> Unfortunately, the mechanism to combine the two signatures can also
> fail, and its failure can end up totally undermining security.
> So it is not just pure backup.

Yes.

> I don't agree with composite signatures being slightly more complicated.
> I think that composite signatures are much more complicated, and that I
> am underestimating the complexity.

Definitely agree.

On Thu, Oct 24, 2024 at 1:04 PM Ilari Liusvaara <ilariliusva...@welho.com> wrote:

> On Thu, Oct 24, 2024 at 03:51:50PM +0000, Tim Hollebeek wrote:
> > My personal feelings on pure vs composite are actually the union of several
> > previous comments:
> >
> > 1. Like EKR, I actually have a weak preference for composite, all other
> >    things being equal. Failures happen and I like backup mechanisms
> >    when they are relatively affordable and can be afforded.
>
> Unfortunately, the mechanism to combine the two signatures can also
> fail, and its failure can end up totally undermining security.
> So it is not just pure backup.
>
> > 2. That said, I don't think composite should be forced on people. There are
> >    valid use cases where I would recommend NOT using it, and I'm hearing
> >    demand for both pure and composite. Like Scott said, I think we'll end
> >    up standardizing both.
>
> I would imagine NSA IA would not be happy about hybrid signatures. One
> of their main arguments against hybrids has been complexity, and hybrid
> signatures seem to bring that in spades, much more than hybrid KEM.
>
> > 3. Composite is slightly more complicated, though not as complicated as its
> >    detractors claim. However, since composite signatures are not standardized
> >    yet, I think they shouldn't be dragged into the 'pure' discussion. They can have
> >    their own draft and thread, like Diedre noted.
>
> I don't agree with composite signatures being slightly more complicated.
> I think that composite signatures are much more complicated, and that I
> am underestimating the complexity.
>
> For hybrid KEMs, I think slightly more complicated would be fair, as
> long as one keeps away from more complex stuff.
>
> > I strongly oppose the "we have some time" sentiment, though. There are
> > ecosystems that are slow to transition due to long approval timelines and
> > the desire to do rigorous analysis and discussion, and some of them are starting
> > to make transition plans now. The lack of IETF guidance on some of these topics
> > is starting to be a blocker now that NIST algorithm specifications are complete.
> >
> > In the absence of standards, they will just do their own thing, and we'll end up
> > with lots of unnecessary diversity and "interesting" design choices.
>
> I think that the only quantum-safe signatures that are currently
> ready-to-go are ML-DSA and SLH-DSA. These have already seen rigorous
> analysis.
>
> AFAIK, hybrid signatures have not seen rigorous analysis, and that
> should predate IETF guidance.
>
> And thinking about the decade+ WebPKI SHA-1 to SHA-2 transition, I do
> not think the main factor was long approval timelines, need to do
> rigorous analysis, or need for rigorous discussion.
>
> -Ilari
>
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-le...@ietf.org