search

openpgp-pqc / draft-openpgp-pqc

Repository of the WIP draft-ietf-openpgp-pqc
Other
8 stars 2 forks source link

Cross-protocol domain separation for signatures #137

Closed falko-strenzke closed 1 week ago

falko-strenzke commented 2 months ago

This goes back to a suggestion by Mike Ownsworth:

Since it cannot be excluded that a user uses his keys across multiple protocols, we should introduce domain separation for signatures. This can be achieved by setting the ctx parameter of ML-DSA or SLH-DSA to a protocol-specifc value like "OpenPGP signature".

The problem will most likely be the lack of support to set the context parameter in the API of crypto libraries.

TJ-91 commented 2 months ago

I'm in favor of this if this ends up being exposed by crypto APIs.

I've even searched for "openpgp import x509 key" and found some explanations how you can manually convert your x.509 key to an OpenPGP key with openssl and gpg so it doesn't seem like an entirely theoretical concern.

falko-strenzke commented 2 months ago

It's especially not theoretic concern if people reuse their keys on a hardware token.

br-hale commented 2 months ago

Including domain separation through a label such as 'OpenPGP signature' would be very useful. This does not make such a combiner specific to the OpenPGP WG though - I would like to see a generic combiner through CRFG that can use such labels as 'OpenPGP signature' and potentially others as needed, vs several slightly different drafts for parallel combiners across WGs.

falko-strenzke commented 1 month ago

Including domain separation through a label such as 'OpenPGP signature' would be very useful. This does not make such a combiner specific to the OpenPGP WG though - I would like to see a generic combiner through CRFG that can use such labels as 'OpenPGP signature' and potentially others as needed, vs several slightly different drafts for parallel combiners across WGs.

I am not sure what you are referring to here as the "combiner". We essentially just concatenate two signatures. Accordingly, I don't see a construction which could potentially be aligned with other WGs.

br-hale commented 1 month ago

Please read https://datatracker.ietf.org/doc/draft-ietf-pquip-pqt-hybrid-terminology/ for combiner definition.

wussler commented 1 week ago

We decided to tackle this in #147 by adding some guidance, since other protocols seem not to have implemented any domain separation