Liaison statement
LS on ITU-T SG17 work on quantum-safe PKI

State Posted
Posted Date 2017-09-13
From Group ITU-T-SG-17
From Contact Jean-Paul Lemaire
To Groups ipsecme, lamps
To Contacts David Waltermire
Tero Kivinen
Russ Housley
CcDavid Waltermire
IP Security Maintenance and Extensions Discussion List
itu-t-liaison@iab.org
Limited Additional Mechanisms for PKIX and SMIME Discussion List
Russ Housley
Scott Mansfield
Kathleen Moriarty
Tero Kivinen
Eric Rescorla
Response Contact jean-paul.lemaire@univ-paris-diderot.fr
Purpose For information
Attachments sp16-sg17-oLS-00068
Body
ITU-T Study Group 17 is pleased to inform you that in our August/September 2017
meeting we agreed to start work on the inclusion of a proposal to include
optional support for multiple public-key algorithms in Recommendation ITU-T
X509 | ISO/IEC 9594-8.

The industry is preparing ICT systems to be resistant to attacks by large-scale
quantum computers in addition to more sophisticated attacks by conventional
computing resources. Proposed was an optional feature to the X.509 certificate
that provides a seamless migration capability to existing PKI systems, and is
completely backwardly compatible with existing systems.

While public-key key establishment algorithms are typically negotiated between
peers and are generally fairly simple to update, the authentication systems
typically rely on a single digital signature algorithm which are more difficult
to update. This is because of the circular dependency between PKI-based
identity systems and the dependent communication protocols. In order to update
a PKI system, one would typically need to create a duplicate PKI system that
utilizes a new digital signature algorithm and then migrate all the dependent
systems one by one.

This proposal eliminates the need to create such duplicate PKI systems by
adding optional extensions to contain alternate public key and alternate
signature, and a method for the CA to sign certificates using a layered
approach to ensure that every attribute is authenticated by both signatures.
The resulting certificate, while containing new quantum safe public key and
signature, can still be used by existing systems relying on the classic public
key and signature.