x509 hybrid format support coming?

[abord-th]

In order to use PKI vendor to generate x509 certificate, and in order to not only rely on OQS lib for that, when Open SSL provider will support hybrid certificate format (https://pkic.org/pqccm/ ) ?

[baentsch]

Thanks for the statement of interest in this feature. This may be added by the community as the interest for this intensifies.

in order to not only rely on OQS lib for that,

This statement in your question lets me wonder whether you are aware of someone having implemented hybrid certs using liboqs in some other software? Maybe such software team may be interested to contribute this to the project? A PR would certainly be welcome.

[danvangeest]

The hybrid certificate that you're referring to requires modifications at the x509 certificate generation/parsing level. You need a modified OpenSSL, not an OpenSSL provider with special support. The provider just provides the algorithms used in the hybrid certificate but is not aware of of the certificate format. The hybridization refered to by the "hybrid certificate" is not a hybridization of algorithms, each algorithm is used independently, which is why the provider doesn't need to be updated.

[baentsch]

Thanks for that deeper assessment @danvangeest . I do recall some X509 "twisting" when fully enabling X509 support -- your take is then that things like these (dangerous as they are) cannot be extended to support hybrid certs? If not, are you aware of OpenSSL looking into this (unlikely as it doesn't seem to be a finalized standard)?

[danvangeest]

@baentsch, that's right, they can't be extended for hybrid certs. The hybrid cert uses a SubjectPublicKeyInfo in an x509 extension. So as long as the provider can already encode/decode to an SPKI it doesn't need any changes. I'm not aware of OpenSSL looking into this, I work on a (private) fork which implements it. Those alternative extensions from the draft are already defined in ITU-T X.509-2009, so they are standardized in certificates and CRLs at least, though not CSRs and other x509-adjacent standards.

[abord-th]

THALES GROUP LIMITED DISTRIBUTION to email recipients OK, got it, thxs. Then, in order to keep a given PKI vendor that is not implementing composite certificate, would it be possible to keep a classic certificate (no PQC ; current x509 format), and have PQC implemented/provided, only for key exchange (ML_KEM+ECC)? We would be protected against 'harvest now, decrypt later' (confidentiality) threat, which is in most of the case the main current threat (vs authentication threat) From: Daniel Van Geest ***@***.***> Sent: lundi 26 août 2024 13:16 To: open-quantum-safe/oqs-provider ***@***.***> Cc: BORD Anthony ***@***.***>; Author ***@***.***> Subject: Re: [open-quantum-safe/oqs-provider] x509 hybrid format support coming? (Discussion #501) The hybrid certificate that you're referring to requires modifications at the x509 certificate generation/parsing level. You need a modified OpenSSL, not an OpenSSL provider with special support. The provider just provides the algorithms used in the hybrid certificate but is not aware of of the certificate format. The hybridization refered to by the "hybrid certificate" is not a hybridization of algorithms, each algorithm is used independently, which is why the provider doesn't need to be updated. - Reply to this email directly, view it on GitHub<#501 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/BKZD6UMJDE3UWWGNFAVOR63ZTMFARAVCNFSM6AAAAABNDSBKMGVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTANBVGA2TQMY>. You are receiving this because you authored the thread.Message ID: ***@***.******@***.***>>

[baentsch]

Then, in order to keep a given PKI vendor that is not implementing composite certificate, would it be possible to keep a classic certificate (no PQC ; current x509 format), and have PQC implemented/provided, only for key exchange (ML_KEM+ECC)?

Yes. In addition it should be possible to use a pure PQC cert (ML-DSA, say) without breaking X509 (structural) compatibility. KEMs (plain PQ, plain classic or hybrid) are a completely orthogonal/independent concept, code and data structure within the provider.

[baentsch]

OK to close @abord-th ?