response Contacts:
jean-paul.lema...@univ-paris-diderot.fr
Techni

Re: [IPsec] [lamps] New Liaison Statement, "LS on ITU-T SG17 work on quantum-safe PKI"

2017-10-04 Thread Alexander Truskovsky
Thank you for your comment. 

We tried it on unmodified Firefox/Chrome/Safari on the front end and unmodified 
Apache (OpenSSL/NSS) on the back end using a certificate chain containing 
RSA+LMS keys/signatures.  In all cases a cipher suite using RSA for 
authentication was negotiated and the connection was successfully established, 
even in the case of Chrome/Safari where we had to inject the root certificate 
into the OS’s trusted key store (Apple Keychain in this case).  In the classic 
use case, the extra key and signature are not used.

In the updated server case, upon startup the server checks the certificate and 
enables xx_RSA_xx and xx_LMS_xx cipher suites.  It negotiates xx_RSA_xx cipher 
suite with an unmodified client and proceeds just like in the unmodified case 
above.  With a modified client, it negotiates xx_LMS_xx cipher suite, sends the 
same certificate chain but signs the DH keys using LMS private key instead of 
RSA.  The modified client “peels the outer classic signature off” and verifies 
the inner quantum-safe signature (on all the certificate fields minus the 
classic signature field) all the way up the chain.  It then uses the 
quantum-safe public key to verify the signature on the DH keys.

Alex


On 2017-10-03, 8:58 PM, "Stephen Farrell"  wrote:


Hiya,

On 03/10/17 21:38, Alexander Truskovsky wrote:
> This allows X.509 certificates to contain two (or more) public keys
> and issuer signatures.  The goal would be to ease the migration of
> PKI and dependent protocols to new digital signature algorithms.  The
> motivation was to make the X.509 more cryptographically agile and
> simplify the migration to quantum-safe algorithms, but it is
> algorithm agnostic.  The main benefit of this proposal is that
> current systems will be able to use these newer X.509 certificates as
> they do today without any modifications, while systems that were
> updated to support quantum-safe algorithms can also be updated to
> understand the newer X.509 format and use quantum-safe algorithm
> instead.

I don't believe the "without any modifications" claim. If that
were true, then the additional (hopefully) quantum-safe keys or
signatures would be mere chaff.

I do wonder though if it could be that the advent of a desire
for post-quantum signatures is the straw that breaks the X.509
camel's back. For example, with a view to making X.509-based
PKI evolution end up sufficiently more expensive compared to
displacing X.509 entirely. It'll be fun to see what happens
as things pan out.

One reason that that might be the case is that the

S.


> 
> We are working on a draft that mirrors the ITU-T’s work with a few
> partners and will publish it for review soon.
> 
> Alex
> 
> 
> On 2017-10-02, 9:58 PM, "IPsec on behalf of Santosh Chokhani"
> 
> wrote:
> 
> I am not sure I understand what is being said below.  The link to the
> PDF does not add to the message body.
> 
> If there is a concern about what signature algorithm is used for what
> type of subject key, X.509 already has that flexibility.
> 
> If there is a concern about using multiple signatures on an X.509 
> certificate, one can use the single signature algorithm identifier to
> define multiple algorithms, parameters, and signatures.
> 
> -Original Message- From: Spasm
> [mailto:spasm-boun...@ietf.org] On Behalf Of Liaison Statement 
> Management Tool Sent: Wednesday, September 13, 2017 11:25 AM To:
> David Waltermire ; Tero Kivinen 
> ; Russ Housley  Cc: Limited
> Additional Mechanisms for PKIX and SMIME Discussion List 
> ; Eric Rescorla ; Russ Housley 
> ; Tero Kivinen ; Scott
> Mansfield ; IP Security Maintenance and
> Extensions Discussion List ; Kathleen Moriarty 
> ; David Waltermire 
> ; itu-t-liai...@iab.org; 
> jean-paul.lema...@univ-paris-diderot.fr Subject: [lamps] New Liaison
> Statement, "LS on ITU-T SG17 work on quantum-safe PKI"
> 
> Title: LS on ITU-T SG17 work on quantum-safe PKI Submission Date:
> 2017-09-13 URL of the IETF Web page:
> https://datatracker.ietf.org/liaison/1541/
> 
> From: Jean-Paul Lemaire  To:
> David Waltermire ,Tero Kivinen 
> ,Russ Housley  Cc: David
> Waltermire ,IP Security Maintenance and 
> Extensions Discussion List
> 

Re: [IPsec] [lamps] New Liaison Statement, "LS on ITU-T SG17 work on quantum-safe PKI"

2017-10-03 Thread Stephen Farrell

Hiya,

On 03/10/17 21:38, Alexander Truskovsky wrote:
> This allows X.509 certificates to contain two (or more) public keys
> and issuer signatures.  The goal would be to ease the migration of
> PKI and dependent protocols to new digital signature algorithms.  The
> motivation was to make the X.509 more cryptographically agile and
> simplify the migration to quantum-safe algorithms, but it is
> algorithm agnostic.  The main benefit of this proposal is that
> current systems will be able to use these newer X.509 certificates as
> they do today without any modifications, while systems that were
> updated to support quantum-safe algorithms can also be updated to
> understand the newer X.509 format and use quantum-safe algorithm
> instead.

I don't believe the "without any modifications" claim. If that
were true, then the additional (hopefully) quantum-safe keys or
signatures would be mere chaff.

I do wonder though if it could be that the advent of a desire
for post-quantum signatures is the straw that breaks the X.509
camel's back. For example, with a view to making X.509-based
PKI evolution end up sufficiently more expensive compared to
displacing X.509 entirely. It'll be fun to see what happens
as things pan out.

One reason that that might be the case is that the

S.


> 
> We are working on a draft that mirrors the ITU-T’s work with a few
> partners and will publish it for review soon.
> 
> Alex
> 
> 
> On 2017-10-02, 9:58 PM, "IPsec on behalf of Santosh Chokhani"
> 
> wrote:
> 
> I am not sure I understand what is being said below.  The link to the
> PDF does not add to the message body.
> 
> If there is a concern about what signature algorithm is used for what
> type of subject key, X.509 already has that flexibility.
> 
> If there is a concern about using multiple signatures on an X.509 
> certificate, one can use the single signature algorithm identifier to
> define multiple algorithms, parameters, and signatures.
> 
> -Original Message- From: Spasm
> [mailto:spasm-boun...@ietf.org] On Behalf Of Liaison Statement 
> Management Tool Sent: Wednesday, September 13, 2017 11:25 AM To:
> David Waltermire ; Tero Kivinen 
> ; Russ Housley  Cc: Limited
> Additional Mechanisms for PKIX and SMIME Discussion List 
> ; Eric Rescorla ; Russ Housley 
> ; Tero Kivinen ; Scott
> Mansfield ; IP Security Maintenance and
> Extensions Discussion List ; Kathleen Moriarty 
> ; David Waltermire 
> ; itu-t-liai...@iab.org; 
> jean-paul.lema...@univ-paris-diderot.fr Subject: [lamps] New Liaison
> Statement, "LS on ITU-T SG17 work on quantum-safe PKI"
> 
> Title: LS on ITU-T SG17 work on quantum-safe PKI Submission Date:
> 2017-09-13 URL of the IETF Web page:
> https://datatracker.ietf.org/liaison/1541/
> 
> From: Jean-Paul Lemaire  To:
> David Waltermire ,Tero Kivinen 
> ,Russ Housley  Cc: David
> Waltermire ,IP Security Maintenance and 
> Extensions Discussion List
> ,itu-t-liai...@iab.org,Limited Additional Mechanisms
> for PKIX and SMIME Discussion List ,Russ Housley
> ,Scott Mansfield 
> ,Kathleen Moriarty 
> ,Tero Kivinen
> ,Eric Rescorla  Response Contacts: 
> jean-paul.lema...@univ-paris-diderot.fr Technical Contacts: Purpose:
> For information
> 
> Body: ITU-T Study Group 17 is pleased to inform you that in our 
> August/September 2017 meeting we agreed to start work on the
> inclusion of a proposal to include optional support for multiple
> public-key algorithms in Recommendation ITU-T X509 | ISO/IEC 9594-8.
> 
> The industry is preparing ICT systems to be resistant to attacks by 
> large-scale quantum computers in addition to more sophisticated
> attacks by conventional computing resources. Proposed was an optional
> feature to the X.509 certificate that provides a seamless migration
> capability to existing PKI systems, and is completely backwardly
> compatible with existing systems.
> 
> While public-key key establishment algorithms are typically
> negotiated between peers and are generally fairly simple to update,
> the authentication systems typically rely on a single digital
> signature algorithm which are more difficult to update. This is
> because of the circular dependency between PKI-based identity systems
> and the dependent communication protocols. In order to update a PKI
> system, one would typically need to create a duplicate PKI system
> that utilizes a new digital signature algorithm and then migrate all
> the 

Re: [IPsec] [lamps] New Liaison Statement, "LS on ITU-T SG17 work on quantum-safe PKI"

2017-10-03 Thread Alexander Truskovsky
Thank you for your comment.

We want to ensure the existing systems can use these newer certificates as if 
nothing changed.  That’s the key requirement.  If the Signature field is 
modified, the systems that have not been updated will not be able to use 
classic algorithms as they do today.  Placing signatures in the non-critical 
extensions leaves the Signature field untouched.

Alex

On 2017-10-03, 4:48 PM, "Santosh Chokhani" <santosh.chokh...@gmail.com> wrote:

Multiple public keys as well as signatures can be accommodated using the 
respective algorithm OIDs in Signature and SPKI fields.

Have you considered that in place of using an extension?

-Original Message-
From: Alexander Truskovsky [mailto:alexander.truskov...@isara.com] 
Sent: Tuesday, October 3, 2017 4:38 PM
To: santosh.chokh...@gmail.com; david.walterm...@nist.gov; kivi...@iki.fi; 
hous...@vigilsec.com
Cc: sp...@ietf.org; e...@rtfm.com; hous...@vigilsec.com; 
scott.mansfi...@ericsson.com; ipsec@ietf.org; kathleen.moriarty.i...@gmail.com; 
itu-t-liai...@iab.org; jean-paul.lema...@univ-paris-diderot.fr
Subject: Re: [IPsec] [lamps] New Liaison Statement, "LS on ITU-T SG17 work 
on quantum-safe PKI"

This allows X.509 certificates to contain two (or more) public keys and 
issuer signatures.  The goal would be to ease the migration of PKI and 
dependent protocols to new digital signature algorithms.  The motivation was to 
make the X.509 more cryptographically agile and simplify the migration to 
quantum-safe algorithms, but it is algorithm agnostic.  The main benefit of 
this proposal is that current systems will be able to use these newer X.509 
certificates as they do today without any modifications, while systems that 
were updated to support quantum-safe algorithms can also be updated to 
understand the newer X.509 format and use quantum-safe algorithm instead.

We are working on a draft that mirrors the ITU-T’s work with a few partners 
and will publish it for review soon.

Alex


On 2017-10-02, 9:58 PM, "IPsec on behalf of Santosh Chokhani" 
<ipsec-boun...@ietf.org on behalf of santosh.chokh...@gmail.com> wrote:

I am not sure I understand what is being said below.  The link to the PDF
does not add to the message body.

If there is a concern about what signature algorithm is used for what type
of subject key, X.509 already has that flexibility.

If there is a concern about using multiple signatures on an X.509
certificate, one can use the single signature algorithm identifier to define
multiple algorithms, parameters, and signatures.

-Original Message-
From: Spasm [mailto:spasm-boun...@ietf.org] On Behalf Of Liaison 
Statement
Management Tool
Sent: Wednesday, September 13, 2017 11:25 AM
To: David Waltermire <david.walterm...@nist.gov>; Tero Kivinen
<kivi...@iki.fi>; Russ Housley <hous...@vigilsec.com>
Cc: Limited Additional Mechanisms for PKIX and SMIME Discussion List
<sp...@ietf.org>; Eric Rescorla <e...@rtfm.com>; Russ Housley
<hous...@vigilsec.com>; Tero Kivinen <kivi...@iki.fi>; Scott 
Mansfield
<scott.mansfi...@ericsson.com>; IP Security Maintenance and 
Extensions
Discussion List <ipsec@ietf.org>; Kathleen Moriarty
<kathleen.moriarty.i...@gmail.com>; David Waltermire
<david.walterm...@nist.gov>; itu-t-liai...@iab.org;
jean-paul.lema...@univ-paris-diderot.fr
Subject: [lamps] New Liaison Statement, "LS on ITU-T SG17 work on
quantum-safe PKI"

Title: LS on ITU-T SG17 work on quantum-safe PKI Submission Date: 
2017-09-13
URL of the IETF Web page: https://datatracker.ietf.org/liaison/1541/

From: Jean-Paul Lemaire <jean-paul.lema...@univ-paris-diderot.fr>
To: David Waltermire <david.walterm...@nist.gov>,Tero Kivinen
<kivi...@iki.fi>,Russ Housley <hous...@vigilsec.com>
Cc: David Waltermire <david.walterm...@nist.gov>,IP Security 
Maintenance and
Extensions Discussion List 
<ipsec@ietf.org>,itu-t-liai...@iab.org,Limited
Additional Mechanisms for PKIX and SMIME Discussion List
<sp...@ietf.org>,Russ Housley <hous...@vigilsec.com>,Scott Mansfield
<scott.mansfi...@ericsson.com>,Kathleen Moriarty
<kathleen.moriarty.i...@gmail.com>,Tero Kivinen 
<kivi...@iki.fi>,Eric
Rescorla <e...@rtfm.com> Response Contacts:
jean-paul.lema...@univ-paris-diderot.fr
  

Re: [IPsec] [lamps] New Liaison Statement, "LS on ITU-T SG17 work on quantum-safe PKI"

2017-10-03 Thread Santosh Chokhani
Multiple public keys as well as signatures can be accommodated using the 
respective algorithm OIDs in Signature and SPKI fields.

Have you considered that in place of using an extension?

-Original Message-
From: Alexander Truskovsky [mailto:alexander.truskov...@isara.com] 
Sent: Tuesday, October 3, 2017 4:38 PM
To: santosh.chokh...@gmail.com; david.walterm...@nist.gov; kivi...@iki.fi; 
hous...@vigilsec.com
Cc: sp...@ietf.org; e...@rtfm.com; hous...@vigilsec.com; 
scott.mansfi...@ericsson.com; ipsec@ietf.org; kathleen.moriarty.i...@gmail.com; 
itu-t-liai...@iab.org; jean-paul.lema...@univ-paris-diderot.fr
Subject: Re: [IPsec] [lamps] New Liaison Statement, "LS on ITU-T SG17 work on 
quantum-safe PKI"

This allows X.509 certificates to contain two (or more) public keys and issuer 
signatures.  The goal would be to ease the migration of PKI and dependent 
protocols to new digital signature algorithms.  The motivation was to make the 
X.509 more cryptographically agile and simplify the migration to quantum-safe 
algorithms, but it is algorithm agnostic.  The main benefit of this proposal is 
that current systems will be able to use these newer X.509 certificates as they 
do today without any modifications, while systems that were updated to support 
quantum-safe algorithms can also be updated to understand the newer X.509 
format and use quantum-safe algorithm instead.

We are working on a draft that mirrors the ITU-T’s work with a few partners and 
will publish it for review soon.

Alex


On 2017-10-02, 9:58 PM, "IPsec on behalf of Santosh Chokhani" 
<ipsec-boun...@ietf.org on behalf of santosh.chokh...@gmail.com> wrote:

I am not sure I understand what is being said below.  The link to the PDF
does not add to the message body.

If there is a concern about what signature algorithm is used for what type
of subject key, X.509 already has that flexibility.

If there is a concern about using multiple signatures on an X.509
certificate, one can use the single signature algorithm identifier to define
multiple algorithms, parameters, and signatures.

-Original Message-
From: Spasm [mailto:spasm-boun...@ietf.org] On Behalf Of Liaison 
Statement
Management Tool
Sent: Wednesday, September 13, 2017 11:25 AM
To: David Waltermire <david.walterm...@nist.gov>; Tero Kivinen
<kivi...@iki.fi>; Russ Housley <hous...@vigilsec.com>
Cc: Limited Additional Mechanisms for PKIX and SMIME Discussion List
<sp...@ietf.org>; Eric Rescorla <e...@rtfm.com>; Russ Housley
<hous...@vigilsec.com>; Tero Kivinen <kivi...@iki.fi>; Scott Mansfield
<scott.mansfi...@ericsson.com>; IP Security Maintenance and Extensions
Discussion List <ipsec@ietf.org>; Kathleen Moriarty
<kathleen.moriarty.i...@gmail.com>; David Waltermire
<david.walterm...@nist.gov>; itu-t-liai...@iab.org;
jean-paul.lema...@univ-paris-diderot.fr
Subject: [lamps] New Liaison Statement, "LS on ITU-T SG17 work on
quantum-safe PKI"

Title: LS on ITU-T SG17 work on quantum-safe PKI Submission Date: 
2017-09-13
URL of the IETF Web page: https://datatracker.ietf.org/liaison/1541/

From: Jean-Paul Lemaire <jean-paul.lema...@univ-paris-diderot.fr>
To: David Waltermire <david.walterm...@nist.gov>,Tero Kivinen
<kivi...@iki.fi>,Russ Housley <hous...@vigilsec.com>
Cc: David Waltermire <david.walterm...@nist.gov>,IP Security 
Maintenance and
Extensions Discussion List 
<ipsec@ietf.org>,itu-t-liai...@iab.org,Limited
Additional Mechanisms for PKIX and SMIME Discussion List
<sp...@ietf.org>,Russ Housley <hous...@vigilsec.com>,Scott Mansfield
<scott.mansfi...@ericsson.com>,Kathleen Moriarty
<kathleen.moriarty.i...@gmail.com>,Tero Kivinen <kivi...@iki.fi>,Eric
Rescorla <e...@rtfm.com> Response Contacts:
jean-paul.lema...@univ-paris-diderot.fr
Technical Contacts: 
Purpose: For information

Body: ITU-T Study Group 17 is pleased to inform you that in our
August/September 2017 meeting we agreed to start work on the inclusion of a
proposal to include optional support for multiple public-key algorithms in
Recommendation ITU-T X509 | ISO/IEC 9594-8.

The industry is preparing ICT systems to be resistant to attacks by
large-scale quantum computers in addition to more sophisticated attacks by
conventional computing resources. Proposed was an optional feature to the
X.509 certificate that provides a seamless migration capability to existing
PKI systems, and is completely

Re: [IPsec] [lamps] New Liaison Statement, "LS on ITU-T SG17 work on quantum-safe PKI"

2017-10-02 Thread Santosh Chokhani
I am not sure I understand what is being said below.  The link to the PDF
does not add to the message body.

If there is a concern about what signature algorithm is used for what type
of subject key, X.509 already has that flexibility.

If there is a concern about using multiple signatures on an X.509
certificate, one can use the single signature algorithm identifier to define
multiple algorithms, parameters, and signatures.

-Original Message-
From: Spasm [mailto:spasm-boun...@ietf.org] On Behalf Of Liaison Statement
Management Tool
Sent: Wednesday, September 13, 2017 11:25 AM
To: David Waltermire ; Tero Kivinen
; Russ Housley 
Cc: Limited Additional Mechanisms for PKIX and SMIME Discussion List
; Eric Rescorla ; Russ Housley
; Tero Kivinen ; Scott Mansfield
; IP Security Maintenance and Extensions
Discussion List ; Kathleen Moriarty
; David Waltermire
; itu-t-liai...@iab.org;
jean-paul.lema...@univ-paris-diderot.fr
Subject: [lamps] New Liaison Statement, "LS on ITU-T SG17 work on
quantum-safe PKI"

Title: LS on ITU-T SG17 work on quantum-safe PKI Submission Date: 2017-09-13
URL of the IETF Web page: https://datatracker.ietf.org/liaison/1541/

From: Jean-Paul Lemaire 
To: David Waltermire ,Tero Kivinen
,Russ Housley 
Cc: David Waltermire ,IP Security Maintenance and
Extensions Discussion List ,itu-t-liai...@iab.org,Limited
Additional Mechanisms for PKIX and SMIME Discussion List
,Russ Housley ,Scott Mansfield
,Kathleen Moriarty
,Tero Kivinen ,Eric
Rescorla  Response Contacts:
jean-paul.lema...@univ-paris-diderot.fr
Technical Contacts: 
Purpose: For information

Body: ITU-T Study Group 17 is pleased to inform you that in our
August/September 2017 meeting we agreed to start work on the inclusion of a
proposal to include optional support for multiple public-key algorithms in
Recommendation ITU-T X509 | ISO/IEC 9594-8.

The industry is preparing ICT systems to be resistant to attacks by
large-scale quantum computers in addition to more sophisticated attacks by
conventional computing resources. Proposed was an optional feature to the
X.509 certificate that provides a seamless migration capability to existing
PKI systems, and is completely backwardly compatible with existing systems.

While public-key key establishment algorithms are typically negotiated
between peers and are generally fairly simple to update, the authentication
systems typically rely on a single digital signature algorithm which are
more difficult to update. This is because of the circular dependency between
PKI-based identity systems and the dependent communication protocols. In
order to update a PKI system, one would typically need to create a duplicate
PKI system that utilizes a new digital signature algorithm and then migrate
all the dependent systems one by one.

This proposal eliminates the need to create such duplicate PKI systems by
adding optional extensions to contain alternate public key and alternate
signature, and a method for the CA to sign certificates using a layered
approach to ensure that every attribute is authenticated by both signatures.
The resulting certificate, while containing new quantum safe public key and
signature, can still be used by existing systems relying on the classic
public key and signature.
Attachments:

sp16-sg17-oLS-00068
 
https://www.ietf.org/lib/dt/documents/LIAISON/liaison-2017-09-13-itu-t-sg-17-ipsecme-lamps-ls-on-itu-t-sg17-work-on-quantum-safe-pki-attachment-1.pdf

___
Spasm mailing list
sp...@ietf.org
https://www.ietf.org/mailman/listinfo/spasm

___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
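
The layered signing described in the liaison statement, and the "peel the outer classic signature off" verification Alexander Truskovsky describes, sketched as an added example that is not code from the thread, the ITU-T text or any participant. Assumptions: canonical JSON stands in for DER, textbook RSA over fixed primes and a Lamport one-time signature are toy stand-ins for RSA and LMS, and the extension names `altPublicKey` and `altSignature` are hypothetical.

```python
import copy, hashlib, json, secrets

def H(b):
    return hashlib.sha256(b).digest()

# "Classic" stand-in: textbook RSA over two fixed Mersenne primes (toy, insecure).
def rsa_keygen():
    p, q, e = 2**127 - 1, 2**89 - 1, 65537
    n = p * q
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, (p - 1) * (q - 1))}

def rsa_sign(priv, msg):
    return pow(int.from_bytes(H(msg), "big") % priv["n"], priv["d"], priv["n"])

def rsa_verify(pub, msg, sig):
    return pow(sig, pub["e"], pub["n"]) == int.from_bytes(H(msg), "big") % pub["n"]

# "Quantum-safe" stand-in: Lamport one-time signature (hash-based, but not LMS).
def lamport_keygen():
    sk = [[secrets.token_bytes(32) for _ in range(256)] for _ in range(2)]
    pk = [[H(x).hex() for x in row] for row in sk]
    return pk, sk

def _bits(msg):
    d = int.from_bytes(H(msg), "big")
    return [(d >> i) & 1 for i in range(256)]

def lamport_sign(sk, msg):
    return [sk[b][i].hex() for i, b in enumerate(_bits(msg))]

def lamport_verify(pk, msg, sig):
    return len(sig) == 256 and all(
        H(bytes.fromhex(s)).hex() == pk[b][i]
        for i, (b, s) in enumerate(zip(_bits(msg), sig)))

ALT_SIG = "altSignature"  # hypothetical name for the non-critical extension

def encode(tbs):
    # Canonical JSON as a stand-in for the DER encoding of the to-be-signed part.
    return json.dumps(tbs, sort_keys=True).encode()

def issue(fields, ca_rsa_priv, ca_alt_sk):
    tbs = dict(fields, extensions=dict(fields["extensions"]))
    # Inner layer: alternate signature over every field except itself.
    inner = lamport_sign(ca_alt_sk, encode(tbs))
    tbs["extensions"][ALT_SIG] = inner
    # Outer layer: classic signature over the complete TBS, alt signature included.
    return {"tbs": tbs, "signature": rsa_sign(ca_rsa_priv, encode(tbs))}

def verify_legacy(cert, ca_rsa_pub):
    # Unmodified relying party: the extensions are opaque bytes under the classic signature.
    return rsa_verify(ca_rsa_pub, encode(cert["tbs"]), cert["signature"])

def verify_upgraded(cert, ca_alt_pk):
    # Updated relying party: ignore the outer signature, remove the alt signature
    # extension, and verify the inner signature over what remains.
    tbs = dict(cert["tbs"], extensions=dict(cert["tbs"]["extensions"]))
    alt_sig = tbs["extensions"].pop(ALT_SIG, None)
    if alt_sig is None:
        return False  # assumed policy: an updated verifier requires the alt signature
    return lamport_verify(ca_alt_pk, encode(tbs), alt_sig)

def demo():
    ca_pub, ca_priv = rsa_keygen()
    ca_alt_pk, ca_alt_sk = lamport_keygen()   # one-time key, used once here
    subj_alt_pk, _ = lamport_keygen()
    cert = issue({"issuer": "CN=Constructed CA", "subject": "CN=example.test",
                  "subjectPublicKey": "constructed-classic-key",
                  "extensions": {"altPublicKey": subj_alt_pk}}, ca_priv, ca_alt_sk)
    out = {"legacy_ok": verify_legacy(cert, ca_pub),
           "upgraded_ok": verify_upgraded(cert, ca_alt_pk)}
    tampered = copy.deepcopy(cert)
    tampered["tbs"]["subject"] = "CN=other.test"
    out["tampered_legacy"] = verify_legacy(tampered, ca_pub)
    out["tampered_upgraded"] = verify_upgraded(tampered, ca_alt_pk)
    stripped = copy.deepcopy(cert)
    del stripped["tbs"]["extensions"][ALT_SIG]
    out["stripped_legacy"] = verify_legacy(stripped, ca_pub)
    out["stripped_upgraded"] = verify_upgraded(stripped, ca_alt_pk)
    return out

if __name__ == "__main__":
    print(demo())
```

Because the outer signature covers the alternate-signature extension, removing that extension also invalidates the classic signature; the updated verifier additionally refuses a certificate that lacks it.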