On Sun, Nov 03, 2024 at 05:37:34AM +0530, tirumal reddy wrote:
>
> The draft https://datatracker.ietf.org/doc/draft-tls-reddy-composite-mldsa/
> specifies how ML-DSA in combination with traditional algorithms can be used
> for authentication in TLS 1.3.
>
Important details, such as how signatures are encoded, seem to be missing.

And I think this is very premature. As far as I can tell, there are major unaddressed issues with hybrid signatures. Those issues need to be settled first before adding any codepoints.

Having multiple variants of the same hybrid signature is not acceptable due to severe security risks from overloading crypto library authors.

Furthermore, the encodings used by draft-ietf-lamps-pq-composite-sigs add additional security risks. Modern crypto design uses byte string I/O for safety.

Currently, only bare ML-DSA and SLH-DSA are usable for post-quantum signature authentication. Seems that the only question that does not have an obvious answer is the context to use.

-Ilari