Re: [Cfrg] draft-atkins-suit-cose-walnutdsa on the Independent Stream

Eric Rescorla <> Mon, 20 January 2020 15:21 UTC

From: Eric Rescorla <>
Date: Mon, 20 Jan 2020 07:20:28 -0800
Message-ID: <>
To: Stephen Farrell <>
Cc: Martin Thomson <>, cfrg <>, Nevil Brownlee <>

On Mon, Jan 20, 2020 at 5:38 AM Stephen Farrell <>

> Hiya,
> On 20/01/2020 04:28, Martin Thomson wrote:
> > If this were widely-deployed not-good crypto, that might change the
> > situation, but the potential for harm in terms of misunderstanding
> > the status of the mechanism seems significant enough to argue for not
> > publishing even then.  In my view.  But, as ISE, that is Adrian's
> > choice and Adrian's choice alone.
> I agree that publishing this now would be detrimental. Once
> the NIST PQ stuff reaches a conclusion (in a yearish maybe?)
> then I'd expect we'll see a bunch of CFRG RFCs documenting
> (some of) the set of algs that that process has produced as
> "winners." I think it'd send a very confusing signal to
> implementers if other RFCs describing crypto that aims to
> be quantum resistant (or protocols using such) are emitted
> ahead of those.
> After those "winners" are known and sufficiently well
> documented, then I'd not object to Derek's draft being
> considered again, either by the ISE or CFRG, but having
> pretty much any "post quantum" RFC published now seems
> to me a bad plan, for any RFC stream.
> Two other notes - if the ISE does decide to publish this
> then I'd bet the ISE is likely to see more people doing
> the same with other algorithms that are no longer in the
> running in NISTland, which seems undesirable. (Were there
> 95 original entrants? I forget;-)

This seems like an important point and one that in general applies to
cryptographic algorithms. I would encourage the ISE to develop a policy
around "alternative" algorithm publications. I would note that the trend in
IETF (or at least in the HTTP-QUIC-TLS-verse) is away from requiring RFCs
in order to register code points, so at least that reason has less force.

> Finally, if the ISE did
> publish something like this, I'd really hope there'd be
> content in the document that explains how this algorithm
> got on in NISTland - I didn't see such text in the draft
> (but only scanned it quickly) and am not even sure one
> could craft good text now, while the NIST process is
> still running.
> So overall: "Dear ISE - please say no or put this one
> on hold 'till the NIST thing is done."
> Cheers,
> S.