Draft Minutes SSTC Call - November 15, 2022

[Hal Lockhart <harold.w.lochhart@gmail.com>]

Proposed Minutes SSTC Conference Call

Date: Tuesday 15 December 2022, at 12 noon EST

Conference Dial-in Number: (605) 475-4700.
Participant Access Code: 176720#


1. Roll Call & Agenda Review.

Attendees

Internet2	Scott Cantor
M.I.T.	Thomas Hardjono
Individual	Hal Lockhart

Quorum was achieved.

2. Need a volunteer to take minutes.

Hal took minutes

3. Discussion of future work items

This was the first (and presumably only) quorate meeting of the SSTC in 2022. At the current time the TC has no active work items, 
nor do we expect new work items to be proposed in the near future. In spite of this, we propose to keep the TC open for business for 
the present time. The reason for this is that there are two different sets of external events which may force technical changes to 
current SAML implementations which the TC is in the best position to design and document. Both sets of changes are currently 
uncertain both in the details of the changes required and the timeframe in which they will be required. In spite of this uncertainty,
in either case, it is likely that there will be a relatively short time period (e.g. one year) to design, document and approve the 
changes, get them into the hands of user organizations and for them to implement and deploy updated versions.

The two sets of challenging changes are 1) changes to existing web browsers which will break current SAML-based federations and 2) the 
development of quantum computers powerful enough to break the most widely used types of Public Key encryption, which will force changes 
to virtually all  software which uses these algorithms. The following is a summary overview about what is known about these issues.

The SSTC has been aware for some time that some web browser developers have advocated for changing or eliminating current features which enable 
a browser to act as a client in a SAML Federation. The objective is to eliminate some security weaknesses. The politics of this is that OpenID 
identity federations are more numerous, but usually simpler in architecture, configuration and features than SAML Federsations. For example, 
OpenID federations usually have a single Idp, whereas many SAML federations include multiple Idp's. For that reason, browser developers 
tend to think only of the features necessary to support OpenID. 

One change that would make life difficult for SAML would be to require an additional software component running in the browser to perform the 
federation protocol handshake, whereas today it can be done using only the redirects built into HTML and the browser code. In addition to 
developing the necessary new functionality, it would be necessary to determine how this software component would be implemented and 
distributed. Further, this work cannot even begin today, since we have no idea what the interface signature will look like or if this 
change will even happen.

Currently a number of research laboratories are working to build a practical quantum computer. A quantum computer is constructed using 
quantum bits, called Qbits for short, which embody the kinds of quantum properties, like entanglement, decoherence and superposition, which 
quantum particles have. Because of these special properties, quantum computers are expected to be able to solve problems that would currently 
take an impractical amount of time to solve on classical computers. In 1999, Peter Shor published an algorithm which can factor or take 
discrete logarithms of large integers in polynomial time (as a function of key length). This would break the RSA, Diffie-Hellman and 
Diffie-Hellman over elliptic curves algorithms. These are the most widely used algorithms for key distribution and authentication on the Internet 
today.

The most obvious way to strengthen these existing algorithms would be to increase key sizes, but this is unattractive for several reasons.  
Basically, once a practical quantum computer has been built, the marginal cost of routine computations using larger keys will be greater than 
the marginal cost to build a quantum computer powerful enough to break the larger keys. It will also be difficult to determine at any given 
time how long the keys would need to be. Therefore, the preferred approach would be to use post-quantum algorithms, which use a different kind 
of one way calculation, which is believed to be secure against quantum attacks, but can be executed on a classical computer. A number of such 
algorithms have been invented. Some have been around for decades. They are not currently being used in production because a) they are even 
more computationally expensive than current Public Key algorithms and b) they have not been vetted and standardized by NIST. (NIST announced 
a multi-year program to do that in 2016. The work continues, but a number of finalists have been named.)

One important concept is the idea of combining classical and post-quantum algorithms in such a way that an attacker would have to defeat both 
in order to gain access. This would promote algorithm agility by allowing the post-quantum algorithm to be nulled out initially, thus incurring 
only the computational cost of the classical algorithm. Then when quantum computers of sufficiant power exist, the post-quantum algorithm could 
be turned on. Perhaps ultimately the classical algorithm could be nulled out. This makes sense, but it makes it more difficult to know what the 
interface to such algorithms will look like.

The date when post-quantum algorithms will be required is still unknown. Less than a decade ago, expert opinion was that it would take more than 
10 years and might prove to be impossible. Now the Cloud Security Alliance predicts it will happen in less than 7.5 years from today. IBM has 
published a product roadmap which includes a machine with 4000+ Qbits available by 2025.

Even if the post-quantum work in SAML is not needed, it is likely that the browser-required changes will be needed, so we need to keep the TC going 
regardless and continue to track and plan for both types of changes.

4. Adjourn