Composite Keys and Signatures For Use In Internet PKI
draft-ounsworth-pq-composite-sigs-00
This document is an Internet-Draft (I-D).
Anyone may submit an I-D to the IETF.
This I-D is not endorsed by the IETF and has no formal standing in the
IETF standards process.
The information below is for an old version of the document.
Document | Type |
This is an older version of an Internet-Draft whose latest revision state is "Replaced".
|
|
---|---|---|---|
Authors | Mike Ounsworth , Serge Mister , John Gray , Scott Fluhrer , Panos Kampanakis | ||
Last updated | 2019-03-08 | ||
Replaced by | draft-ietf-lamps-pq-composite-sigs, draft-ietf-lamps-pq-composite-sigs, draft-ietf-lamps-pq-composite-sigs | ||
RFC stream | (None) | ||
Formats | |||
Stream | Stream state | (No stream defined) | |
Consensus boilerplate | Unknown | ||
RFC Editor Note | (None) | ||
IESG | IESG state | I-D Exists | |
Telechat date | (None) | ||
Responsible AD | (None) | ||
Send notices to | (None) |
draft-ounsworth-pq-composite-sigs-00
LAMPS M. Ounsworth Internet-Draft S. Mister Intended status: Standards Track J. Gray Expires: September 9, 2019 Entrust Datacard S. Fluhrer P. Kampanakis Cisco Systems March 08, 2019 Composite Keys and Signatures For Use In Internet PKI draft-ounsworth-pq-composite-sigs-00 Abstract With the widespread adoption of post-quantum cryptography will come the need for an entity to possess multiple public keys on different cryptographic algorithms. Since the trustworthiness of individual post-quantum algorithms is at question, a multi-key cryptographic operation will need to be performed in such a way that breaking it requires breaking each of the component algorithms individually. This requires defining new structures for holding composite public keys and composite signature data. This document defines the structures CompositePublicKey, CompositeSignatureAlgorithmParams, and CompositeSignatureValue which are sequences of the respective structure for each component algorithm. This document also defines algorithms for generating and verifying composite signatures. This document makes no assumptions about what the component algorithms are, provided that their algorithm identifiers and signature generation and verification algorithms are defined. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." Ounsworth, et al. Expires September 9, 2019 [Page 1] Internet-Draft PQ Composite Certs March 2019 This Internet-Draft will expire on September 9, 2019. Copyright Notice Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 3. Definitions and notation . . . . . . . . . . . . . . . . . . 4 3.1. Definitions . . . . . . . . . . . . . . . . . . . . . . . 4 3.2. Notation . . . . . . . . . . . . . . . . . . . . . . . . 5 4. Composite Structures . . . . . . . . . . . . . . . . . . . . 5 4.1. Composite Public Key . . . . . . . . . . . . . . . . . . 5 4.2. Composite Signature Algorithm . . . . . . . . . . . . . . 6 4.3. Encoding Composite Structures As Octet Strings and Bit Strings . . . . . . . . . . . . . . . . . . . . . . . . . 6 5. Composite Signature Algorithm . . . . . . . . . . . . . . . . 7 5.1. Composite Signature Generation . . . . . . . . . . . . . 7 5.2. Composite Signature Verification . . . . . . . . . . . . 7 6. Mechanisms to distribute verification policy to clients . . . 9 6.1. Local verifier policy . . . . . . . . . . . . . . . . . . 9 6.2. Extra metadata in the public key or signature . . . . . . 9 6.3. Extra metadata in the certificate . . . . . . . . . . . . 10 6.4. Policy certificate issued by the Certificate Authority . 10 6.5. Policy constraints in a cross-certificate . . . . . . . . 10 6.6. Revoked Algorithms CRL Extension . . . . . . . . . . . . 10 6.6.1. Implicit Revocation . . . . . . . . . . . . . . . . . 11 7. New Algorithm Identifiers . . . . . . . . . . . . . . . . . . 12 8. In Practice . . . . . . . . . . . . . . . . . . . . . . . . . 12 9. Implications for existing standards . . . . . . . . . . . . . 12 9.1. RFC 2986 . . . . . . . . . . . . . . . . . . . . . . . . 12 9.2. RFC 5280 . . . . . . . . . . . . . . . . . . . . . . . . 12 9.3. Cryptographic protocols . . . . . . . . . . . . . . . . . 12 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 11. Security Considerations . . . . . . . . . . . . . . . . . . . 13 Ounsworth, et al. Expires September 9, 2019 [Page 2] Internet-Draft PQ Composite Certs March 2019 12. Appendices . . . . . . . . . . . . . . . . . . . . . . . . . 13 12.1. Intellection Property Considerations . . . . . . . . . . 13 12.2. Comparison with draft-truskovsky-lamps-pq-hybrid-x509 . 13 13. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 14 14. Acknowledgenents . . . . . . . . . . . . . . . . . . . . . . 14 15. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 15.1. Normative References . . . . . . . . . . . . . . . . . . 14 15.2. Informative References . . . . . . . . . . . . . . . . . 14 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15 1. Introduction During the transition to post-quantum cryptography, there will be uncertainty as to the strength of cryptographic algorithms; we will no longer fully trust traditional cryptography such as RSA, Diffie- Hellman, DSA and their elliptic curve variants, but we will also not fully trust their post-quantum replacements until they have had sufficient scrutiny. Unlike previous cryptographic algorithm migrations, the choice of when to migrate and which algorithms to migrate to, is not so clear. Even after the migration period it may be advantageous for an entity's cryptographic identity to be composed of multiple public-key algorithms. Even after the transition period, a composite approach may be advantageous as a single entity may have multiple public keys on different algorithms or strengths to address different use-cases, and a single signature may want to compase multiple of them together. The deployment of composite public keys and signatures using post- quantum algorithms will face two challenges o Algorithm strength uncertainty: During the transition period, some post-quantum signature and encryption algorithms will not be fully trusted, while also the trust in legacy public key algorithms will also start to erode. A relying party may learn some time after deployment that a public key algorithm has become untrustworthy, but in the interim, they may not know which algorithm an adversary has compromised. o Backwards compatibility: During the transition period, post- quantum algorithms will not be supported by all clients. This document provides a mechanism to address algorithm strength uncertainty by providing formats for encoding multiple public keys and multiple signature values into existing public key and signature fields. The issue of backwards compatibility is left open to be addressed in separate draft(s). Ounsworth, et al. Expires September 9, 2019 [Page 3] Internet-Draft PQ Composite Certs March 2019 This document is intended for general applicability anywhere that public key structures or digital signatures are used, but where specific design decisions needed to be made, the authors chose the variant that caused the least disruption to existing X.509 certificates, as defined in [RFC5280]. _EDNOTE: While the scope of this document is restricted to signatures, we note that the same structure is equally applicable to asymmetric encryption keys. Though a word of warning that the corresponding "encrypt / decrypt with a composite public key" logic is somewhat less obvious than; a naive implementer might be tempted to follow the same pattern as bellow and encrypt the message with each public key separately and then concatenate the ciphertexts, which is wrong. Specifying the correct implementation of such an encryption scheme is out of scope for this document, but would be good work for someone in the standards community to pick up._"CompositePublicKey" 2. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. 3. Definitions and notation 3.1. Definitions _EDNOTE: A glossary of terms we define for this document, or terms that we borrow from other RFCs._ ALGORITHM: An information object class for identifying the type of cryptographic operation to be performed. This document is primarily concerned with algorithms for producing digital signatures, though the public key structure could just as easily hold encryption keys. COMPONENT ALGORITHM: A single basic algorithm which is contained within a composite algorithm. COMPOSITE ALGORITHM: An algorithm which is a sequence of one or more basic algorithm, as defined in {{sec-composite-structs}}. Ounsworth, et al. Expires September 9, 2019 [Page 4] Internet-Draft PQ Composite Certs March 2019 3.2. Notation No special notation is used in this document. 4. Composite Structures In order for public keys and signatures to be composed of multiple algorithms, the respective structures defined in [RFC2986], [RFC5280] (AND OTHERS??) need to be extended. We define encodings of sequences of public keys and signature data which consist of a sequence of public keys and signatures from more basic signature algorithms (aka "component algorithms") such that these structures can be places into any existing public key or signature structure. This section defines o Composite public key: A general structure for holding multiple public keys within a single public key data structure. o Composite signature: Data structures needed to make use of the Composite Signature signature algorithm (defined in Section 5), which encapsulates signatures made with multiple public keys. _EDNOTE: Defining composite algorithm parameters as a sequence inside the existing structure avoids an exponential proliferation of OIDs that are needed for each pairwise combination of signature algorithms in other competing schemes for achieving multi-key certificates. This scheme also naturally extends from 2-keypair to n-keypair keys and certificates._ 4.1. Composite Public Key A composite public key is a sequence of component public keys that are used together. A composite public key is identified by the object identifier id-ce-compositePublicKey OBJECT IDENTIFIER ::= { OID } The parameters field for this public key type MUST be absent. The composite public key data is represented by the following structure: CompositePublicKey ::= SEQUENCE OF SubjectPublicKeyInfo where each element of the sequence is a "SubjectPublicKeyInfo" of a public key that MAY be used in conjunction with the other keys in the sequence. When the public key must be provided in octet string or bit string format, the data structure is converted as specified in Section 4.3. Ounsworth, et al. Expires September 9, 2019 [Page 5] Internet-Draft PQ Composite Certs March 2019 _EDNOTE: This document does not define the corresponding private key formats because the authors deemed it to be out of scope. We do note that the draft the Max Pala on a similar topic, does define private key formats, so there could be scope to merge these submissions._[I-D.pala-composite-crypto] 4.2. Composite Signature Algorithm The Composite Signature signature algorithm defined in Section 5 is identified by the following object identifier: id-ce-compositeSignature OBJECT IDENTIFIER ::= { OID } The following algorithm parameters MUST be included when this identifier is used: CompositeSignatureAlgorithmParams ::= SEQUENCE OF AlgorithmIdentifier When a composite signature is generated by a key with a CompositePublicKey, the signature's CompositeSignatureAlgorithmParams sequence MUST contain the same component algorithms listed in the same order as in the associated CompositePublicKey. The Composite Signature algorithm output is the DER encoding of the following structure: id-ce-CompositeSignatureValue OBJECT IDENTIFIER ::= { OID } CompositeSignatureValue ::= SEQUENCE OF BIT STRING Where each bit string within "CompositeSignatureValue" is a signature by one of the component signature algorithms. The choice of "SEQUENCE OF BIT STRING" rather than "BIT STRING" is so the type-length-value encoding can solve the problem of variable- length signature values. The signature's "CompositeSignatureValue" sequence MUST contain the same component algorithms listed in the same order as in the associated "CompositeSignatureAlgorithmParams". 4.3. Encoding Composite Structures As Octet Strings and Bit Strings Many specifications require that the composite public key and composite signature data structures be represented by an octet string or bit string. When an octet string is required, the DER encoding of the composite data structure SHALL be used directly. When a bit string is required, the octets of the DER encoded composite data structure SHALL be used as the bits of the bit string, with the most significant bit of the first octet becoming the first bit, and so on, Ounsworth, et al. Expires September 9, 2019 [Page 6] Internet-Draft PQ Composite Certs March 2019 ending with the least significant bit of the last octet becoming the last bit of the bit string. 5. Composite Signature Algorithm The Composite Signature signature algorithm generates a single composite signature by using multiple private keys to apply multiple signature algorithms to the input message, with the resulting signature effectively being the concatenation of the individual signature values. This algorithm addresses algorithm strength uncertainty by providing the verifier with parallel signatures from all the component signature algorithms used as part of the composite signature; breaking the composite signature would require breaking each of the component signatures. 5.1. Composite Signature Generation The following algorithm is used to generate composite signature values. Input: K1, K2, ..., Kn Private keys for the n component signature algorithms M Message to be signed, an octet string Output: S Signature, an octet string Signature Generation Procedure: 1. Generate the n component signatures independently, according to their algorithm specifications. for i := 1 to n Si := Sign( Ki, M ) 2. DER encode the component signatures into an ASN.1 value of type Signature, where the type Signature has the syntax Signature ::= Sequence { S1, S2, ..., Sn } Let S be the DER encoding of the Signature 3. Output S 5.2. Composite Signature Verification Verification of a composite signature involves applying each component algorithm's verification routine according to its specification, and then outputting "Valid signature" (true) if a sufficient number of component algorithms were valid, and "Invalid signature" (false) otherwise. Ounsworth, et al. Expires September 9, 2019 [Page 7] Internet-Draft PQ Composite Certs March 2019 Implementations MAY include policy mechanisms for determining which and how many component algorithms must be valid in order for the composite signature to be considered valid. See Section 6 for further discussion of possible standardization of such mechanisms. This section assumes the existence of such a policy mechanism, specifically one that allows revocation of individual component algorithms. This section provides a sample algorithm for validating composite signatures. Compliant implementations MUST return "Invalid signature" whenever the sample algorithm does, but MAY require more than one signature to be valid. Input: P Signer's composite public key M Message whose signature is to be verified, an octet string S Composite Signature to be verified A Composite Algorithm identifier Output: Validity "Valid signature" (true) if the composite signature is valid, "Invalid signature" (false) otherwise. Signature Verification Procedure:: 1. Parse P, S, A into the component public keys, signatures, algorithm identifiers P1, P2, ..., Pn := Desequence( P ) S1, S2, ..., Sn := Desequence( S ) A1, A2, ..., An := Desequence( A ) If Error during Desequencing, or the three sequences have different numbers of elements, then output "Invalid signature" and stop. 2. Check each signature individually V1, V2 , ..., Vn := BOOLEAN for i := 1 to n Check if Ai is a recognized algorithm, if so then, Check if algorithm Ai has been revoked, if not then, Verify the component signature according to the component algorithm's specification Vi = verify( Pi, M, Si ) 3. Check policy to see whether V1, V2, ..., Vn constitutes a valid signature if isValid(V1, V2, ..., Vn), then output "Valid signature" else output "Invalid signature" Ounsworth, et al. Expires September 9, 2019 [Page 8] Internet-Draft PQ Composite Certs March 2019 If "V1 = V2 = ... = Vn = false" for all "Vi", then "isValid(V1, V2, ..., Vn)" MUST return false. Implementations MAY include additional policy mechanisms as discussed in Section 6. 6. Mechanisms to distribute verification policy to clients In the traditional world of single-key public keys and signatures, the semantics of a signature and a verification are straight-forward: if the key is trusted (via public key pinning, a PKIX revocation check, etc) and the signature is valid, then the signed content can be trusted. However the semantics are less obvious in a world where public keys and signatures are composed of two or more algorithms; it is conceivable that even though one component algorithm fails verification, for example because the algorithm is revoked, a multi- algorithm signature may contain enough other trustworthy component algorithms to still be considered valid. This section addresses how a verifier can obtain policy information for which and/or how many component algorithms must be valid in order for the signature as a whole to be valid. The authors ask for community feedback about whether this needs to be specified, and if so, how best to do it. This section lists rough outlines for several such mechanisms that have come up in discussion during the drafting of this document. They are mainly focused around X.509 PKIs, and provided here merely for the purposes of sparking debate. The authors believe that by specifying such a mechanism, the world will be able to more quickly react to news of algorithm compromise with a lower service disruption compared to the need to revoke and re-issue all certificates using that algorithm. However, we are not sure if the gains justify the added complexity. 6.1. Local verifier policy Much as we do today, this is left up to domain administrators and software vendors to implement the guidance of governing bodies on a system-by-system basis. 6.2. Extra metadata in the public key or signature This policy information could be specified by the signer at signing time. Depending on the structure of the databeing signed, this metadata could go into the public key, or an extension to the signature, or some other field provided that it is inside the signed data blob. Ounsworth, et al. Expires September 9, 2019 [Page 9] Internet-Draft PQ Composite Certs March 2019 6.3. Extra metadata in the certificate This policy information could be included in a certificate via an X.509 v3 extension. This gives the Certificate Authority control, but has the drawback that updating the policy requires revoking and reissuing certificates. 6.4. Policy certificate issued by the Certificate Authority Certificate Authorities have the ability to issue policy certificates that specify the behaviour when verifying signatures performed by keys in certificates within the scope of the policy certificate. This method has the advantage that policy is centrally-managed, and can be updated without needing to reissue any certificates, but has the drawback that not all PKI implementations support policy certificates. 6.5. Policy constraints in a cross-certificate This method behaves similarly to the policy certificate method above, but has better support across PKI implementations. 6.6. Revoked Algorithms CRL Extension Add an extension to CRLs so that in addition to revoking certificates, they can also revoke algorithms for all certificates within the scope of that CRL. Implemented with care, this could allow a single PKI to do a staged algorithm migration by only revoking the algorithm for one CRL group at a time. id-ce-RevokedAlgorithms OBJECT IDENTIFIER ::= { OID } RevokedAlgorithms ::= SEQUENCE OF SEQUENCE { algorithms AlgorithmIdentifier, revocationDate Time, crlEntryExtensions Extensions OPTIONAL -- if present, version MUST be v2 } _EDNOTE: do we need the crlEntryExtensions field? If so, which ones from https://tools.ietf.org/html/rfc5280#section-5.3 are allowed here?_ There may only be one "RevokedAlgorithms" extension in a CRL. This extension is OPTIONAL. If a CRL contains only composite certificates, then this extension SHOULD be designated as critical. Ounsworth, et al. Expires September 9, 2019 [Page 10] Internet-Draft PQ Composite Certs March 2019 If a CRL contains a mixture of composite and traditional certificates then it SHOULD be designated as non-critical. If the Revoked Algorithms extension is present in a CRL, then a client performing a certificate validation on an otherwise non- revoked certificate within the scope of that CRL MUST skip any signatures corresponding to a revoked algorithm; thus a certificate is valid only if it would have been valid had those Algorithm IDs and Signature Values been omitted from the certificate. Once a algorithm has been marked as revoked on a given CRL, it MUST remain revoked on subsequent CRLs. _EDNOTE: Is there corresponding wording about cert serial numbers on CRLs from RFC5280? Or is this unnecessary implied?_ Note that a similar mechanism could be used on a per-certificate basis via CRL Entry Extensions, however the authors believe that giving operators the ability to perform partial revocation of a certificate (ie revoking some keys or signatures but leaving the certificate as a whole valid) will greatly increase the complexity of certificate validation routines, thus increasing the chance of both human error, and implementation bugs leading to vulnerabilities, without providing a commensurate amount of increased functionality. By not defining a new CRL Entry Extension, the following requirement is implied: if any key within a certificate warrant revocation, the entire certificate MUST be revoked using the existing revocation mechanisms (this does not apply when the algorithm is globally revoked for the entire scope of this CRL). 6.6.1. Implicit Revocation A Composite Signature Algorithm is considered to be "implicitly revoked" if the certificate is otherwise valid but one of the following conditions are met. o A certificate using a single-key algorithm which is revoked within the scope of its CRL. In this case, signature verification SHOULD fail when performed by a compliant client, but of course will succeed when performed by a legacy client which is not aware of this CRL extension. o All of the component algorithms are revoked within the scope if its CRL. In this case, signature verification MUST fail when performed by a compliant client, regardless of which verification algorithm is used. Ounsworth, et al. Expires September 9, 2019 [Page 11] Internet-Draft PQ Composite Certs March 2019 At the time of an algorithm revocation, a certificate authority MAY revoke certificates meeting one ofd the above criteria (by placing them in the traditional "revokedCertificates" list) with a revocation reason of "keyCompromise". OCSP responders SHOULD designate a certificate as revoked if it meets the above condition. 7. New Algorithm Identifiers _EDNOTE: This subsection will define the OIDs for the initial composite algorithm combinations we want to define. These are the OID that Section 10 will ask for IANA to assign._ 8. In Practice _EDNOTE: This section will talk about practical issue of how these certificates will be used. For example it will talk about the size of these certs and cert chains. It will explain that if a cert in the chain is a Composite cert then the whole chain needs to be of Composite Certs. It will also explain that the root CA cert does not have to be of the same algorithms. The root cert SHOULD NOT be transferred in the authentication exchange to save transport overhead and thus it can be different than the intermediate and leaf certs. It will talk about overhead (size and processing). It will also discuss backwards compatibility. It could include a subsection about implementation considerations._ 9. Implications for existing standards 9.1. RFC 2986 _EDNOTE: summarize the updates to RFC 2986 (CSR / PKCS#10)._ 9.2. RFC 5280 _EDNOTE: summarize the updates to RFC 5280 (X.509)._ 9.3. Cryptographic protocols This section talks about how protocols like (D)TLS and IKEv2 are affected by this specifications. It will not attempt to solve all these problems, but it will explain the rationale, how things will work and what open problems need to be solved. Obvious issues that need to be discussed. o How does the protocol declare support for composite signatures? TLS has hooks for declaring support for specific signature algorithms, however it would need to be extended, because the client would need to declare support for both the composite Ounsworth, et al. Expires September 9, 2019 [Page 12] Internet-Draft PQ Composite Certs March 2019 infrastructure, as well as for the various component signature algorithms. o How does the protocol use the multiple keys. The obvious way would be to have the server sign using its composite public key; is this sufficient. o Overhead; including certificate size, signature processing time, and size of the signature. o How to deal with crypto protocols that use public key encryption algorithms; this document only lists how to work with signature algorithms. Encoding composite public keys is straightforward; encoding composite ciphertexts is less so - we decided to put that off to another draft. 10. IANA Considerations _EDNOTE: This section will include content only if new OIDs or IANA codepoints are assigned for it._ 11. Security Considerations _EDNOTE: This section includes the Security Considerations._ o CA implementations need to be careful when checking for compromised key reuse, for example as required by WebTrust regulations; unpack the CompositePublicKey structure and compare individual keys. o The corresponding multi-key encryption routine is considerably more prone to implementation errors that will result in a catestrophic loss of security, as compared with the signature algorithms specified in this document. 12. Appendices 12.1. Intellection Property Considerations The authors claim no IPR associated with any of the content of this draft. 12.2. Comparison with draft-truskovsky-lamps-pq-hybrid-x509 _EDNOTE: This section will explain the differences from . IPR Claims should be mentioned here if necessary. Other things to consider are the things like simplicity and format, inadvertnt implementation errors, algorithm agility._[I-D.truskovsky-lamps-pq-hybrid-x509] Ounsworth, et al. Expires September 9, 2019 [Page 13] Internet-Draft PQ Composite Certs March 2019 13. Contributors This document incorporates contributions and comments from a large group of experts. The Editor would especially like to acknowledge the tireless dedication of the following people, who attended many long meetings and generated millions of bytes of electronic mail over the past 3 years months in pursuit of this document: We are grateful to all, including any contributors who may have been inadvertently omitted from this list. 14. Acknowledgenents _EDNOTE: this section include all those that need to be acknowledged in the draft_ 15. References 15.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>. [RFC2986] Nystrom, M. and B. Kaliski, "PKCS #10: Certification Request Syntax Specification Version 1.7", RFC 2986, DOI 10.17487/RFC2986, November 2000, <https://www.rfc-editor.org/info/rfc2986>. [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, <https://www.rfc-editor.org/info/rfc5280>. [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, <https://www.rfc-editor.org/info/rfc8174>. 15.2. Informative References [I-D.pala-composite-crypto] Pala, M., "Composite Public Keys and Signatures", draft- pala-composite-crypto-00 (work in progress), February 2019. Ounsworth, et al. Expires September 9, 2019 [Page 14] Internet-Draft PQ Composite Certs March 2019 [I-D.truskovsky-lamps-pq-hybrid-x509] Truskovsky, A., Geest, D., Fluhrer, S., Kampanakis, P., Ounsworth, M., and S. Mister, "Multiple Public-Key Algorithm X.509 Certificates", draft-truskovsky-lamps-pq- hybrid-x509-01 (work in progress), August 2018. Authors' Addresses Mike Ounsworth Entrust Datacard Limited 1000 Innovation Drive Ottawa, Ontario K2K 1E3 Canada Email: mike.ounsworth@entrustdatacard.com Serge Mister Entrust Datacard Limited Email: serge.mister@entrustdatacard.com John Gray Entrust Datacard Limited Email: john.gray@entrustdatacard.com Scott Fluhrer Cisco Systems Email: sfluhrer@cisco.com Panos Kampanakis Cisco Systems Email: pkampana@cisco.com Ounsworth, et al. Expires September 9, 2019 [Page 15]