LAMPS WG at IETF119 in Brisbane, QLD, AU

LAMPS WG Session #1

Time: Monday, 18 March 2024 at 15:00
Location: P3

Agenda bashing

With the IESG or the RFC Editor

draft-ietf-lamps-cms-kemri (John Gray)

draft-ietf-lamps-nf-eku (Tirumal, Jani, Daniel)

draft-ietf-lamps-pkcs12-pbmac1 (Hubert)

draft-ietf-lamps-x509-policy-graph (David B)

draft-ietf-lamps-header-protection (DKG)

draft-ietf-lamps-e2e-mail-guidance (DKG)

draft-ietf-lamps-rfc8398bis (Alexey, Wei, Corey)

draft-ietf-lamps-rfc8399bis (Russ)

draft-ietf-lamps-norevavail (Russ)

draft-ietf-lamps-rfc5019bis (Tadahiko)

draft-ietf-lamps-cert-binding-for-multi-auth (Alie, Rebecca, Mike)

draft-ietf-lamps-rfc4210bis/-rfc6712bis (Hendrik Brockhaus)

draft-ietf-lamps-rfc7030-csrattrs (Michael)

draft-ietf-lamps-dilithium-certificates (Sean)

draft-ietf-lamps-csr-attestation (Mike Ounsworth)

draft-ietf-lamps-rfc5990bis (Russ)

draft-housley-lamps-cms-sha3-hash (Russ)

draft-ietf-lamps-cms-kyber (Daniel Van Geest)

draft-ietf-lamps-cms-sphincs-plus (Russ)

draft-ietf-lamps-pq-composite-kem (Mike Ounsworth)

LAMPS WG Session #2

Time: Wednesday, 20 March 2024 at 15:00
Location: M2

draft-ietf-lamps-cms-cek-hkdf-sha256 (Russ)

Under consideration for adoption

CMC-bis: draft-mandel-lamps-rfc5272bis, draft-mandel-lamps-rfc5273bis, draft-mandel-lamps-rfc5274 (Joe Mandel)

Scott Fluhrer: Why "TLS 1.2" and not "1.3"?

Sean Turner: It is "1.2 or later", which is ok as per UTA BCP (BCP 195 /
RFC 9325).

Mike Ounsworth: Putting DER(OID) as a signature domain separator makes
this CMS-specific and therefore not re-usable across other protocols --
JOSE, COSE, etc.

Russ / Alexey: Nope. There is precedent for embedding OIDs inside, for
example PKCS#1. Other protocols just treat the DER-encoded OID as an
opaque octet string.

Composite ML-DSA for use in Internet PKI: draft-ounsworth-pq-composite-sigs

Sean Turner: Provide registry expert instructions to disallow MLS+NULL,
i.e., stop the silly.

Quynh: If you want to make the list smaller, I suggest taking out the
ML-DSA-65.

Jonathan Hammell: Do we need the RSA-PSS? The argument for including
them is old code; does any of that old code actually support PSS?

Guilin Wang: Why are there three hashes? The OID and M' could be hashed
once.

Scott: ML-DSA requires a hash with a specific prefix and that is
different than the yellow one.

Mike O: There are only two hashes. If you reduce it to one, you don't
get the non-separability property.

John Gray: Hashes are cheap.

Rohan Mahy: In many registries, there is a RECOMMENDED column. We could
introduce one here and mark a bunch of them as NOT RECOMMENDED.

Mike O: There was a RECOMMENDED column four drafts ago, but it was taken
out because CMS leaves the MUST and SHOULD statements to the protocol
that makes use of CMS. For example, S/MIME 4.0 uses CMS, and it makes
the MUST and SHOULD statements.

John Mattson: MLDSA-EdDSA uses SHAKE. Wouldn't it make sense to use
SHAKE?

Mike O: All the prehashes here are SHA2. We don't want SHA3 at this
level.

John Gray: At the crypto layer, it uses SHA3, but at the CMS layer we
are using SHA2.

Kris: Still unclear what the use case is for composites. Why not use
SLH-DSA?

Mike O: Even the biggest signature on this list is smaller and faster
than SPHINCS+.

John Gray: I learned in the OpenPGP WG the ML-DSA authors recommend
using ML-DSA in hybrid. That is what this is.

Poll: Should we do a call for adoption?

RESULTS: Yes (24), No (1), No Opinion (12).

When asked for an explanation, the "No" did not come to the mic.

Chairs will start an adoption call after the meeting.

Algorithm Identifiers for Hash-based Signatures: draft-gazdag-x509-slhdsa + draft-gazdag-x509-shbs (Stefan-Lucas Gazdag)

Russ: Please indicate whether you would like to support adoption in the
mail thread on the list:
https://mailarchive.ietf.org/arch/msg/spasm/ueD9NVydcLV_8m05PTljCNDYM6c/

EKU for Instant Messaging URIs: draft-mahy-lamps-im-keyusage (Rohan Mahy)

Russ: Any objection to defining an EKU for IM?

Result: No objections

Russ: Will start adoption call on list.

Nonce-based Freshness for Remote Attestation in CSRs for CMP & EST: draft-tschofenig-lamps-nonce-cmp-est (Hannes Tschofenig)

Mike StJohns: Think about how are you going to carry a nonce in the CSR.
It may not be something kept around.

Hannes: In the hackathon, there was a question of DoS resistance. You
need to keep the state around, keeping a mapping between a session and
verifier. DoS mitigation techniques, e.g. tickets, exist.

Sean Turner: Why didn't you support CMC? Would you be willing to accept
text?

Hannes: Absolutely.

Sean Turner: Don't need a mandatory-to-implement (MTI). I support
adoption.

Dan Harkins: In EST, the challenge password is from the TLS
establishment. Why is that not fresh enough? Why do you need a nonce?

Hannes: It comes from a different party.

Dan Harkins: You could put the nonce in the CSR attributes.

Hannes: We use a different approach in the -00. In the hackathon, it
didn't work well to open the messages. So switched to an independent
message approach. Also added a hint. RATS architecture document explains
some of the considerations. Open to suggestions of a better place to put
it.

Hendrik Brochaus: We started with the overloading of the CSR attributes,
but it is interesting for the RA to know the evidence and some info may
be needed from the end-entity. That motivated the change to the response
message.

Muhammad Usama Sardar: Will the draft be limited to TPM and Arm PSA? In
confidential computing context, we don't have trusted time and this
would be very useful. Is that out of scope? Is there something in the
implementation which cannot be carried over to Trusted Execution
Environments?

Hannes: The two examples are just illustrations. Should work fine on
other attestation technologies.

Ned Smith: Does this draft define how the nonce flows from the verifier
to the CA? Is that in scope?

Hannes: So far, it hasn't been included. Naively, it might be defined in
RATS.

Chairs: Issue call for adoption!

Dan Harkins: Do we need some kind of signal to indicate who the nonce
should come from?

Hannes: Didn't get an answer from RATS, but it used a hint. The attester
has some API that is uses to talk to the system.

Mike O.: It's already there!

Mike StJohns: You don't need to have the RP request the nonce from the
verifier.

Mike O: (on behalf of Carl Wallace in chat): The Hint is in the nonce
request, and then again in the Evidence / CSR. It could also be in the
Response so that the Attester can simply echo it into the Evidence and
does not need to keep state.