Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove unmanaged KEM OIDs #522

Merged
merged 5 commits into from
Oct 4, 2024
Merged

Remove unmanaged KEM OIDs #522

merged 5 commits into from
Oct 4, 2024

Conversation

baentsch
Copy link
Member

Fixes #520

@baentsch baentsch requested review from a team, bhess and SWilson4 September 16, 2024 06:53
@dstebila
Copy link
Member

Do we have any idea of who might be using this functionality? For example, the IETC PQC certificate hackathon group? If so, would be good to know if/how this impacts them. @praveksharma have you been in recent contact with them at all? Or perhaps experiment in the NCCoe -- @christianpaquin any insight from NCCoE?

Did you consider removing our hard-coded OIDs but still letting it be enabled at runtime if the relevant environment variable is set? (Without needing to regenerate from generate.yml and rebuild.)

@christianpaquin
Copy link

For example, the IETC PQC certificate hackathon group? If so, would be good to know if/how this impacts them. @praveksharma have you been in recent contact with them at all? Or perhaps experiment in the NCCoe -- @christianpaquin any insight from NCCoE?

The NCCoE follows closely the work of the IETF hackathon, so their feedback would be helpful. Can you give some guidance, @johngray-dev?

@praveksharma
Copy link
Member

Do we have any idea of who might be using this functionality? For example, the IETC PQC certificate hackathon group?

I haven't had recent contact regarding OID mappings but the relevant documentation in the IETF repo does not list any of the OIDs affected by this PR.

@baentsch
Copy link
Member Author

Did you consider removing our hard-coded OIDs but still letting it be enabled at runtime if the relevant environment variable is set? (Without needing to regenerate from generate.yml and rebuild.)

No. I have never received positive nor negative feedback regarding this feature (added originally in support of an IETF hackathon) so consider it safe to drop for unassigned OIDs. Again, if someone wants to test any of the KEMs without OIDs, they should have an idea about the OID -- it's otherwise impossible to test :) -- and this PR is also meant to create an incentive to contribute such ideas to the community.

Also, please note again that this is a completely voluntary effort on my part: I have to be(come) more efficient in how many features/options I keep supporting in my unpaid time. Things are even more acute as I have to now devote (waste) my time to working around (or using their processes to revert) problems created by LinuxFoundation: That org has easily cost (lost) me several hundred work hours this year....

But looking at the code again, it seems I created it such to enable the feature you're asking for @dstebila . It really would be nice if more people were contributing to the project..... I seem to forget more about the code than all other contributors combined added :-/

I haven't had recent contact regarding OID mappings but the relevant documentation in the IETF repo does not list any of the OIDs affected by this PR.

Thanks for that re-confirmation, @praveksharma . Supports my line of thinking.

@SWilson4
Copy link
Member

Did you consider removing our hard-coded OIDs but still letting it be enabled at runtime if the relevant environment variable is set? (Without needing to regenerate from generate.yml and rebuild.)

...

But looking at the code again, it seems I created it such to enable the feature you're asking for @dstebila . It really would be nice if more people were contributing to the project..... I seem to forget more about the code than all other contributors combined added :-/

I confirmed (locally) that the en/decode tests do indeed pass for the NULL-ified KEMs when run with an appropriate environment variable set.

test/oqs_test_endecode.c Outdated Show resolved Hide resolved
test/oqs_test_endecode.c Outdated Show resolved Hide resolved
ALGORITHMS.md Outdated Show resolved Hide resolved
@baentsch baentsch marked this pull request as draft September 23, 2024 10:56
@baentsch
Copy link
Member Author

baentsch commented Sep 23, 2024

Thanks for this catch @ghen2 -- as per the title of the PR this is not the intention given that generate.yml does contain IDs for x25519_mlkem768 . So need to debug what's going wrong here...

Now I have to correct myself: There is a code point but no OID for x25519_mlkem768. So the logic is correct. @ghen2 Can you please confirm what OID you are aware of for that algorithm? Same with your comment on the MLKEM512 hybrids: They do have code points, so should not be NULL. What leads you to think otherwise?

In other words, the PR is OK.

@ghen2
Copy link

ghen2 commented Sep 23, 2024

OIDs denoted with NULL are not maintained and may lead to errors in code execution. [...]

This comment gave the impression that those algorithms would no longer be supported.
But for OID's this only affects X.509 usage?

@baentsch
Copy link
Member Author

This comment gave the impression that those algorithms would no longer be supported.

Ah; no, this never was the intention. Hence there's a "Yes" for all those algs higher up in the list where the code points are listed.

But for OID's this only affects X.509 usage?

Exactly. No OID means no X.509 storage/retrieval. Rest of functionality unaffected. If you'd have a better way to formulate things, by all means please provide suggested wording.

@baentsch baentsch marked this pull request as ready for review September 23, 2024 15:40
@dstebila
Copy link
Member

I confirmed (locally) that the en/decode tests do indeed pass for the NULL-ified KEMs when run with an appropriate environment variable set.

Thanks, Spencer!

SWilson4 added a commit that referenced this pull request Sep 26, 2024
commit c4f6eac
Merge: f0fe7d1 0312c00
Author: Michael Baentsch <57787676+baentsch@users.noreply.github.com>
Date:   Mon Sep 23 17:05:42 2024 +0200

    Merge branch 'main' into mb-disabletempoids

    Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com>

commit f0fe7d1
Author: Michael Baentsch <57787676+baentsch@users.noreply.github.com>
Date:   Mon Sep 23 11:19:08 2024 +0200

    Update test/oqs_test_endecode.c

    Co-authored-by: Spencer Wilson <spencer.wilson@uwaterloo.ca>
    Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com>

commit 3d5b68e
Author: Michael Baentsch <57787676+baentsch@users.noreply.github.com>
Date:   Mon Sep 23 11:18:58 2024 +0200

    Update test/oqs_test_endecode.c

    Co-authored-by: Spencer Wilson <spencer.wilson@uwaterloo.ca>
    Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com>

commit e94338d
Author: Michael Baentsch <57787676+baentsch@users.noreply.github.com>
Date:   Sun Sep 15 18:19:33 2024 +0200

    disable tests on no-OID KEMs

    Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com>

commit a60f6b7
Author: Michael Baentsch <57787676+baentsch@users.noreply.github.com>
Date:   Sun Sep 15 17:31:57 2024 +0200

    disable tmp OID generation

    Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com>
baentsch and others added 4 commits October 2, 2024 15:06
Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com>
Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com>
Co-authored-by: Spencer Wilson <spencer.wilson@uwaterloo.ca>
Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com>
Co-authored-by: Spencer Wilson <spencer.wilson@uwaterloo.ca>
Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com>
@baentsch baentsch force-pushed the mb-disabletempoids branch from c4f6eac to f958b29 Compare October 2, 2024 13:09
@baentsch
Copy link
Member Author

baentsch commented Oct 2, 2024

Rebase necessary because #524; I'm not entirely sure I did catch everything right, so could someone please (re-)review as and when CI passes?

@baentsch baentsch requested a review from dstebila October 2, 2024 13:15
@praveksharma praveksharma requested a review from SWilson4 October 2, 2024 19:19
@SWilson4
Copy link
Member

SWilson4 commented Oct 2, 2024

Rebase necessary because #524; I'm not entirely sure I did catch everything right, so could someone please (re-)review as and when CI passes?

Looks like the rebase went OK to me. Please do let me know regarding #522 (comment). After that's resolved it's ready to go from my perspective.

@baentsch
Copy link
Member Author

baentsch commented Oct 3, 2024

Rebase necessary because #524; I'm not entirely sure I did catch everything right, so could someone please (re-)review as and when CI passes?

Looks like the rebase went OK to me. Please do let me know regarding #522 (comment). After that's resolved it's ready to go from my perspective.

I'm not sure what I should be doing there: I agreed to that right after you asked. Or are you seeing something else? Maybe the "Pending" marker says this didn't get posted?

grafik

@SWilson4
Copy link
Member

SWilson4 commented Oct 3, 2024

I'm not sure what I should be doing there: I agreed to that right after you asked. Or are you seeing something else? Maybe the "Pending" marker says this didn't get posted?

grafik

"Pending" comments (created as part of a code review) are queued in a batch to be published when the "submit review" (or something similar) is pressed. Until then they're not public.

Signed-off-by: Spencer Wilson <spencer.wilson@uwaterloo.ca>
@baentsch
Copy link
Member Author

baentsch commented Oct 3, 2024

@ghen2 I just marked an open discussion resolved such as to move this PR forward and as per the discussion here taking your Thumbs up as agreement to close this issue. Please comment soon if you do not agree as we'll otherwise merge this tomorrow.

@ghen2
Copy link

ghen2 commented Oct 3, 2024

Thanks @baentsch, I couldn't mark it resolved myself, or I would have.

@baentsch baentsch merged commit 3cdbfed into main Oct 4, 2024
58 checks passed
@baentsch baentsch deleted the mb-disabletempoids branch October 4, 2024 09:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Mismatched hybrid default OIDs
6 participants