►
From YouTube: IETF-LAMPS-20220919-1300
Description
LAMPS meeting session at IETF
2022/09/19 1300
https://datatracker.ietf.org/meeting//proceedings/
A
A
A
After
that,
this
slide
is:
is
changes
discussions
on
the
list,
Friday
we're
going
to
talk
about
the
hashland
sign
issue
with
post
Quantum
signatures
and
then,
if
there's
time
left
we're
going
to
talk
about
the
and
a
status
update
on
CMP,
the
two
rfcs
that
are
being
updated
there
so
because
of
the
slide
issue,
we're
going
to
start
with
the
pthcs12
presentation.
While
we
try
and
sort
out
the
slides
for
the
CMS
presentation
before
we
go
any
further,
though,
of
course
we
need
a
note
taker
as
anyone
willing
to
do
that.
A
A
C
C
C
The
purpose
of
the
file
format
is
to
transfer
private
key
certificates,
secrets
and
extensions.
The
specification
is
in
RFC
7
to
92..
There
are
a
lot
of
implementations.
The
primary
ones
that
we
are
interested
in
are
in
open,
SSL
and
accessible
to
TLs,
but
there
are
also
a
lot
of
of
implementations
in
Windows
in
by
a
lot
of
Hardware
implementations
in
Network
appliances
and
so
on,
and
so
forth,
more
or
less
interoperable.
C
Basically,
the
only
interoperable
file
format
that
works
for
both
our
windows
and
Linux
environments.
The
file
format
itself
has
a
very
extensive
structure,
but
on
the
top
level
there
is
technically
just
three
Fields
the
version
the
outsafe,
which
is
the
list
of
items
which
are
inside
the
the
file
for
the
the
file
itself.
And
then
there
is
the
Mac
data,
which
is
working
as
the
Integrity
protection
for
the
whole
file.
C
What's
important
is
that
Mac
data
specifies
just
the
digest
that
is
used
for
the
Mac
protection,
the
the
salt
used
for
that
hmac
derivation
and
the
iteration
count
that's
used
for
the
for
the
key
derivation,
while
some
implementations
allow
omission
of
the
mark
as
this
as
the
a71
specifications
here
shown.
Does.
C
Most
of
them
actually
are
quite
iffy
on
that
Mark
generation
itself
is
specified
in
appendix
B
of
the
RFC,
and
there
already
is
a
specification
that
this
this
like
when
you
choose
with
with
password
the
key
derivation
is
not
recommended
and
it
should
be
duplicated
for
a
new
usage
one.
So
well,
while
we
already
had.
C
C
So
our
intentions,
we
want
to
have
an
up-to-date
standard
that
allows
use
of
new
and
current
derivation
functions.
We
want
fips
compliance.
We
also
want,
as
far
as
possible
backwards
compatibility
so
that
those
files
would
be
readable,
at
least
partially
by
old
implementations,
and
also
we
want
that
implementations
to
be
easy
to
to
do
since
we
need
to
implement
it
in
multiple
libraries
and,
and
so
so,
the
the
ease
of
implementation
is
important.
C
So
the
proposal
we
want
to
do
is
to
prep
to
preserve
the
existing
high
level
pkcs12
structure
and
additionally,
permit
the
use
of
the
ID
PB.
Mark
1
object
identifier
as
a
valid
type
for
the
digest
algorithm.
So,
instead
of
specifying
as
a
hash
algorithm,
it
would
specify
just
the
PB
Mac
one
as
the
as
the
hash
itself,
then
we
would.
C
While
for
the
pkcs12
structure
itself,
the
max
out
and
iteration
values
would
be
completely
ignored,
since
those
are
while
they
make
sense
for
for
use
with
pbk
df2,
they
don't
make
sense
for
a
script
or
for
argon2
like
those
those
use,
much
more
advanced
and
more
complex
parameters
to
to
work.
So
we
would
need
to
completely
ignore
them
to
make
for
interoperability.
The
upside
for
this
proposal
is
that
pvmark
is
quite
easy
to
implement,
uses
exactly
the
same
key
derivation
functions
as
already
deployed
bulk
encryption
ciphers
so
like.
C
C
We
also
already
have
a
very
widely
deployed
implementations
that
will
be
able
to
extract
the
private
keys
and
certificates
from
files
that
use
ppmac
1,
just
by
telling
them
to
skip
the
Mac
verification.
So
you
can
use
openssl,
probably
like
even
098
or
and
definitely
101,
that
that's
the
one
all
this
one
I've
actually
tested
that
will
allow
you
to
read
the
file
by
specifying
just
to
open
SSL,
ignore
Mac
verification
and
then
you'll
be
able
to
verify
like
extracted
their
private
keys
and
certificates.
C
C
Now
the
alternative
that
was
proposed
on
the
mailing
list
was
to
use
aesccm.
Now
the
problems
are
that
I'm
not
aware
of
any
implementation
of
that
inside
pkcs12.
None
of
the
widely
deployed
libraries
that
we
actually
use
supported.
So
none
of
the
open,
SSL
green
tls's,
Java
Windows,
as
as
Windows
implementation,
I'm,
not
aware
of
them
supporting
them.
That
would
also
be
the
very
first
aad
Cipher
in
pkcs12,
so
that
would
require
a
very
new
and
potentially
complex
code.
C
This
is
also
not
a
wildly
used
Cipher,
so
anyone
that
would
need
would
want
to
use
it
in
kcs12
would
need
to
implement
it
verify
and
in
some
cases,
also
certify,
since
we
wanted
to
flip
certification
that
would
that
for
some
implementations
that
would
require
another
Cipher
to
certify.
Finally,
there
is
no
clean
way
to
handle
as
CCM
together
with
hmac.
If
we
live
and
live
in
the
Legacy
Mark
in
the
file,
then
the
straight
flip
compliance
will
be
problematic.
Since
then,
you
cannot
derive
the
keys
necessary
for
hmac.
C
So
the
specification
is
on
data
records.
The
draft
carrier
pkcs12
PB,
Mach
1.
There
is
GitHub
also
with
the
source
code,
for
that
would
have
a
quick
and
delete
implementation
of
open
SSR
in
openssl,
and
if
the
draft
is
actually
adopted
by
the
work
group,
we
will
provide
a
full
implementation
for
openssl,
nucleus
and
NSS.
That's
the
absolute
minimum.
We
also
will
be
pushing
for
open
jdk
support.
If
you
would
like
to
look
at
the
file
itself,
you
can
download
it
for
also
from
GitHub,
and
the
password
is
one
two
three
four.
C
So
first
question
is
from
Tim
Hall,
big
sorry,
if
I'm
mispronouncing,
the
fifth
compliance
problem,
is
the
use
of
absolute
algorithms
correct.
The
problem
is
that
the
key
derivation
function
is
not
approved
for
fips
use
and
we
want
to
use
pbktf
2
for
the
key
derivation
function
so
that
it's
effect
compliant.
B
C
A
E
A
G
A
A
A
A
A
A
H
H
A
H
H
So
basically
the
algorithm
is
defined
in
this
slide,
so
we
will
first
generate
a
ciphertext
and
the
shared
secret
thanks
to
the
cam
algorithm
then
derive
the
shared
secret
thanks
to
the
kdf
and
finally
use
the
key
encryption
key
obtained
from
the
kdf
as
the
encryption
key
for
a
symmetric
algorithm,
the
wrapping
algorithm
that
will
bring
then
confidentiality
and
integrity,
and
so
the
decoration
mechanism
is
described
here.
So
it's
the
opposite,
so
it
works
obviously,
and
so
they're
in
CMS
we
will
use.
H
We
propose
to
use
the
the
the
recipient
for
type
and
to
set
it
to
a
key
trends
recipient
recipient
info
and
to
set
the
following
values.
In
the
key
trans
recipient
info,
I
mean
we
will
set
the
the
algorithm
to
oid
IDK
Trends,
which
will
be
the
cam
trans
mechanism
and
then
set
the
algorithm
parameters
of
type
generic
hybrid
parameters.
H
Well,
let's,
let's
hit
basically
and
so
I
just
made
a
few
updates.
According
to
the
comments
made
during
last
meeting.
So
especially,
there
was
a
discussion
about
the
kdf
which
can
be
useless
if
the
cam,
for
instance,
outputs
a
key
of
the
correct
size
to
feed
the
the
symmetric
algorithm.
So
in
the
racer
really
clarified
that
this
kdf
can
be
the
identity
algorithm.
H
If
we
want
to
skip
it
and
the
other
date
was
to
make
sure
that
this
RFC
proposal
is
aligned
with
the
RSC
9000
180,
which
describes
the
hybrid
the
encryption
mechanisms.
So
basically
it's
the
same
principle
which
is
proposed
in
this
RFC,
meaning
that
it's
a
combination
of
the
free
algorithm,
chem,
kgf
and
and
the
symmetric
algorithm.
H
H
Maybe
that's
up
to
discussions
and
as
well
for
the
choice
of
kdf
of
the
web
algorithm.
Should
we
limit
them
or
should
we
be
I,
mean
quite
open
on
the
choice
of
the
kdf?
Should
we
use
well,
she
sha
free
or
kdf
base,
or
maybe
that's
still
open.
So
if
you
have
any
suggestions,
I
will
be
glad
to
get
them
and
incorporate
them
into
the
into
a
diversity.
So
that's
it
for
this
update.
So
please,
if
you
have
any
questions
suggestion
please.
A
H
F
H
Yeah,
that's
I
agree,
but
the
only
point
is
you
know
that
in
the
nice
competition
there
is
another
new
round
that
has
been
opened
for
key
encapsulation
mechanism.
So
maybe
for
the
time
being
Skybar,
but
maybe
in
a
few
years
it
could
be
changed
or
at
least
a
update
or
enhanced.
So
maybe
that's
quite.
F
Yeah
I
think
I.
Definitely
don't
want
to
get
out
ahead
of
our
ahead
of
our
skis,
as
some
people
would
say
to
be
specifying
things
in
advance
of
what
Nest
is
picked.
So
I
would
just
go
with
the
ones
that
have
been
actually
selected
and
then,
when
they
come
around,
if
they
pick
another
version
with
two
or
four
or
just
one
other
one,
then
we
can
update
the
specification.
Do
that
there's.
A
I
I
would
also
observe
that
if
we
take
the
approach
where
we're
using
key
trans,
then
you
really
all
you're
doing
is
specifying
the
conventions
for
using
kyber
at
the
three
levels.
And
so
when
another
one
comes
along,
we
can
write
a
similar
one.
That
specialized
specifies
the
conventions
for
using
that
one
with
key
trans
go
ahead.
Yuri.
D
First
first
I
think
it's.
There
is
some
a
confusion,
because
Nest
doesn't
open
fourth
round
for
the
key
encapsulation
mechanisms.
Maybe
unless
there
is
a
breakthrough
and
something
with
many
times
smaller
key
size
and
adequate
performance
comes
up
which
is
rather
unexpected.
So
we
can
probably
assume
that
key
encapsulation
mechanism
remains
what's
selected,
specifically
kyber.
D
Open
question
is
what
to
do
with
the
kdf
on
the
chat.
The
argument
is
that
one
of
the
reasons
to
use
kdf
is
to
deal
with
the
key
size
mismatch
with
symmetric
key
size.
Mismatch,
that's
a
valid
argument.
I
do
not
think
we
need
kdf
for
strength.
I
would
not
argue
for
using
it
for
size
matching,
though
again
I
find
it
a
rather
expensive
older.
G
I
G
Yeah
kill
myself
the
response
to
Yuri
in
chat
so
yeah,
the
kdf
was
there
I
think
you
know
super
conservatively
in
case.
You
know
people
end
up
wanting
to
put
non-nist
chems
here
that
don't
have
that
that
property
that
you
can
just
use
their
shared
secret
directly
as
a
symmetric
key.
You
know
there
have
in
the
past,
been
chems
that
didn't
have
that
property
I.
Suppose.
G
A
D
I
I
wanted
to
say
that
a
of
the
old
case
camps
that
did
not
have
the
necessary
properties,
probably
shouldn't
be
considered
here,
hopefully
we'll,
learn
something
since
and
second
making
the
requirements
explicit
would
easily
deal
with
this
issue.
You
would
just
look
at
the
hash,
for
example,
and
say:
wait
a
bit.
We
require
hash
that
does
not
have
obvious
collisions.
D
E
E
So
the
first
option
is
to
make
the
k
256
bits
for
all
two
or
three
cam
options,
or
on
this
could
or
we
or
we
could.
Could
you
know,
make
the
the
length
of
K
depending
on
the
strengths
that
we're
targeting,
for
example,
if
level
one
we're
thinking
about
AES
128,
so
we
could
make
the
cam
only
128
bits
or
you
know
we
yeah,
as
you
said,
so
there
are
two
options
there
and
that's.
A
second
comment
is
that
they
got
into
the
choice
of
the
PDF.
E
E
So
there
are
two
choices
there,
I
don't
know.
Which
way
is
the
right
way
to
go
and
the
third
one
is
you're
going
to
the
choice
of
rap
I'm,
not
sure
if
I
get
all
the
the
understanding,
the
the
need
for
the
wrap
here,
because
with
the
camera
long,
basically,
you
can.
You
know
both
sides
and
can
get
and
get
the
secret
key
without
needing
a
wrap.
H
E
And
the
thing
is
the
the
recipients
must
do
a
decryptions,
the
bka
decryption
and
then
a
bka
encryption
to
check
to
make
sure
you
know
the
the
legitimate
ciphertext
were
received.
There
is
a
chance
of
failure,
but
that
failure
probability
is
extremely
low,
like
like
two
to
the
two
to
the
minus
one
50
or
something
like
that.
That's
it's
like
it's
practically
zero,
so
so
I'm
not
sure
if
we
still
one
type
of
wrap
in
there
or
not.
E
H
A
G
Okay,
I'll
try
and
keep
this
brief,
so
that
Hendrick
has
time
to
speak
about
the
team.
Here,
it's
more
urgent
briefly.
This
is
a
land
mine
that
we
discovered
in
the
pqc,
the
Sphinx,
the
lithium
Falcon.
We
sort
of
stumbled
with
this
laminate
a
couple
weeks
ago.
I
know
we're
not
the
first
people
to
stumble
and
do
it,
but
you
know
we
decided
to
make
noise
about
it.
G
G
Put
a
few
examples:
every
Network,
which
are
some
similar
example,
latency,
symptoms,
processing,
variable
size
messages,
blah
blah
blah
and
I
put
golang
here
as
an
example
just
to
show
how
certainly
ubiquitous
this
is.
The
ecdsa
interface
in
the
crypto
layer
expects
a
digest
that
digest
is
currently
performed
at
the
x509
or
TLS.
Or
what
have
you
layers
like?
This
is
a
just
sort
of
making
a
point.
This
is
a
very
well
established
pattern.
G
This
pattern
does
not
work
with
the
three
signature
schemes
that
we're
looking
at
Sphinx
style,
lithium
falcon.
It
does
not
work
because
each
of
these
algorithms
internally
begins
with
a
message
digest
step
that
is
prefixed
Within
nonce
and
in
the
case
of
randomized,
sphinx
and
Falcon.
That
knots
prefix
is,
is
a
rat
is
a
completely
random
number
chosen
at
signing
time
in
the
case
of
non-randomized,
sphinx
and
dilithium.
G
G
So
I
just
want
to
put
this
out
for
General
awareness
that
if
we
want
to
support
a
prehashed
mode
in
pkicks,
where
you're,
what
the
the
actual
message
you're
signing
is
short
and
compressed
and
digested,
then
we're
going
to
need
to
Define
that
envelope
format
at
the
pkx
layer
and
we'll
need
to
worry
about
its
security
properties.
Collision
resistance
contains
a
nods
blah
blah
blah.
We'll
need
to
worry
about
all
that
at
the
pkx
layer.
A
B
Church
comment
so
Mike.
Thank
thanks
for
doing
that.
You
know
thanks
for
trying
to
collect
the
data
and
I'm
not
I'm,
not
entirely
convinced
to
be
honest,
that
we,
you
know
that
the
prehash
fails
for
all
of
these
cases.
I
think
we
should
read
it
on
a
per
algorithm
basis
and,
in
my
opinion,
I
think
we
should
collect
all
the
arguments
against
it
because
I'm
not
sure
that
what
we're
hearing
so
far
are
practical
concerns.
B
You
know
there
are
cryptographic
theoretical
concerns
and
there
are
practical
concerns,
so
you
know
maybe
for
Falcon
there
are,
but
I'm
not
sure
there
are
for
Sphinx
and
die
lithium.
So
in
my
opinion
we
should
really
understand
the
counter
arguments
before
we
embark
on
a
trip,
and
thank
you
for
doing
that.
You
know
my
goal
is
to
have
to
try
to
understand
it.
A
little
better
foreign.
A
G
D
I
Okay,
thanks
for
getting
the
chance
to
give
a
brief
update,
just
one
slide:
early
August,
the
authors
of
CMP
updates,
including
Mike,
prepared
the
zero
zero
version
of
the
40
to
10
bits
and
67
12
bits,
which
is
mainly
the
original
RFC
text
and
then
the
zero
one
version
where
the
we
merged.
The
changes
specified
in
CMP
updates
into
the
documents,
and
then
we
did
it
did
a
review
and
provided
some
additional
editorial
changes
sorting
out
some
things.
I
We
came
across
while
reading
and
added
an
action
item
for
appendix
C
to
be
reviewed
more
closely
fixed
some
nits
and
we
came
across
the
topic
whether
this
is
now
a
good
point
in
time
to
also
add
support
for
cam
keys
in
4210
bits
and
yeah.
But
this
is
just
that
we
wanted
to
to
raise
this
issue
and
see
whether
there
is
any
feedback
or
support
for
this
activity.
I
Finally,
it
needs
to
be
added
to
proof
of
possession
as
well
as
message
protection
and
if
cam
algorithms
will
be
supported
in
CMS
envelope
data
in
key
trends,
then
we
have
the
support
already
covered
with
the
change
we
did
in
CMP
updates.
Switching
to
envelope
Depot
data
for
transferring
centrally
generated
keys.
A
I
F
No
I,
don't
that
seems
painful,
more
well
more
pain
than
I
really
want
to
endure.
Oh
yeah,
we'll
we'll
get
to
that
I
mean
my.
My
I
know
that
we've
already
had
some
internal
discussions
amongst
the
authors
about
the
motivations
in
which
way
we
would
do
it
and
I
think
there
were
some
other
people
that
sent
me
a
message
off
list.
That
said,
hey,
if
you
guys
are
going
to
do
this.
F
You
also
going
to
do
this
pop
thing
and
we
noted
that
we
had
this
discussion
and
they
provided
their
input.
So
I'm
sure
it'll
be
a
lively
discussion,
as
we
figure
out
which
one
of
the
ways
to
to
go
but
yeah
definitely
on
the
thing
and
I'm
also
hearing
put
this
higher
up
on
the
priority
list
and
can
do
so.
F
A
E
A
E
A
A
Yep
all
right,
if
that's
it,
we're
going
to
wrap
it
up
here.
Thank
you.
I
think
this
was
a
very
productive
hour
and
we
have
action
items
for
a
couple
document
call
for
adoptions
and
we'll
be
having
that
shortly
and
I
look
forward
to
further
list
discussion
on
the
topics
that
were
raised
by
Mike
all
right
have
a
great
day.
Thank
you.