Use of the HSS/LMS Hash-Based Signature Algorithm in the Cryptographic Message Syntax (CMS)
draft-ietf-lamps-cms-hash-sig-10

[Ballot comment]
Hi

thank you for this document.

  There have been recent advances in cryptanalysis and advances in the
  development of quantum computers.  Each of these advances pose a
  threat to widely deployed digital signature algorithms.

  Recent advances in cryptoanalysis [BH2013] and progress in the
  development of quantum computers [NAS2019] pose a threat to widely
  deployed digital signature algorithms. 

looks redundant.

-m

[Ballot discuss]
Two fairly minor points that should be easy to resolve, but seem to be
worth some time:

I think we need to be a bit more clear about what exactly the contents
of the signature OCTET STRING are.  Section 3 has a fairly abstract note
about including enough information to be self-describing (within the
HSS/LMS variants), and Section 5 does better with "the single HSS
signature value resulting from the signing operation as specified in
[HASHSIG]", but it doesn't seem too burdensome to say something like
"the string returned from Algorithm 3 in [RFC8554]" or even refer back
to the description language at the end of Section 2 and avoid any
confusion.

Section 5 has a "MUST" for using the same hash for the CMS
digestAlgorithm and the HSS/LMS tree, but Section 6 only has a "SHOULD"
for the message-digest attribute's digest and the signed attributes
digest (the latter of which MUST be the HSS/LMS hash per the previous);
should these two requirements be at the same level of normativity?  I'm
not sure why the one would be more important for correct operation than
the other.

[Ballot comment]
Section 1

  based digital signature, and it is described in [HASHSIG].  The
  HSS/LMS signature algorithm can only be used for a fixed number of
  signing operations.  [...]

nit: with a given key

  use.  A post-quantum cryptosystem [PQC] is a system that is secure
  against quantum computers that have more than a trivial number of
  quantum bits (qu-bits).  It is open to conjecture when it will be

nit(?): I'm much more used to seeing "q-bits" or "qbits" than "qu-bits".

Section 2.2

It's a bit unfortunate that we have to mix 0- (signed public keys) and
1-based (tree nodes) indexing, but it seems that this is inherent in RFC
8554 and not really avoidable in this document.

Section 3

  The signature value identifies the hash function used in the HSS/LMS
  tree.  In [HASHSIG] only the SHA-256 hash function [SHS] is
  supported, but it also establishes an IANA registry [IANA-LMS] to
  permit the registration of additional hash functions in the future.

(This pattern occurs in several places, but I pick an arbitrary one to
comment on) I am not sure that the "In [HASHSIG] only  is
supported, but it also establishes an IANA registry" is going to present
the best interface to readers; the language in Section 2 about "the
algorithm specified in [HASHSIG] currently only uses , but it also
establishes an IANA registry to permit the registration of additional
[...]" seems to give more emphasis on the registry as opposed to the
snapshot in [HASHSIG].  On the other hand, someone is probably going to
complain that "currently" will not age well...

Section 4

It feels a little surprising to make explicit requirements on the
keyUsage contents but not say anything about extendedKeyUsage.  Having a
static whitelist of EKU OIDs is not reasonable, of course, and the
PUBLIC-KEY class from RFC 5912 only covers regular keyUsage, but some
advice about "encipherment methods are not going to make sense" might
still be appropriate.

  The public key value is an OCTET STRING.  Like the signature format,
  it is designed for easy parsing.  The value is the number of levels
  in the public key, L, followed by the LMS public key.

  The HSS/LMS public key value can be summarized as:

      u32str(L) || lms_public_key

"Can be summarized as" does not say to me "here is a rigorous protocol
specification" (though it does seem to actually be one, given the
notation used in this document and 8554).  So unlike the signature OCTET
STRING contents, this one is not DISCUSS-worthy, since it's in the same
section as the thing being described.

Section 5

  When signed attributes are absent, the HSS/LMS signature is computed
  over the content.  When signed attributes are present, a hash is
  computed over the content using the same hash function that is used
  in the HSS/LMS tree, and then a message-digest attribute is
  constructed to contain the resulting hash value, and then the result
  of DER encoding the set of signed attributes (which MUST include a
  content-type attribute and a message-digest attribute, and then the
  HSS/LMS signature is computed over the DER-encoded output.  In

nit(?): is this "the message-digest attribute" constructed in the
previous step (as opposed to any old message-digest attribute)?

Section 6

  tracking data can cause a one-time key to be used more than once.  As
  a result, when a private key and the tracking data are stored on non-
  volatile media or stored in a virtual machine environment, care must
  be taken to preserve confidentiality and integrity.

It might be worth explicitly noting "in the face of failed writes,
virtual machine snapshotting or cloning, and other operational
concerns".

Appendix: ASN.1 Module

  MTS-HashSig-2013

Once written, the module name can never change? :)

[Ballot comment]
Thanks, Russ, as always, for a clear and well-written document.
Some editorial nits:


— Section 1.3 —

  Each of these advances pose a
  threat to widely deployed digital signature algorithms.



“poses”, to match the singular “each”.


  Recent advances in cryptoanalysis [BH2013]

“cryptanalysis”, no “o”.

  The HSS/LMS signature algorithm does not depend on the difficulty of
  discrete logarithm or factoring, as a result these algorithms are

Comma splice.  Make it a semicolon.

— Section 2.2 —

  The second parameter is
  the number of bytes output by the hash function, m, which is the
  amount of data associated with each node in the tree.


It’s a small thing, but I think the “m” is misplaced where it is, and suggest “…the number of bytes, m, output by the hash function….”

— Section 3 —

  Each format includes a counter and type
  codes that indirectly providing all of the information that is needed

“provide”

— Section 5 —

  When signed attributes are absent, the HSS/LMS signature is computed
  over the content.  When signed attributes are present, a hash is
  computed over the content using the same hash function that is used
  in the HSS/LMS tree, and then a message-digest attribute is
  constructed to contain the resulting hash value, and then the result
  of DER encoding the set of signed attributes (which MUST include a
  content-type attribute and a message-digest attribute, and then the
  HSS/LMS signature is computed over the DER-encoded output.

You’re missing a “)” there, which makes it a bit odd.  I think it should be “(which MUST include a content-type attribute and a message-digest attribute), and then….”

        digestAlgorithm MUST contain the one-way hash function used to in
        the HSS/LMS tree.

Remove “to”.

— Section 6 —

  While the consequences of an inadequate pseudo-random
  number generator (PRNGs) to generate these values is much less severe
  than the generation of private keys


“than in the generation”

— Appendix —
Just a note that I did not review the ASN.1 module.

(Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs:

The IANA Functions Operator has completed its review of draft-ietf-lamps-cms-hash-sig-08. If any part of this review is inaccurate, please let us know.

The IANA Functions Operator understands that, upon approval of this document, there are three actions which we must complete.

First, in the SMI Security for S/MIME Module Identifier (1.2.840.113549.1.9.16.0) registry on the Structure of Management Information (SMI) Numbers (MIB Module Registrations) registry page located at:

https://www.iana.org/assignments/smi-numbers/

the following registration

Decimal: 64
Description: id-mod-mts-hashsig-2013

will have its reference changed to [ RFC-to-be ].

Second, in the SMI Security for S/MIME Algorithms (1.2.840.113549.1.9.16.3) registry on the Structure of Management Information (SMI) Numbers (MIB Module Registrations) registry page located at:

https://www.iana.org/assignments/smi-numbers/

the following registration

Decimal: 17
Description: id-alg-mts-hashsig

will be changed so that the registration becomes:

Decimal: 17
Description: id-alg-hss-lms-hashsi
Reference: [ RFC-to-be ]

Third, also in the SMI Security for S/MIME Algorithms (1.2.840.113549.1.9.16.3) registry on the Structure of Management Information (SMI) Numbers (MIB Module Registrations) registry page located at:

https://www.iana.org/assignments/smi-numbers/

a note will be added to the registry as follows:

Value 17, "id-alg-hss-lms-hashsig", is also referred to as "id-alg-mts-hashsig".

The IANA Functions Operator understands that these are the only actions required to be completed upon approval of this document.

Note:  The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is meant only to confirm the list of actions that will be performed.

Thank you,

Sabrina Tanamal
Senior IANA Services Specialist

The following Last Call announcement was sent out (ends 2019-08-01):

From: The IESG
To: IETF-Announce
CC: rdd@cert.org, lamps-chairs@ietf.org, draft-ietf-lamps-cms-hash-sig@ietf.org, spasm@ietf.org, Tim Hollebeek , tim.hollebeek@digicert.com
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (Use of the HSS/LMS Hash-based Signature Algorithm in the Cryptographic Message Syntax (CMS)) to Proposed Standard


The IESG has received a request from the Limited Additional Mechanisms for
PKIX and SMIME WG (lamps) to consider the following document: - 'Use of the
HSS/LMS Hash-based Signature Algorithm in the Cryptographic
  Message Syntax (CMS)'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final
comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2019-08-01. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the beginning of
the Subject line to allow automated sorting.

Abstract


  This document specifies the conventions for using the the HSS/LMS
  hash-based signature algorithm with the Cryptographic Message Syntax
  (CMS).  In addition, the algorithm identifier and public key syntax
  are provided.  The HSS/LMS algorithm is one form of hash-based
  digital signature; it is described in RFC 8554.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-hash-sig/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-hash-sig/ballot/


No IPR declarations have been submitted directly on this I-D.


The document contains these normative downward references.
See RFC 3967 for additional information:
    rfc8554: Leighton-Micali Hash-Based Signatures (Informational - IRTF Stream)

Shepherd Write-up for draft-ietf-lamps-cms-hash-sig-07


(1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard, Informational, Experimental, or Historic)?  Why is this the proper type of RFC?  Is this type of RFC indicated in the title page header?

  Proposed Standard.  Yes, the title page indicates that type of RFC.
 

(2) The IESG approval announcement includes a Document Announcement Write-Up.  Please provide such a Document Announcement Write-Up.  Recent examples can be found in the "Action" announcements for approved documents.  The approval announcement contains the following sections:

  Technical Summary:

  This document specifies the conventions for using the the HSS/LMS
  hash-based signature algorithm with the Cryptographic Message Syntax
  (CMS).  In addition, the algorithm identifier and public key syntax
  are provided.  The HSS/LMS algorithm is one form of hash-based
  digital signature; it is described in draft-mcgrew-hash-sigs-15,
  which is about to be published as RFC 8554.

  Working Group Summary:

    There is consensus for this document in the LAMPS WG.

  Document Quality:

    This extension allows the HSS/LMS hash-based signature algorithm
    described in draft-mcgrew-hash-sigs-15 to be used with the CMS.  In
    addition, the algorithm identifiers allow the hash-based signatures
    to be used in digital certificates.  At least one PKI intends to
    issue certificates using this algorithm.

  Personnel:

    Tim Hollebeek is the document shepherd.
    Eric Rescorla is the responsible area director.


(3) Briefly describe the review of this document that was performed by the Document Shepherd.  If this version of the document is not ready for publication, please explain why the document is being forwarded to the IESG.

  The document shepherd and other LAMPS WG participants reviewed the
  document during WG Last Call.  All issues raised have been resolved.


(4) Does the document Shepherd have any concerns about the depth or breadth of the reviews that have been performed?

  No concerns.


(5) Do portions of the document need review from a particular or from broader perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML, or internationalization?  If so, describe the review that took place.

  No special review needed.


(6) Describe any specific concerns or issues that the Document Shepherd has with this document that the Responsible Area Director and/or the IESG should be aware of?  For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it.  In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here.

  No concerns.


(7) Has each author confirmed that any and all appropriate IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed.  If not, explain why?

  The author explicitly stated that he is unaware of any unexpired
  IPR related to this document.


(8) Has an IPR disclosure been filed that references this document?  If so, summarize any WG discussion and conclusion regarding the IPR disclosures.

  No IPR disclosures have been submitted against this Internet-Draft.


(9) How solid is the WG consensus behind this document?  Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it?

  There is consensus for this Proposed Standard document in the LAMPS WG.


(10) Has anyone threatened an appeal or otherwise indicated extreme discontent?  If so, please summarise the areas of conflict in separate email messages to the Responsible Area Director.  (It should be in a separate email because this questionnaire is publicly available.)

  No one has threatened an appeal.


(11) Identify any ID nits the Document Shepherd has found in this document.  (See https://www.ietf.org/tools/idnits and the Internet-Drafts Checklist).  Boilerplate checks are not enough; this check needs to be thorough.

  IDnits 2.16.02 is reporting one error due to a reference to "[HASHSIG]" in the
  Abstract, two possible code comments, and a line with two spaces between two words.
  The Abstract will be changed to "RFC 8554" when the RFC Editor actually posts the
  document.

(12) Describe how the document meets any required formal review criteria, such as the MIB Doctor, media type, and URI type reviews.

  None needed.


(13) Have all references within this document been identified as either normative or informative?

  Yes, the references are divided into normative and informative.


(14) Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state?  If such normative references exist, what is the plan for their completion?

  [HASHSIG] a.k.a. draft-mcgrew-hash-sigs-15 is in the RFC Editor Queue.  All other references are already published.


(15) Are there downward normative references references (see RFC 3967)?
If so, list these downward references to support the Area Director in the Last Call procedure.

  [HASHSIG] a.k.a. draft-mcgrew-hash-sigs-15 will be an Informational RFC, so it will be a downward reference
  that needs to be called out in the IETF Last Call.

(16) Will publication of this document change the status of any existing RFCs?  Are those RFCs listed on the title page header, listed in the abstract, and discussed in the introduction?  If the RFCs are not listed in the Abstract and Introduction, explain why, and point to the part of the document where the relationship of this document to the other RFCs is discussed.  If this information is not in the document, explain why the WG considers it unnecessary.

  Publication of this document will not change the status of any
  other document.


(17) Describe the Document Shepherd's review of the IANA considerations section, especially with regard to its consistency with the body of the document.  Confirm that all protocol extensions that the document makes are associated with the appropriate reservations in IANA registries.
Confirm that any referenced IANA registries have been clearly identified.
Confirm that newly created IANA registries include a detailed specification of the initial contents for the registry, that allocations procedures for future registrations are defined, and a reasonable name for the new registry has been suggested (see RFC 5226).

  No new IANA registries are needed.

  The IANA considerations section has all necessary additions and updates, including a new id-alg-hss-lms-hashsig S/MIME algorithm identifier and a reference to the document in the S/MIME Module Identifier registry.


(18) List any new IANA registries that require Expert Review for future allocations.  Provide any public guidance that the IESG would find useful in selecting the IANA Experts for these new registries.

  No new IANA registries are needed.


(19) Describe reviews and automated checks performed by the Document Shepherd to validate sections of the document written in a formal language, such as XML code, BNF rules, MIB definitions, etc.

  ASN.1 is used, and the module in the Appendix compiles without
  errors or warnings.

Shepherd Write-up for draft-ietf-lamps-cms-hash-sig-07


(1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard, Informational, Experimental, or Historic)?  Why is this the proper type of RFC?  Is this type of RFC indicated in the title page header?

  Proposed Standard.  Yes, the title page indicates that type of RFC.
 

(2) The IESG approval announcement includes a Document Announcement Write-Up.  Please provide such a Document Announcement Write-Up.  Recent examples can be found in the "Action" announcements for approved documents.  The approval announcement contains the following sections:

  Technical Summary:

  This document specifies the conventions for using the the HSS/LMS
  hash-based signature algorithm with the Cryptographic Message Syntax
  (CMS).  In addition, the algorithm identifier and public key syntax
  are provided.  The HSS/LMS algorithm is one form of hash-based
  digital signature; it is described in draft-mcgrew-hash-sigs-15,
  which is about to be published as RFC 8554.

  Working Group Summary:

    There is consensus for this document in the LAMPS WG.

  Document Quality:

    This extension allows the HSS/LMS hash-based signature algorithm
    described in draft-mcgrew-hash-sigs-15 to be used with the CMS.  In
    addition, the algorithm identifiers allow the hash-based signatures
    to be used in digital certificates.  At least one PKI intends to
    issue certificates using this algorithm.

  Personnel:

    Tim Hollebeek is the document shepherd.
    Eric Rescorla is the responsible area director.


(3) Briefly describe the review of this document that was performed by the Document Shepherd.  If this version of the document is not ready for publication, please explain why the document is being forwarded to the IESG.

  The document shepherd and other LAMPS WG participants reviewed the
  document during WG Last Call.  All issues raised have been resolved.


(4) Does the document Shepherd have any concerns about the depth or breadth of the reviews that have been performed?

  No concerns.


(5) Do portions of the document need review from a particular or from broader perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML, or internationalization?  If so, describe the review that took place.

  No special review needed.


(6) Describe any specific concerns or issues that the Document Shepherd has with this document that the Responsible Area Director and/or the IESG should be aware of?  For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it.  In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here.

  No concerns.


(7) Has each author confirmed that any and all appropriate IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed.  If not, explain why?

  The author explicitly stated that he is unaware of any unexpired
  IPR related to this document.


(8) Has an IPR disclosure been filed that references this document?  If so, summarize any WG discussion and conclusion regarding the IPR disclosures.

  No IPR disclosures have been submitted against this Internet-Draft.


(9) How solid is the WG consensus behind this document?  Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it?

  There is consensus for this Proposed Standard document in the LAMPS WG.


(10) Has anyone threatened an appeal or otherwise indicated extreme discontent?  If so, please summarise the areas of conflict in separate email messages to the Responsible Area Director.  (It should be in a separate email because this questionnaire is publicly available.)

  No one has threatened an appeal.


(11) Identify any ID nits the Document Shepherd has found in this document.  (See https://www.ietf.org/tools/idnits and the Internet-Drafts Checklist).  Boilerplate checks are not enough; this check needs to be thorough.

  IDnits 2.16.02 is reporting one error due to a reference to "[HASHSIG]" in the
  Abstract, two possible code comments, and a line with two spaces between two words.
  The Abstract will be changed to "RFC 8554" when the RFC Editor actually posts the
  document.

(12) Describe how the document meets any required formal review criteria, such as the MIB Doctor, media type, and URI type reviews.

  None needed.


(13) Have all references within this document been identified as either normative or informative?

  Yes, the references are divided into normative and informative.


(14) Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state?  If such normative references exist, what is the plan for their completion?

  [HASHSIG] a.k.a. draft-mcgrew-hash-sigs-15 is in the RFC Editor Queue.  All other references are already published.


(15) Are there downward normative references references (see RFC 3967)?
If so, list these downward references to support the Area Director in the Last Call procedure.

  [HASHSIG] a.k.a. draft-mcgrew-hash-sigs-15 will be an Informational RFC, so it will be a downward reference
  that needs to be called out in the IETF Last Call.

(16) Will publication of this document change the status of any existing RFCs?  Are those RFCs listed on the title page header, listed in the abstract, and discussed in the introduction?  If the RFCs are not listed in the Abstract and Introduction, explain why, and point to the part of the document where the relationship of this document to the other RFCs is discussed.  If this information is not in the document, explain why the WG considers it unnecessary.

  Publication of this document will not change the status of any
  other document.


(17) Describe the Document Shepherd's review of the IANA considerations section, especially with regard to its consistency with the body of the document.  Confirm that all protocol extensions that the document makes are associated with the appropriate reservations in IANA registries.
Confirm that any referenced IANA registries have been clearly identified.
Confirm that newly created IANA registries include a detailed specification of the initial contents for the registry, that allocations procedures for future registrations are defined, and a reasonable name for the new registry has been suggested (see RFC 5226).

  No new IANA registries are needed.

  The IANA considerations section has all necessary additions and updates, including a new id-alg-hss-lms-hashsig S/MIME algorithm identifier and a reference to the document in the S/MIME Module Identifier registry.


(18) List any new IANA registries that require Expert Review for future allocations.  Provide any public guidance that the IESG would find useful in selecting the IANA Experts for these new registries.

  No new IANA registries are needed.


(19) Describe reviews and automated checks performed by the Document Shepherd to validate sections of the document written in a formal language, such as XML code, BNF rules, MIB definitions, etc.

  ASN.1 is used, and the module in the Appendix compiles without
  errors or warnings.