LAMPS

Summary

The LAMPS (Limited Additional Mechanisms for PKIX and SMIME) Working Group met at IETF 125 to review the status of active documents, discuss new proposals for adoption, and coordinate cross-working group efforts regarding remote attestation and post-quantum cryptography. Key highlights included the successful adoption of the "One Signature Certificates" draft, updates on composite ML-KEM for CMS and X.509, and a decision regarding the venue for attestation-related EKU definitions.

Key Discussion Points

1. Document Status and Chair Introduction

Presenter: Russ Housley Slides: Chair Introduction

The chairs noted that several documents have recently moved to the RFC Editor's queue or have been published, including the CRL key usage validation and MAC address EKU drafts.
The composite signature documents are currently with the IESG.

2. Certificate Discovery

Presenter: Corey Bonnell Draft: draft-ietf-lamps-certdiscovery Slides: draft-ietf-lamps-certdiscovery

Updates: David Hook was added as a co-author. The term "purpose" was changed to "intent" to avoid confusion with existing PKI terminology.
Hackathon Results: John Gray and Corey Bonnell reported successful interoperability testing between two independent implementations during the hackathon.
Discussion: Falco raised questions regarding the agility aspects of the extension in synchronous protocols. Corey Bonnell clarified that the primary use case is discovering alternative certificates (e.g., an ML-DSA key when only an RSA key is known) for future operations.

3. Composite ML-KEM (X.509 and CMS)

Presenter: Daniel Van Geest Drafts: draft-ietf-lamps-pq-composite-kem and draft-ietf-lamps-cms-composite-kem Slides: pq-composite-kem AND cms-composite-kem

X.509 Status: The draft is stable. Authors are updating the reference to the recently published security proof paper before submitting it to the IESG.
CMS Discussion: The draft proposes HKDF with SHA-256 and AES-256-WRAP for interoperability. Victor objected to "strict security level alignment" (locking specific AES sizes to specific KEM sizes), arguing it reduces robustness and interoperability. Scott Fluhrer argued for simplicity, suggesting a single strong cipher (AES-256) is sufficient for all variants.
Decision: Daniel Van Geest will update the draft to clarify that while certain algorithms are required for interoperability, others are permitted, and will remove the prescriptive rationale for level-matching.

4. Best Practices for Signed Attributes in CMS

Presenter: Daniel Van Geest Draft: draft-ietf-lamps-cms-euf-cma-signeddata Slides: Best Practices for Signed Attributes in CMS SignedData

Updates: Added a new mime-data content type. Recommendations now advise against using id-data for new CMS applications.
Security Considerations: Falco contributed text regarding collision resistance and the independence of modern signature schemes.
Discussion: Victor suggested adding guidance to ensure the message digest in signed attributes matches the digest used in the signature algorithm (specifically for RSA). Victor committed to providing text for this.

5. Attestation Key EKU

Presenter: JP Slides: Attestation Key EKU

Proposal: A new EKU for attestation keys to replace or supplement existing TPM/DICE EKUs.
Discussion: Mike Ounsworth expressed concern that the draft was too specific to the RATS (Remote ATtestation ProcedureS) architecture. Mike StJohns and Richard argued that since the EKU is specific to a RATS data format, it should be defined within the RATS Working Group rather than LAMPS.
Decision: The group reached a consensus that the EKU definition should move to the RATS Working Group. The authors will coordinate with the LAMPS designated experts to obtain OIDs in the appropriate arc.

6. One Signature Certificates

Presenter: Russ Housley (on behalf of Stefan Santesson) Draft: Not yet on IETF list (Adoption call concluded) Slides: One Signature Certificates

Context: Certificates intended for a single signature use, where the private key is destroyed immediately after use.
Discussion: A debate occurred regarding the use of the "Private Key Usage Period" extension. Sean Turner and Russ Housley agreed that resurrecting this deprecated extension might cause confusion. Victor and Corey Bonnell discussed whether the certificate should have a long validity (9999) or match the CA's expiry; the group leaned toward the "evergreen" approach.
Decision: The adoption call was successful. The draft will proceed as a LAMPS working group item.

7. FrodoKEM in PKI and CMS

Presenters: Valery Smyslov and Meiling Slides: Algorithm Identifiers for FrodoKEM and FrodoKEM-in-CMS

Technical Issue: Discussion on whether to include "eFrodo" variants. Scott Fluhrer advised dropping eFrodo due to multi-target attack vulnerabilities and negligible performance benefits over standard FrodoKEM.
Procedural Issue: Russ Housley noted a charter constraint: LAMPS can only adopt PQ algorithms approved by NIST or vetted by the CFRG. The FrodoKEM document in CFRG is currently stalled.
Decision: These documents are on hold until the CFRG FrodoKEM specification makes progress.

Decisions and Action Items

Adoption: draft-santesson-one-sig-cert (now a WG item) was adopted.
Transfer: The Attestation Key EKU work will be moved to the RATS WG.
Reference Update: Authors of draft-ietf-lamps-pq-composite-kem to update the security proof reference for submission to the IESG.
Action Item: Victor to provide text for draft-ietf-lamps-cms-euf-cma-signeddata regarding digest matching for RSA.
Action Item: Mike Ounsworth to provide an update/slides for draft-ietf-lamps-csr-attestation following the design team's recent churn.

Next Steps

Start Working Group Last Call (WGLC) for draft-ietf-lamps-cms-composite-kem once the algorithm alignment text is clarified.
Start WGLC for draft-ietf-lamps-cms-euf-cma-signeddata following the next update.
Monitor CFRG progress on FrodoKEM before proceeding with LAMPS FrodoKEM drafts.

Automatic IETF Minutes