Composite Keys and Signatures For Use In Internet PKI
draft-ounsworth-pq-composite-sigs-00
This document is an Internet-Draft (I-D).
Anyone may submit an I-D to the IETF.
This I-D is not endorsed by the IETF and has no formal standing in the
IETF standards process.
The information below is for an old version of the document.
| Document | Type |
This is an older version of an Internet-Draft whose latest revision state is "Replaced".
|
|
|---|---|---|---|
| Authors | Mike Ounsworth , Serge Mister , John Gray , Scott Fluhrer , Panos Kampanakis | ||
| Last updated | 2019-03-08 | ||
| Replaced by | draft-ietf-lamps-pq-composite-sigs, draft-ietf-lamps-pq-composite-sigs, draft-ietf-lamps-pq-composite-sigs, draft-ietf-lamps-pq-composite-sigs, draft-ietf-lamps-pq-composite-sigs, draft-ietf-lamps-pq-composite-sigs | ||
| RFC stream | (None) | ||
| Formats | |||
| Stream | Stream state | (No stream defined) | |
| Consensus boilerplate | Unknown | ||
| RFC Editor Note | (None) | ||
| IESG | IESG state | I-D Exists | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
draft-ounsworth-pq-composite-sigs-00
LAMPS M. Ounsworth
Internet-Draft S. Mister
Intended status: Standards Track J. Gray
Expires: September 9, 2019 Entrust Datacard
S. Fluhrer
P. Kampanakis
Cisco Systems
March 08, 2019
Composite Keys and Signatures For Use In Internet PKI
draft-ounsworth-pq-composite-sigs-00
Abstract
With the widespread adoption of post-quantum cryptography will come
the need for an entity to possess multiple public keys on different
cryptographic algorithms. Since the trustworthiness of individual
post-quantum algorithms is at question, a multi-key cryptographic
operation will need to be performed in such a way that breaking it
requires breaking each of the component algorithms individually.
This requires defining new structures for holding composite public
keys and composite signature data.
This document defines the structures CompositePublicKey,
CompositeSignatureAlgorithmParams, and CompositeSignatureValue which
are sequences of the respective structure for each component
algorithm. This document also defines algorithms for generating and
verifying composite signatures. This document makes no assumptions
about what the component algorithms are, provided that their
algorithm identifiers and signature generation and verification
algorithms are defined.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
Ounsworth, et al. Expires September 9, 2019 [Page 1]
Internet-Draft PQ Composite Certs March 2019
This Internet-Draft will expire on September 9, 2019.
Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Definitions and notation . . . . . . . . . . . . . . . . . . 4
3.1. Definitions . . . . . . . . . . . . . . . . . . . . . . . 4
3.2. Notation . . . . . . . . . . . . . . . . . . . . . . . . 5
4. Composite Structures . . . . . . . . . . . . . . . . . . . . 5
4.1. Composite Public Key . . . . . . . . . . . . . . . . . . 5
4.2. Composite Signature Algorithm . . . . . . . . . . . . . . 6
4.3. Encoding Composite Structures As Octet Strings and Bit
Strings . . . . . . . . . . . . . . . . . . . . . . . . . 6
5. Composite Signature Algorithm . . . . . . . . . . . . . . . . 7
5.1. Composite Signature Generation . . . . . . . . . . . . . 7
5.2. Composite Signature Verification . . . . . . . . . . . . 7
6. Mechanisms to distribute verification policy to clients . . . 9
6.1. Local verifier policy . . . . . . . . . . . . . . . . . . 9
6.2. Extra metadata in the public key or signature . . . . . . 9
6.3. Extra metadata in the certificate . . . . . . . . . . . . 10
6.4. Policy certificate issued by the Certificate Authority . 10
6.5. Policy constraints in a cross-certificate . . . . . . . . 10
6.6. Revoked Algorithms CRL Extension . . . . . . . . . . . . 10
6.6.1. Implicit Revocation . . . . . . . . . . . . . . . . . 11
7. New Algorithm Identifiers . . . . . . . . . . . . . . . . . . 12
8. In Practice . . . . . . . . . . . . . . . . . . . . . . . . . 12
9. Implications for existing standards . . . . . . . . . . . . . 12
9.1. RFC 2986 . . . . . . . . . . . . . . . . . . . . . . . . 12
9.2. RFC 5280 . . . . . . . . . . . . . . . . . . . . . . . . 12
9.3. Cryptographic protocols . . . . . . . . . . . . . . . . . 12
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13
11. Security Considerations . . . . . . . . . . . . . . . . . . . 13
Ounsworth, et al. Expires September 9, 2019 [Page 2]
Internet-Draft PQ Composite Certs March 2019
12. Appendices . . . . . . . . . . . . . . . . . . . . . . . . . 13
12.1. Intellection Property Considerations . . . . . . . . . . 13
12.2. Comparison with draft-truskovsky-lamps-pq-hybrid-x509 . 13
13. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 14
14. Acknowledgenents . . . . . . . . . . . . . . . . . . . . . . 14
15. References . . . . . . . . . . . . . . . . . . . . . . . . . 14
15.1. Normative References . . . . . . . . . . . . . . . . . . 14
15.2. Informative References . . . . . . . . . . . . . . . . . 14
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15
1. Introduction
During the transition to post-quantum cryptography, there will be
uncertainty as to the strength of cryptographic algorithms; we will
no longer fully trust traditional cryptography such as RSA, Diffie-
Hellman, DSA and their elliptic curve variants, but we will also not
fully trust their post-quantum replacements until they have had
sufficient scrutiny. Unlike previous cryptographic algorithm
migrations, the choice of when to migrate and which algorithms to
migrate to, is not so clear. Even after the migration period it may
be advantageous for an entity's cryptographic identity to be composed
of multiple public-key algorithms. Even after the transition period,
a composite approach may be advantageous as a single entity may have
multiple public keys on different algorithms or strengths to address
different use-cases, and a single signature may want to compase
multiple of them together.
The deployment of composite public keys and signatures using post-
quantum algorithms will face two challenges
o Algorithm strength uncertainty: During the transition period, some
post-quantum signature and encryption algorithms will not be fully
trusted, while also the trust in legacy public key algorithms will
also start to erode. A relying party may learn some time after
deployment that a public key algorithm has become untrustworthy,
but in the interim, they may not know which algorithm an adversary
has compromised.
o Backwards compatibility: During the transition period, post-
quantum algorithms will not be supported by all clients.
This document provides a mechanism to address algorithm strength
uncertainty by providing formats for encoding multiple public keys
and multiple signature values into existing public key and signature
fields. The issue of backwards compatibility is left open to be
addressed in separate draft(s).
Ounsworth, et al. Expires September 9, 2019 [Page 3]
Internet-Draft PQ Composite Certs March 2019
This document is intended for general applicability anywhere that
public key structures or digital signatures are used, but where
specific design decisions needed to be made, the authors chose the
variant that caused the least disruption to existing X.509
certificates, as defined in [RFC5280].
_EDNOTE: While the scope of this document is restricted to
signatures, we note that the same structure is equally applicable to
asymmetric encryption keys. Though a word of warning that the
corresponding "encrypt / decrypt with a composite public key" logic
is somewhat less obvious than; a naive implementer might be tempted
to follow the same pattern as bellow and encrypt the message with
each public key separately and then concatenate the ciphertexts,
which is wrong. Specifying the correct implementation of such an
encryption scheme is out of scope for this document, but would be
good work for someone in the standards community to pick
up._"CompositePublicKey"
2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
3. Definitions and notation
3.1. Definitions
_EDNOTE: A glossary of terms we define for this document, or terms
that we borrow from other RFCs._
ALGORITHM: An information object class for identifying the type of
cryptographic operation to be performed. This document is
primarily concerned with algorithms for producing digital
signatures, though the public key structure could just as
easily hold encryption keys.
COMPONENT ALGORITHM: A single basic algorithm which is contained
within a composite algorithm.
COMPOSITE ALGORITHM: An algorithm which is a sequence of one or
more basic algorithm, as defined in
{{sec-composite-structs}}.
Ounsworth, et al. Expires September 9, 2019 [Page 4]
Internet-Draft PQ Composite Certs March 2019
3.2. Notation
No special notation is used in this document.
4. Composite Structures
In order for public keys and signatures to be composed of multiple
algorithms, the respective structures defined in [RFC2986], [RFC5280]
(AND OTHERS??) need to be extended. We define encodings of sequences
of public keys and signature data which consist of a sequence of
public keys and signatures from more basic signature algorithms (aka
"component algorithms") such that these structures can be places into
any existing public key or signature structure.
This section defines
o Composite public key: A general structure for holding multiple
public keys within a single public key data structure.
o Composite signature: Data structures needed to make use of the
Composite Signature signature algorithm (defined in Section 5),
which encapsulates signatures made with multiple public keys.
_EDNOTE: Defining composite algorithm parameters as a sequence inside
the existing structure avoids an exponential proliferation of OIDs
that are needed for each pairwise combination of signature algorithms
in other competing schemes for achieving multi-key certificates.
This scheme also naturally extends from 2-keypair to n-keypair keys
and certificates._
4.1. Composite Public Key
A composite public key is a sequence of component public keys that
are used together. A composite public key is identified by the
object identifier
id-ce-compositePublicKey OBJECT IDENTIFIER ::= { OID }
The parameters field for this public key type MUST be absent. The
composite public key data is represented by the following structure:
CompositePublicKey ::= SEQUENCE OF SubjectPublicKeyInfo
where each element of the sequence is a "SubjectPublicKeyInfo" of a
public key that MAY be used in conjunction with the other keys in the
sequence. When the public key must be provided in octet string or
bit string format, the data structure is converted as specified in
Section 4.3.
Ounsworth, et al. Expires September 9, 2019 [Page 5]
Internet-Draft PQ Composite Certs March 2019
_EDNOTE: This document does not define the corresponding private key
formats because the authors deemed it to be out of scope. We do note
that the draft the Max Pala on a similar topic, does define private
key formats, so there could be scope to merge these
submissions._[I-D.pala-composite-crypto]
4.2. Composite Signature Algorithm
The Composite Signature signature algorithm defined in Section 5 is
identified by the following object identifier:
id-ce-compositeSignature OBJECT IDENTIFIER ::= { OID }
The following algorithm parameters MUST be included when this
identifier is used:
CompositeSignatureAlgorithmParams ::= SEQUENCE OF AlgorithmIdentifier
When a composite signature is generated by a key with a
CompositePublicKey, the signature's CompositeSignatureAlgorithmParams
sequence MUST contain the same component algorithms listed in the
same order as in the associated CompositePublicKey.
The Composite Signature algorithm output is the DER encoding of the
following structure:
id-ce-CompositeSignatureValue OBJECT IDENTIFIER ::= { OID }
CompositeSignatureValue ::= SEQUENCE OF BIT STRING
Where each bit string within "CompositeSignatureValue" is a signature
by one of the component signature algorithms.
The choice of "SEQUENCE OF BIT STRING" rather than "BIT STRING" is so
the type-length-value encoding can solve the problem of variable-
length signature values. The signature's "CompositeSignatureValue"
sequence MUST contain the same component algorithms listed in the
same order as in the associated "CompositeSignatureAlgorithmParams".
4.3. Encoding Composite Structures As Octet Strings and Bit Strings
Many specifications require that the composite public key and
composite signature data structures be represented by an octet string
or bit string. When an octet string is required, the DER encoding of
the composite data structure SHALL be used directly. When a bit
string is required, the octets of the DER encoded composite data
structure SHALL be used as the bits of the bit string, with the most
significant bit of the first octet becoming the first bit, and so on,
Ounsworth, et al. Expires September 9, 2019 [Page 6]
Internet-Draft PQ Composite Certs March 2019
ending with the least significant bit of the last octet becoming the
last bit of the bit string.
5. Composite Signature Algorithm
The Composite Signature signature algorithm generates a single
composite signature by using multiple private keys to apply multiple
signature algorithms to the input message, with the resulting
signature effectively being the concatenation of the individual
signature values.
This algorithm addresses algorithm strength uncertainty by providing
the verifier with parallel signatures from all the component
signature algorithms used as part of the composite signature;
breaking the composite signature would require breaking each of the
component signatures.
5.1. Composite Signature Generation
The following algorithm is used to generate composite signature
values.
Input:
K1, K2, ..., Kn Private keys for the n component signature
algorithms
M Message to be signed, an octet string
Output:
S Signature, an octet string
Signature Generation Procedure:
1. Generate the n component signatures independently,
according to their algorithm specifications.
for i := 1 to n
Si := Sign( Ki, M )
2. DER encode the component signatures into an ASN.1 value of type
Signature, where the type Signature has the syntax
Signature ::= Sequence { S1, S2, ..., Sn }
Let S be the DER encoding of the Signature
3. Output S
5.2. Composite Signature Verification
Verification of a composite signature involves applying each
component algorithm's verification routine according to its
specification, and then outputting "Valid signature" (true) if a
sufficient number of component algorithms were valid, and "Invalid
signature" (false) otherwise.
Ounsworth, et al. Expires September 9, 2019 [Page 7]
Internet-Draft PQ Composite Certs March 2019
Implementations MAY include policy mechanisms for determining which
and how many component algorithms must be valid in order for the
composite signature to be considered valid. See Section 6 for
further discussion of possible standardization of such mechanisms.
This section assumes the existence of such a policy mechanism,
specifically one that allows revocation of individual component
algorithms.
This section provides a sample algorithm for validating composite
signatures. Compliant implementations MUST return "Invalid
signature" whenever the sample algorithm does, but MAY require more
than one signature to be valid.
Input:
P Signer's composite public key
M Message whose signature is to be verified, an octet string
S Composite Signature to be verified
A Composite Algorithm identifier
Output:
Validity "Valid signature" (true) if the composite signature is
valid, "Invalid signature" (false) otherwise.
Signature Verification Procedure::
1. Parse P, S, A into the component public keys, signatures,
algorithm identifiers
P1, P2, ..., Pn := Desequence( P )
S1, S2, ..., Sn := Desequence( S )
A1, A2, ..., An := Desequence( A )
If Error during Desequencing, or the three sequences have different
numbers of elements, then output "Invalid signature" and stop.
2. Check each signature individually
V1, V2 , ..., Vn := BOOLEAN
for i := 1 to n
Check if Ai is a recognized algorithm, if so then,
Check if algorithm Ai has been revoked, if not then,
Verify the component signature according to the component
algorithm's specification
Vi = verify( Pi, M, Si )
3. Check policy to see whether V1, V2, ..., Vn constitutes a valid
signature
if isValid(V1, V2, ..., Vn), then
output "Valid signature"
else
output "Invalid signature"
Ounsworth, et al. Expires September 9, 2019 [Page 8]
Internet-Draft PQ Composite Certs March 2019
If "V1 = V2 = ... = Vn = false" for all "Vi", then "isValid(V1, V2,
..., Vn)" MUST return false. Implementations MAY include additional
policy mechanisms as discussed in Section 6.
6. Mechanisms to distribute verification policy to clients
In the traditional world of single-key public keys and signatures,
the semantics of a signature and a verification are straight-forward:
if the key is trusted (via public key pinning, a PKIX revocation
check, etc) and the signature is valid, then the signed content can
be trusted. However the semantics are less obvious in a world where
public keys and signatures are composed of two or more algorithms; it
is conceivable that even though one component algorithm fails
verification, for example because the algorithm is revoked, a multi-
algorithm signature may contain enough other trustworthy component
algorithms to still be considered valid.
This section addresses how a verifier can obtain policy information
for which and/or how many component algorithms must be valid in order
for the signature as a whole to be valid. The authors ask for
community feedback about whether this needs to be specified, and if
so, how best to do it.
This section lists rough outlines for several such mechanisms that
have come up in discussion during the drafting of this document.
They are mainly focused around X.509 PKIs, and provided here merely
for the purposes of sparking debate. The authors believe that by
specifying such a mechanism, the world will be able to more quickly
react to news of algorithm compromise with a lower service disruption
compared to the need to revoke and re-issue all certificates using
that algorithm. However, we are not sure if the gains justify the
added complexity.
6.1. Local verifier policy
Much as we do today, this is left up to domain administrators and
software vendors to implement the guidance of governing bodies on a
system-by-system basis.
6.2. Extra metadata in the public key or signature
This policy information could be specified by the signer at signing
time. Depending on the structure of the databeing signed, this
metadata could go into the public key, or an extension to the
signature, or some other field provided that it is inside the signed
data blob.
Ounsworth, et al. Expires September 9, 2019 [Page 9]
Internet-Draft PQ Composite Certs March 2019
6.3. Extra metadata in the certificate
This policy information could be included in a certificate via an
X.509 v3 extension. This gives the Certificate Authority control,
but has the drawback that updating the policy requires revoking and
reissuing certificates.
6.4. Policy certificate issued by the Certificate Authority
Certificate Authorities have the ability to issue policy certificates
that specify the behaviour when verifying signatures performed by
keys in certificates within the scope of the policy certificate.
This method has the advantage that policy is centrally-managed, and
can be updated without needing to reissue any certificates, but has
the drawback that not all PKI implementations support policy
certificates.
6.5. Policy constraints in a cross-certificate
This method behaves similarly to the policy certificate method above,
but has better support across PKI implementations.
6.6. Revoked Algorithms CRL Extension
Add an extension to CRLs so that in addition to revoking
certificates, they can also revoke algorithms for all certificates
within the scope of that CRL. Implemented with care, this could
allow a single PKI to do a staged algorithm migration by only
revoking the algorithm for one CRL group at a time.
id-ce-RevokedAlgorithms OBJECT IDENTIFIER ::= { OID }
RevokedAlgorithms ::= SEQUENCE OF SEQUENCE {
algorithms AlgorithmIdentifier,
revocationDate Time,
crlEntryExtensions Extensions OPTIONAL
-- if present, version MUST be v2
}
_EDNOTE: do we need the crlEntryExtensions field? If so, which ones
from https://tools.ietf.org/html/rfc5280#section-5.3 are allowed
here?_
There may only be one "RevokedAlgorithms" extension in a CRL. This
extension is OPTIONAL. If a CRL contains only composite
certificates, then this extension SHOULD be designated as critical.
Ounsworth, et al. Expires September 9, 2019 [Page 10]
Internet-Draft PQ Composite Certs March 2019
If a CRL contains a mixture of composite and traditional certificates
then it SHOULD be designated as non-critical.
If the Revoked Algorithms extension is present in a CRL, then a
client performing a certificate validation on an otherwise non-
revoked certificate within the scope of that CRL MUST skip any
signatures corresponding to a revoked algorithm; thus a certificate
is valid only if it would have been valid had those Algorithm IDs and
Signature Values been omitted from the certificate.
Once a algorithm has been marked as revoked on a given CRL, it MUST
remain revoked on subsequent CRLs.
_EDNOTE: Is there corresponding wording about cert serial numbers on
CRLs from RFC5280? Or is this unnecessary implied?_
Note that a similar mechanism could be used on a per-certificate
basis via CRL Entry Extensions, however the authors believe that
giving operators the ability to perform partial revocation of a
certificate (ie revoking some keys or signatures but leaving the
certificate as a whole valid) will greatly increase the complexity of
certificate validation routines, thus increasing the chance of both
human error, and implementation bugs leading to vulnerabilities,
without providing a commensurate amount of increased functionality.
By not defining a new CRL Entry Extension, the following requirement
is implied: if any key within a certificate warrant revocation, the
entire certificate MUST be revoked using the existing revocation
mechanisms (this does not apply when the algorithm is globally
revoked for the entire scope of this CRL).
6.6.1. Implicit Revocation
A Composite Signature Algorithm is considered to be "implicitly
revoked" if the certificate is otherwise valid but one of the
following conditions are met.
o A certificate using a single-key algorithm which is revoked within
the scope of its CRL. In this case, signature verification SHOULD
fail when performed by a compliant client, but of course will
succeed when performed by a legacy client which is not aware of
this CRL extension.
o All of the component algorithms are revoked within the scope if
its CRL. In this case, signature verification MUST fail when
performed by a compliant client, regardless of which verification
algorithm is used.
Ounsworth, et al. Expires September 9, 2019 [Page 11]
Internet-Draft PQ Composite Certs March 2019
At the time of an algorithm revocation, a certificate authority MAY
revoke certificates meeting one ofd the above criteria (by placing
them in the traditional "revokedCertificates" list) with a revocation
reason of "keyCompromise". OCSP responders SHOULD designate a
certificate as revoked if it meets the above condition.
7. New Algorithm Identifiers
_EDNOTE: This subsection will define the OIDs for the initial
composite algorithm combinations we want to define. These are the
OID that Section 10 will ask for IANA to assign._
8. In Practice
_EDNOTE: This section will talk about practical issue of how these
certificates will be used. For example it will talk about the size
of these certs and cert chains. It will explain that if a cert in
the chain is a Composite cert then the whole chain needs to be of
Composite Certs. It will also explain that the root CA cert does not
have to be of the same algorithms. The root cert SHOULD NOT be
transferred in the authentication exchange to save transport overhead
and thus it can be different than the intermediate and leaf certs.
It will talk about overhead (size and processing). It will also
discuss backwards compatibility. It could include a subsection about
implementation considerations._
9. Implications for existing standards
9.1. RFC 2986
_EDNOTE: summarize the updates to RFC 2986 (CSR / PKCS#10)._
9.2. RFC 5280
_EDNOTE: summarize the updates to RFC 5280 (X.509)._
9.3. Cryptographic protocols
This section talks about how protocols like (D)TLS and IKEv2 are
affected by this specifications. It will not attempt to solve all
these problems, but it will explain the rationale, how things will
work and what open problems need to be solved. Obvious issues that
need to be discussed.
o How does the protocol declare support for composite signatures?
TLS has hooks for declaring support for specific signature
algorithms, however it would need to be extended, because the
client would need to declare support for both the composite
Ounsworth, et al. Expires September 9, 2019 [Page 12]
Internet-Draft PQ Composite Certs March 2019
infrastructure, as well as for the various component signature
algorithms.
o How does the protocol use the multiple keys. The obvious way
would be to have the server sign using its composite public key;
is this sufficient.
o Overhead; including certificate size, signature processing time,
and size of the signature.
o How to deal with crypto protocols that use public key encryption
algorithms; this document only lists how to work with signature
algorithms. Encoding composite public keys is straightforward;
encoding composite ciphertexts is less so - we decided to put that
off to another draft.
10. IANA Considerations
_EDNOTE: This section will include content only if new OIDs or IANA
codepoints are assigned for it._
11. Security Considerations
_EDNOTE: This section includes the Security Considerations._
o CA implementations need to be careful when checking for
compromised key reuse, for example as required by WebTrust
regulations; unpack the CompositePublicKey structure and compare
individual keys.
o The corresponding multi-key encryption routine is considerably
more prone to implementation errors that will result in a
catestrophic loss of security, as compared with the signature
algorithms specified in this document.
12. Appendices
12.1. Intellection Property Considerations
The authors claim no IPR associated with any of the content of this
draft.
12.2. Comparison with draft-truskovsky-lamps-pq-hybrid-x509
_EDNOTE: This section will explain the differences from . IPR Claims
should be mentioned here if necessary. Other things to consider are
the things like simplicity and format, inadvertnt implementation
errors, algorithm agility._[I-D.truskovsky-lamps-pq-hybrid-x509]
Ounsworth, et al. Expires September 9, 2019 [Page 13]
Internet-Draft PQ Composite Certs March 2019
13. Contributors
This document incorporates contributions and comments from a large
group of experts. The Editor would especially like to acknowledge
the tireless dedication of the following people, who attended many
long meetings and generated millions of bytes of electronic mail over
the past 3 years months in pursuit of this document:
We are grateful to all, including any contributors who may have been
inadvertently omitted from this list.
14. Acknowledgenents
_EDNOTE: this section include all those that need to be acknowledged
in the draft_
15. References
15.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC2986] Nystrom, M. and B. Kaliski, "PKCS #10: Certification
Request Syntax Specification Version 1.7", RFC 2986,
DOI 10.17487/RFC2986, November 2000,
<https://www.rfc-editor.org/info/rfc2986>.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
<https://www.rfc-editor.org/info/rfc5280>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
15.2. Informative References
[I-D.pala-composite-crypto]
Pala, M., "Composite Public Keys and Signatures", draft-
pala-composite-crypto-00 (work in progress), February
2019.
Ounsworth, et al. Expires September 9, 2019 [Page 14]
Internet-Draft PQ Composite Certs March 2019
[I-D.truskovsky-lamps-pq-hybrid-x509]
Truskovsky, A., Geest, D., Fluhrer, S., Kampanakis, P.,
Ounsworth, M., and S. Mister, "Multiple Public-Key
Algorithm X.509 Certificates", draft-truskovsky-lamps-pq-
hybrid-x509-01 (work in progress), August 2018.
Authors' Addresses
Mike Ounsworth
Entrust Datacard Limited
1000 Innovation Drive
Ottawa, Ontario K2K 1E3
Canada
Email: mike.ounsworth@entrustdatacard.com
Serge Mister
Entrust Datacard Limited
Email: serge.mister@entrustdatacard.com
John Gray
Entrust Datacard Limited
Email: john.gray@entrustdatacard.com
Scott Fluhrer
Cisco Systems
Email: sfluhrer@cisco.com
Panos Kampanakis
Cisco Systems
Email: pkampana@cisco.com
Ounsworth, et al. Expires September 9, 2019 [Page 15]