>
> Unfortunately, the mechanism to combine the two signatures can also
> fail, and its failure can end up totally undermining security.
> So it is not just pure backup.


Yes.


> I don't agree with composite signatures being slightly more complicated.
> I think that composite signatures are much more complicated, and that I
> am underestimating the complexity.


Definitely agree.


On Thu, Oct 24, 2024 at 1:04 PM Ilari Liusvaara <ilariliusva...@welho.com>
wrote:

> On Thu, Oct 24, 2024 at 03:51:50PM +0000, Tim Hollebeek wrote:
> > My personal feelings on pure vs composite are actually the union of several
> > previous comments:
> >
> > 1. Like EKR, I actually have a weak preference for composite, all other
> >     things being equal. Failures happen and I like backup mechanisms
> >     when they are relatively affordable and can be afforded.
>
> Unfortunately, the mechanism to combine the two signatures can also
> fail, and its failure can end up totally undermining security.
> So it is not just pure backup.
>
>
> > 2. That said, I don't think composite should be forced on people. There are
> >     valid use cases where I would recommend NOT using it, and I'm hearing
> >     demand for both pure and composite. Like Scott said, I think we'll end
> >     up standardizing both.
>
> I would imagine NSA IA would not be happy about hybrid signatures. One
> of their main arguments against hybrids has been complexity, and hybrid
> signatures seem to bring that in spades, much more than hybrid KEM.
>
>
> > 3. Composite is slightly more complicated, though not as complicated as its
> >     detractors claim. However, since composite signatures are not standardized
> >     yet, I think they shouldn't be dragged into the 'pure' discussion. They can have
> >     their own draft and thread, like Deirdre noted.
>
> I don't agree with composite signatures being slightly more complicated.
> I think that composite signatures are much more complicated, and that I
> am underestimating the complexity.
>
> For hybrid KEMs, I think slightly more complicated would be fair, as
> long as one keeps away from more complex stuff.
>
>
> > I strongly oppose the "we have some time" sentiment, though. There are
> > ecosystems that are slow to transition due to long approval timelines and
> > the desire to do rigorous analysis and discussion, and some of them are starting
> > to make transition plans now. The lack of IETF guidance on some of these topics
> > is starting to be a blocker now that NIST algorithm specifications are complete.
> >
> > In the absence of standards, they will just do their own thing, and we'll end up
> > with lots of unnecessary diversity and "interesting" design choices.
>
> I think that the only quantum-safe signatures that are currently
> ready-to-go are ML-DSA and SLH-DSA. These have already seen rigorous
> analysis.
>
> AFAIK, hybrid signatures have not seen rigorous analysis, and that
> should predate IETF guidance.
>
>
> And thinking about the decade+ WebPKI SHA-1 to SHA-2 transition, I do
> not think the main factor was long approval timelines, need to do
> rigorous analysis, or need for rigorous discussion.
>
>
>
>
> -Ilari
>
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-le...@ietf.org
>