Re: [Curdle] call for adoption for draft-mu-curdle-ssh-xmss-00

Daniel Van Geest <> Fri, 22 November 2019 02:44 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D30AC120836 for <>; Thu, 21 Nov 2019 18:44:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id rMftdEaWGz1o for <>; Thu, 21 Nov 2019 18:44:12 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id F1ABC12012A for <>; Thu, 21 Nov 2019 18:44:11 -0800 (PST)
IronPort-SDR: CWPgYkSVv2lH9isGULoime6R5Ls+ZSUhrEoq+E2X481CBzyRTD9nOveCZVYnIhn8INKLBNPJV3 TR1WDSJ6mXzHLupqu96bK8/e4bZudMiK7+CdWhbxMvNZR6sO73IMvm6LgkFculekHOoYKNV5sl wMLExCEWT7y0lHWhlAdZCm/uiP9PpiRM53uTKHtVv89xWhpTycZ10e5nG40NC0dJOICXRGm6rQ P/bGoLXNdEjX2/00eybOurGAA0hb802s6dy+VVAguaaA5caboww34dfV8vwsd7lKLncC8Dmkt4 AxY=
Received: from unknown (HELO ([]) by with ESMTP; 22 Nov 2019 02:44:11 +0000
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.1779.2; Thu, 21 Nov 2019 21:44:50 -0500
Received: from ([fe80::d802:5aec:db34:beba]) by ([fe80::d802:5aec:db34:beba%7]) with mapi id 15.01.1779.002; Thu, 21 Nov 2019 21:44:50 -0500
From: Daniel Van Geest <>
To: "Salz, Rich" <>, "Panos Kampanakis (pkampana)" <>, denis bider <>
CC: curdle <>, Daniel Migault <>
Thread-Topic: [External]Re: [Curdle] call for adoption for draft-mu-curdle-ssh-xmss-00
Thread-Index: AQHVoN7PWePopCOyl02nz+6D8T/G8g==
Date: Fri, 22 Nov 2019 02:44:50 +0000
Message-ID: <>
Accept-Language: en-CA, en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_6F37DBC7172E44B4A7E8C7432BEA3225isaracom_"
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [Curdle] call for adoption for draft-mu-curdle-ssh-xmss-00
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of potential new security area wg." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 22 Nov 2019 02:44:14 -0000

NIST will issue a special publication on stateful hash-based signatures before the rest of the PQ process completes.  Based on today’s date I’d hazard a guess that the publication will be next year.

XMSS/HSS is better suited for roots of trust and code signing (and possibly a few other limited cases, the NIST publication may give guidance here) where the environment where the signature is generated is tightly controlled.  I’d possibly support its use for limited end-entity certificates (the only semi-reasonable one I can think of is an EE cert with a private key in an HSM which is used to sign a TLS delegated credential of a different PQ or classical algorithm).

The general SSH use case does not fit any tightly-controlled scenario like above, so I oppose adoption of this draft.


On 2019-11-21, 4:39 PM, "Curdle on behalf of Salz, Rich" <<> on behalf of<>> wrote:

Speaking as an individual, I am opposed to adoption of this draft.

The IETF has pretty much decided to wait until the NIST post-quantum crypto process is finished.

Ø  SSH is rife with short, ad-hoc sessions in practical usage; as well as long sessions that can last many days.

Yes, and  for this reason, and because NIST explicit said that this will be part of the PQ process, adoption is premature. The NIST link mentioned ( explicitly talks about the problems and concerns of managing the state.