On Thu, Oct 24, 2024 at 03:51:50PM +0000, Tim Hollebeek wrote:
> My personal feelings on pure vs composite are actually the union of several 
> previous comments:
> 
> 1. Like EKR, I actually have a weak preference for composite, all other 
>     things being equal. Failures happen and I like backup mechanisms
>     when they are relatively affordable and can be afforded.

Unfortunately, the mechanism to combine the two signatures can also
fail, and its failure can end up totally undermining security.
So it is not just pure backup.


> 2. That said, I don't think composite should be forced on people. There are 
>     valid use cases where I would recommend NOT using it, and I'm hearing 
>     demand for both pure and composite. Like Scott said, I think we'll end 
>     up standardizing both.

I would imagine NSA IA would not be happy about hybrid signatures. One
of their main arguments against hybrids has been complexity, and hybrid
signatures seem to bring that in spades, much more than hybrid KEM.


> 3. Composite is slightly more complicated, though not as complicated as its 
>     detractors claim. However, since composite signatures are not 
>     standardized yet, I think they shouldn't be dragged into the 'pure' 
>     discussion. They can have their own draft and thread, like Diedre noted.

I don't agree with composite signatures being slightly more complicated.
I think that composite signatures are much more complicated, and that I
am underestimating the complexity.

For hybrid KEMs, I think slightly more complicated would be fair, as
long as one keeps away from more complex stuff.


> I strongly oppose the "we have some time" sentiment, though. There are
> ecosystems that are slow to transition due to long approval timelines and
> the desire to do rigorous analysis and discussion, and some of them are
> starting to make transition plans now. The lack of IETF guidance on some of
> these topics is starting to be a blocker now that NIST algorithm
> specifications are complete.
> 
> In the absence of standards, they will just do their own thing, and we'll end
> up with lots of unnecessary diversity and "interesting" design choices.

I think that the only quantum-safe signatures that are currently
ready-to-go are ML-DSA and SLH-DSA. These have already seen rigorous
analysis.

AFAIK, hybrid signatures have not seen rigorous analysis, and that
should predate IETF guidance.


And thinking about the decade+ WebPKI SHA-1 to SHA-2 transition, I do
not think the main factor was long approval timelines, need to do
rigorous analysis, or need for rigorous discussion.

-Ilari

_______________________________________________
TLS mailing list -- tls@ietf.org