-
Notifications
You must be signed in to change notification settings - Fork 101
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Remove unmanaged KEM OIDs #522
Conversation
Do we have any idea of who might be using this functionality? For example, the IETC PQC certificate hackathon group? If so, would be good to know if/how this impacts them. @praveksharma have you been in recent contact with them at all? Or perhaps experiment in the NCCoe -- @christianpaquin any insight from NCCoE? Did you consider removing our hard-coded OIDs but still letting it be enabled at runtime if the relevant environment variable is set? (Without needing to regenerate from generate.yml and rebuild.) |
The NCCoE follows closely the work of the IETF hackathon, so their feedback would be helpful. Can you give some guidance, @johngray-dev? |
I haven't had recent contact regarding OID mappings but the relevant documentation in the IETF repo does not list any of the OIDs affected by this PR. |
No. I have never received positive nor negative feedback regarding this feature (added originally in support of an IETF hackathon) so consider it safe to drop for unassigned OIDs. Again, if someone wants to test any of the KEMs without OIDs, they should have an idea about the OID -- it's otherwise impossible to test :) -- and this PR is also meant to create an incentive to contribute such ideas to the community. Also, please note again that this is a completely voluntary effort on my part: I have to be(come) more efficient in how many features/options I keep supporting in my unpaid time. Things are even more acute as I have to now devote (waste) my time to working around (or using their processes to revert) problems created by LinuxFoundation: That org has easily cost (lost) me several hundred work hours this year.... But looking at the code again, it seems I created it such to enable the feature you're asking for @dstebila . It really would be nice if more people were contributing to the project..... I seem to forget more about the code than all other contributors combined added :-/
Thanks for that re-confirmation, @praveksharma . Supports my line of thinking. |
I confirmed (locally) that the en/decode tests do indeed pass for the NULL-ified KEMs when run with an appropriate environment variable set. |
Now I have to correct myself: There is a code point but no OID for x25519_mlkem768. So the logic is correct. @ghen2 Can you please confirm what OID you are aware of for that algorithm? Same with your comment on the MLKEM512 hybrids: They do have code points, so should not be NULL. What leads you to think otherwise? In other words, the PR is OK. |
This comment gave the impression that those algorithms would no longer be supported. |
Ah; no, this never was the intention. Hence there's a "Yes" for all those algs higher up in the list where the code points are listed.
Exactly. No OID means no X.509 storage/retrieval. Rest of functionality unaffected. If you'd have a better way to formulate things, by all means please provide suggested wording. |
Thanks, Spencer! |
commit c4f6eac Merge: f0fe7d1 0312c00 Author: Michael Baentsch <57787676+baentsch@users.noreply.github.com> Date: Mon Sep 23 17:05:42 2024 +0200 Merge branch 'main' into mb-disabletempoids Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com> commit f0fe7d1 Author: Michael Baentsch <57787676+baentsch@users.noreply.github.com> Date: Mon Sep 23 11:19:08 2024 +0200 Update test/oqs_test_endecode.c Co-authored-by: Spencer Wilson <spencer.wilson@uwaterloo.ca> Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com> commit 3d5b68e Author: Michael Baentsch <57787676+baentsch@users.noreply.github.com> Date: Mon Sep 23 11:18:58 2024 +0200 Update test/oqs_test_endecode.c Co-authored-by: Spencer Wilson <spencer.wilson@uwaterloo.ca> Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com> commit e94338d Author: Michael Baentsch <57787676+baentsch@users.noreply.github.com> Date: Sun Sep 15 18:19:33 2024 +0200 disable tests on no-OID KEMs Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com> commit a60f6b7 Author: Michael Baentsch <57787676+baentsch@users.noreply.github.com> Date: Sun Sep 15 17:31:57 2024 +0200 disable tmp OID generation Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com>
Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com>
Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com>
Co-authored-by: Spencer Wilson <spencer.wilson@uwaterloo.ca> Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com>
Co-authored-by: Spencer Wilson <spencer.wilson@uwaterloo.ca> Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com>
c4f6eac
to
f958b29
Compare
Rebase necessary because #524; I'm not entirely sure I did catch everything right, so could someone please (re-)review as and when CI passes? |
Looks like the rebase went OK to me. Please do let me know regarding #522 (comment). After that's resolved it's ready to go from my perspective. |
I'm not sure what I should be doing there: I agreed to that right after you asked. Or are you seeing something else? Maybe the "Pending" marker says this didn't get posted? |
"Pending" comments (created as part of a code review) are queued in a batch to be published when the "submit review" (or something similar) is pressed. Until then they're not public. |
Signed-off-by: Spencer Wilson <spencer.wilson@uwaterloo.ca>
@ghen2 I just marked an open discussion resolved such as to move this PR forward and as per the discussion here taking your Thumbs up as agreement to close this issue. Please comment soon if you do not agree as we'll otherwise merge this tomorrow. |
Thanks @baentsch, I couldn't mark it resolved myself, or I would have. |
Fixes #520