On Sun, 3 Nov 2024 at 14:12, Ilari Liusvaara <ilariliusva...@welho.com> wrote:

> On Sun, Nov 03, 2024 at 05:37:34AM +0530, tirumal reddy wrote:
> >
> > The draft
> > https://datatracker.ietf.org/doc/draft-tls-reddy-composite-mldsa/
> > specifies how ML-DSA in combination with traditional algorithms can be
> > used for authentication in TLS 1.3.
> >
> > Important details, such as how signatures are encoded, seem to be
> > missing.
>
> And I think this is very premature. As far as I can tell, there are
> major unaddressed issues with hybrid signatures. Those issues need to
> be settled first before adding any codepoints.
>
> Having multiple variants of the same hybrid signature is not acceptable
> due to severe security risks from overloading crypto library authors.
>
> Furthermore, the encodings used by draft-ietf-lamps-pq-composite-sigs
> add additional security risks. Modern crypto design uses byte string
> I/O for safety.

This issue is being discussed in the LAMPS WG; the composite signature API
should avoid using protocol-specific encoding.

-Tiru

> Currently, only bare ML-DSA and SLH-DSA are usable for post-quantum
> signature authentication. Seems that the only question that does not
> have an obvious answer is the context to use.
>
>
> -Ilari
>
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-le...@ietf.org
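The thread above argues two design points without showing code: a composite signature API should take and return opaque byte strings rather than a protocol-specific encoding, and the signed input needs a context to bind the signature to its use. The following Go program is an added illustration of such an API and is not code from the thread, the draft, or any library. It is hypothetical in two ways: Ed25519 stands in for the ML-DSA component and ECDSA P-256 for the traditional one (Go's standard library has no ML-DSA), and the length-prefixed composite layout and the "composite-example-v1" label are this example's own choices, not the encoding of draft-ietf-lamps-pq-composite-sigs.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// compositeKey bundles the two component keys. Ed25519 is a stand-in for the
// post-quantum component and ECDSA P-256 for the traditional one (hypothetical).
type compositeKey struct {
	pqPriv ed25519.PrivateKey
	pqPub  ed25519.PublicKey
	trPriv *ecdsa.PrivateKey
	trPub  *ecdsa.PublicKey
}

func generateComposite() (*compositeKey, error) {
	pqPub, pqPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	trPriv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &compositeKey{pqPriv: pqPriv, pqPub: pqPub, trPriv: trPriv, trPub: &trPriv.PublicKey}, nil
}

// writeLP appends a 2-byte big-endian length followed by the bytes themselves.
func writeLP(buf *bytes.Buffer, b []byte) {
	var l [2]byte
	binary.BigEndian.PutUint16(l[:], uint16(len(b)))
	buf.Write(l[:])
	buf.Write(b)
}

// readLP parses one length-prefixed field and returns it with the remainder.
func readLP(b []byte) ([]byte, []byte, error) {
	if len(b) < 2 {
		return nil, nil, errors.New("short length prefix")
	}
	n := int(binary.BigEndian.Uint16(b))
	if len(b)-2 < n {
		return nil, nil, errors.New("truncated field")
	}
	return b[2 : 2+n], b[2+n:], nil
}

// toBeSigned is the one input both components sign: a fixed label (example's
// own), the caller's context string and the message, each length-prefixed so
// that context and message bytes cannot be shifted into one another.
func toBeSigned(ctx, msg []byte) []byte {
	var buf bytes.Buffer
	buf.WriteString("composite-example-v1")
	writeLP(&buf, ctx)
	writeLP(&buf, msg)
	return buf.Bytes()
}

// Sign takes bytes in and returns one opaque byte string: the PQ stand-in
// signature followed by the traditional signature, both length-prefixed.
func Sign(k *compositeKey, ctx, msg []byte) ([]byte, error) {
	tbs := toBeSigned(ctx, msg)
	pqSig := ed25519.Sign(k.pqPriv, tbs)
	h := sha256.Sum256(tbs)
	trSig, err := ecdsa.SignASN1(rand.Reader, k.trPriv, h[:])
	if err != nil {
		return nil, err
	}
	var out bytes.Buffer
	writeLP(&out, pqSig)
	writeLP(&out, trSig)
	return out.Bytes(), nil
}

// Verify parses strictly (no trailing bytes) and accepts only when both
// components verify over the same context-bound input.
func Verify(k *compositeKey, ctx, msg, sig []byte) error {
	pqSig, rest, err := readLP(sig)
	if err != nil {
		return err
	}
	trSig, rest, err := readLP(rest)
	if err != nil {
		return err
	}
	if len(rest) != 0 {
		return errors.New("trailing bytes after composite signature")
	}
	tbs := toBeSigned(ctx, msg)
	if !ed25519.Verify(k.pqPub, tbs, pqSig) {
		return errors.New("post-quantum component failed")
	}
	h := sha256.Sum256(tbs)
	if !ecdsa.VerifyASN1(k.trPub, h[:], trSig) {
		return errors.New("traditional component failed")
	}
	return nil
}

func main() {
	k, _ := generateComposite()
	sig, _ := Sign(k, []byte("tls-example-ctx"), []byte("constructed message"))
	fmt.Println("same context:", Verify(k, []byte("tls-example-ctx"), []byte("constructed message"), sig))
	fmt.Println("other context:", Verify(k, []byte("other-ctx"), []byte("constructed message"), sig))
}
```

The point the example makes is the one Tiru and Ilari raise: the caller never sees ASN.1 or TLS structures, only `[]byte` in and `[]byte` out, so the same function can sit behind X.509, TLS or anything else, while the context string changes the signed input and so a signature made for one use fails verification under another.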