IETF Logo Mail Archive

Re: [lamps] [EXTERNAL] Re: draft-ounsworth-pq-composite-sigs-11

Mike Ounsworth <Mike.Ounsworth@entrust.com> Thu, 08 February 2024 18:58 UTC

Return-Path: <Mike.Ounsworth@entrust.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 92FCFC14F71F for <spasm@ietfa.amsl.com>; Thu, 8 Feb 2024 10:58:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.807
X-Spam-Level:
X-Spam-Status: No, score=-2.807 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=entrust.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4Zr3Zk4PDrJi for <spasm@ietfa.amsl.com>; Thu, 8 Feb 2024 10:58:19 -0800 (PST)
Received: from mx08-0015a003.pphosted.com (mx08-0015a003.pphosted.com [185.183.30.227]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3BBE2C14F71C for <spasm@ietf.org>; Thu, 8 Feb 2024 10:58:18 -0800 (PST)
Received: from pps.filterd (m0242863.ppops.net [127.0.0.1]) by mx08-0015a003.pphosted.com (8.17.1.24/8.17.1.24) with ESMTP id 418GQqDT004018; Thu, 8 Feb 2024 12:58:14 -0600
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=entrust.com; h= from:to:subject:date:message-id:references:in-reply-to :content-type:mime-version; s=mail1; bh=EI8f+qt2pSWfOi95moKP5fT0 dLJ2lUm1ovQEUYML0HM=; b=d7DjRwsbFnfhMxAgGOf2fX2Eqiu/63RdGl95N8tM QIs35nmmsfq9MirHVBOeXRuHoyhM/qDcgPnVrBMtfbUCI+/a9g9bvMZWbi+5+TJf qDgYNNKHcUrNPbUSiSXVHThxNdY1AVdG48NsK3lCZXi7dLNt9i/q+qAOzRzPmTNS jvfTdL9Oejpt5bwmXPSlsjaFzA1d8SCK3lpcFg/jEZjMC0QASGc/v9sPMU5tIeDG TBhRL9Q8LfiggVCS+koGowaHymRubB0fY4zaGsR1BtuBJaJNQm68X+A6Cw2N3d1X 2FMrXoJj8ePH5bug57w1kaPzp/Y59r91I4PuDOMcYCx4dw==
Received: from nam12-bn8-obe.outbound.protection.outlook.com (mail-bn8nam12lp2168.outbound.protection.outlook.com [104.47.55.168]) by mx08-0015a003.pphosted.com (PPS) with ESMTPS id 3w1hbr3vwg-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 08 Feb 2024 12:58:14 -0600 (CST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=c8g4jUw03AEmyAfoDKa0Qkrnb8VAd/guDCKr4VL/o6GYF/A3gt2dWiD81b215yKsUtgyqHSBlFLtvfcSm5XmbfRLUt3ixGZL34AiR2oXY0umOkRJgNbfbN07oMJgyrd8DTjF3Q+Xj4cFi0PrpfMYhWYg5smPBGGEz2yUesIag3jGzYxu++AvrdXw4nZNJgh/LxEa2lbHAgZDwUZDOWQu20Ul56L3MruvMVeiwgmYN0AaCDOxiw8wUyMJh7ylzNfepgXpjMe/B/5iob2NZoSqyj32dl7m2IaZyrgekucAM5KS7/INB/kkwXDrnMRq/X+PdoxbmuTDTgiJt6Q4HQ7hQA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=EI8f+qt2pSWfOi95moKP5fT0dLJ2lUm1ovQEUYML0HM=; b=e90dLW8OfV9t44QkfagJ5rcyiptZOmvpLlw6YwoOx+Zk28An7kRbApn9pq32ym0mXsnulhPVTAjZUxg5YH7kPM/W3F7HQ/P7V1NE2TcrbsPrrCSv2tGglv80BJrnqLioZ+wfqIgsBBldRP6DGG3K4um2yOPQfVsWLTNnFDejWCI0NmMbLVvAhn7yBLBjwTW79vh9H2iWbcr2A3sjZx4Pms4JZHDQZ+dA7jgW4z+MS6wrmCv+NU5eUbJ+C+FYNJg202xj7qAFNmHjPUC6NYlVpcEastSVnUC3c/RhgALdpTlb+IU/osPTYzkEXk9BpbUFa1l+WjZFb6P58UHBrZTGEQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=entrust.com; dmarc=pass action=none header.from=entrust.com; dkim=pass header.d=entrust.com; arc=none
Received: from CH0PR11MB5739.namprd11.prod.outlook.com (2603:10b6:610:100::20) by DS7PR11MB7907.namprd11.prod.outlook.com (2603:10b6:8:db::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7249.38; Thu, 8 Feb 2024 18:58:11 +0000
Received: from CH0PR11MB5739.namprd11.prod.outlook.com ([fe80::d401:ba56:87f2:7eb8]) by CH0PR11MB5739.namprd11.prod.outlook.com ([fe80::d401:ba56:87f2:7eb8%6]) with mapi id 15.20.7270.024; Thu, 8 Feb 2024 18:58:11 +0000
From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Kris Kwiatkowski <kris@amongbytes.com>, "spasm@ietf.org" <spasm@ietf.org>
Thread-Topic: [EXTERNAL] Re: [lamps] draft-ounsworth-pq-composite-sigs-11
Thread-Index: AQHaWhSXVHL9GeRflkufYbl0qndSgbEAkjgQgAAqwoCAAANnUIAABYkAgAABC1CAAARZAIAAADYA
Date: Thu, 08 Feb 2024 18:58:10 +0000
Message-ID: <CH0PR11MB573987DC87E079F4DB76F4DC9F442@CH0PR11MB5739.namprd11.prod.outlook.com>
References: <1751D067-A337-4611-A638-02DB5F90394A@amongbytes.com> <d3abe6ed-4150-43fb-b6f4-d3402ae41599@cs.tcd.ie> <CH0PR11MB5739F82A580E1B892DF90DF69F442@CH0PR11MB5739.namprd11.prod.outlook.com> <08a4e633-6972-4a7d-a295-5ffea82df6dc@cs.tcd.ie> <CH0PR11MB5739A9F75E71C5B99D980D479F442@CH0PR11MB5739.namprd11.prod.outlook.com> <4f3c3b15-6635-4afd-8df0-c5c3827e6f69@cs.tcd.ie> <CH0PR11MB5739CD0DDEADCAD5AA72DC619F442@CH0PR11MB5739.namprd11.prod.outlook.com> <9dcfd072-beb6-4b1b-b5e3-768132e4cc5f@cs.tcd.ie>
In-Reply-To: <9dcfd072-beb6-4b1b-b5e3-768132e4cc5f@cs.tcd.ie>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: CH0PR11MB5739:EE_|DS7PR11MB7907:EE_
x-ms-office365-filtering-correlation-id: 80d82e75-70fa-448b-d120-08dc28d7e54b
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: oy6vAZsfN2Ze3hd0wGjkQOb/8O7SkA9LnmiUWRF0snFGzROxlWZYO3shZanKFYoLYYHvCttcxfl9FaT6C0CDHkx2NnCAeIVaosjuoo2YsRpqDfvdibbYc5pnjok0b1HQkL9FdwcqC+stgdYFcxh5SppRhmrJ7SOJoTmmJTXU5IVg6kyQzg64S3HEWvdK73MjEGNt4n6GmvFRWH86Ziz74Zb4TR4NhNsdDrlfDDaZ05SdHTu3X0E2tiwObgS5VjMmWQWACsWTcMR3LOStl/KhRFUWw/9RxkK9XiClLGrw/EbHtyaVH6CSb1BQHfvj9N0EWLm6j0wkhRgF/Ta25TPxgyRxl0Jqhom6GN3l40qthUo/iKDYTQvDEP34SYoTrgfbMTAQug+ki/3PH+TLost4vCmqIool55pcfkw+68FZjhinU17kCU41aiKJkJmal9LQrWrFjbsPpb8PxV7unc/6eZzGukL2+tN1yX0LKmSEzbBNUxa36laZ93RhFxFLX9xDDJKUyE3doAaTk22mR2x+hFwRxcYUcgb/Vh1qbxdTJTxLaUIMN3majHKI3ueHe6KGhy+Fw/YvvsPcdWXJ6L1fO2C2Cx2euOsz24jf2Fnu8ic=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CH0PR11MB5739.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(396003)(136003)(39850400004)(346002)(376002)(366004)(230922051799003)(230273577357003)(186009)(451199024)(1800799012)(64100799003)(38100700002)(83380400001)(66946007)(122000001)(8676002)(99936003)(8936002)(66446008)(110136005)(64756008)(66476007)(66556008)(316002)(296002)(76116006)(52536014)(5660300002)(2906002)(9686003)(7696005)(26005)(478600001)(966005)(71200400001)(53546011)(6506007)(38070700009)(86362001)(33656002)(55016003)(41300700001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: SjzAlCk2SLY7q7EnFtqSlNrhbUw2Nf3aKLzLOGXkdkXh3AvahOUd0xmaPzEF5jYMwPms0YiVXBk3Rlc/73BoK7oJ06nVXg+BVur2cPYboQqFfMqc4qQr7A/C1+2dxD9Ms8KcQkBET/HTEEAzyq7Yvk/EQ8lOAGSjaF7e5Wwyc5hSiXLP88xStPr999ry1KDqOMHYzXA5sW/EXe3wz15s2KTx34z3tqxJkEtd8B9vi2NhPd7hYw3WIepG3MHJW9DuJQVmyxfmLrGy2fK6rFFGR/al95JWb7sAIe5M/I9o81321n9j/YjPriEIVvFQGrja9w60TKn+MrmOmeTnM7Ivb2pwITNmOK9LTKLYo7BgDrGA55RQRnVZYJuR4nS3gjwEQaQdH7lZSe/KkURDp4tAlnjBS9VBzrvek5yl+yaY+1zi43zK7e7cwoihHOTJdvKerpM/wIMDk5mRrhg+JZ/1c5VQYNhHlZXVODAKz8lKWOROMU4TgOdzECSgTsB61igPG0BxtS0r2enY+iv383h/N/ttFYhXryAD09UPJFBntV10OTwtyPosLYskGhj1J2NoNGt1TLOGKVmMzNM5zRC/+R48ZdSqmuhr/xZ2M2LfNItJ9nNE5uZiVHVFaZVWsPEU3569k3P+rqp5dEnM27x5hjnoNtOG+O2gKdsQ2oVLvE5RRF43s9KQzRvrEe6q4AvKRBZji4pbX3MldpX7lGBTFfetpPuqLU3BWw2rQOPdnKR8um1mREmaFxbA4Eh5tGSP9+PdmBeiYMJYIez7VJgKmi7HVatSeOZDGgMk9Md3Qkq/ejFGEKfRWZ/AAZQCWc/qhown/VSoOZW30PMLx3IBbBpAVn3BZhk62IsbjDbVxq2TPa7tvs9KRFBo5DMF26C6MP2+lNk8TDJvn7P9pLNO6OCLw2iua0XajOLRO6lIYXxaAosheLTAXgdtmNDa8lVGzXJDlkVsVNIxJi5QqWmm5wGDGwATQ/tTTNR8/lT/TztPzoWPA/mLgz4QGzJQ+HpmWWOTEuazB+14k75mFImV9I2A8lh0AVnnvANLMdX3+zGH+g0XRkViOYy6TjjR3uzKdXG7+hmF3tgOfOEYgbNShwniWjRvi6I4w8Vd4kQLZ30X/9+3WxL/5Ltnjho1EelcZtlW7DPwGUSwIgcBeBUviTjDawFOhAXFZ4XOBXa7FFq+tN+B4APTLo8wFRbfzAjhDIx3vukDP/XU6Hh05g3imJlYv7tvqE/JRZg4yDzlnTRgoHYUC2du9nlLhzI4yzrygJ/v0Z6hQJErfrpyqhUCJpRpHIIFn042ZZbv5X5QFjyuaKmW0XNzeMkQ/1XyfgXiIQEmwsCyAByXHpQ5xlhaXcATIKCrSQXVWJtDgNY+FRpAyPpoIj3k4wwXGm4mFco5nesrg3uyvly3b5aitAiM1xkF47cLsUBsnG+5skCaYLewhEa5DHXWhfXePaICePR8QVMMkWNewHrXRWMqlQKDlvhASYy3CmXnerka4m+k9Ryt8r8wEhtg7204uUUU8pRyC0Et63uHC9OOof2rUnhMmichSg6LmajaV/WmpgLBVM8qQAM3gRaf/EHKzbG+sPqZ
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_0456_01DA5A8E.77622EB0"
MIME-Version: 1.0
X-OriginatorOrg: entrust.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CH0PR11MB5739.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 80d82e75-70fa-448b-d120-08dc28d7e54b
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 Feb 2024 18:58:10.9595 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f46cf439-27ef-4acf-a800-15072bb7ddc1
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: TIYwsvO0GXpE1uoQ3W8BRUPZHH4zbdcWfFWirg1rCQu+ShVjWBdhhjLxr4hEaZhvoVE4Ku+MFTJfq+hb/CyZ6CzOBy5X5cUKdnDQ3O4joYk=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DS7PR11MB7907
X-Proofpoint-GUID: uit_2UmbqDW80ERxSK8MYyFEedLrT_0A
X-Proofpoint-ORIG-GUID: uit_2UmbqDW80ERxSK8MYyFEedLrT_0A
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.272,Aquarius:18.0.1011,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2024-02-08_08,2024-02-08_01,2023-05-22_02
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 mlxscore=0 spamscore=0 phishscore=0 lowpriorityscore=0 mlxlogscore=999 clxscore=1015 impostorscore=0 priorityscore=1501 adultscore=0 suspectscore=0 bulkscore=0 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2401310000 definitions=main-2402080099
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/6UE2bWHHkbw27ftESvytH8SHf2A>
Subject: Re: [lamps] [EXTERNAL] Re: draft-ounsworth-pq-composite-sigs-11
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: This is the mail list for the LAMPS Working Group <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Feb 2024 18:58:24 -0000

> Thanks. Can you point me a which of the 72 pages address the issue at hand? (I may discover it myself but quicker to point at it if you already know where the answer to my question can be found.)

As I quoted in my proposed I-D text change below, the best direct quote is:

"Therefore, quantum computer-resistant methods should
not be used alone - at least in a transitional period - but
only in hybrid mode, i.e. in combination with a classical
method. For this purpose, protocols must be modified
or supplemented accordingly. In addition, public key
infrastructures, for example, must also be adapted"

You will also want to look at "Section 3.4 X.509 certificates" which specifically references this I-D.


> That's about QKD. How is that relevant?

Because it includes this quote, which I included in my proposed I-D text change below.

“In light of the urgent need to stop relying only on quantum-vulnerable public-key cryptography for key establishment, the clear priority should therefore be the migration to post-quantum cryptography in hybrid solutions”



> Because so far it's merely an assertion of need via an argument from authority.

Yes. Is that not what you asked for?
The BSI document spells out why this is wanted for X.509 certificates. 
What more is missing for this to be an acceptable argument to you?
Do I need to spell out that there exist things in the world which use X.509?

---
Mike Ounsworth

-----Original Message-----
From: Stephen Farrell <stephen.farrell@cs.tcd.ie> 
Sent: Thursday, February 8, 2024 12:51 PM
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>; Kris Kwiatkowski <kris@amongbytes.com>; spasm@ietf.org
Subject: Re: [EXTERNAL] Re: [lamps] draft-ounsworth-pq-composite-sigs-11


Hiya,

On 08/02/2024 18:42, Mike Ounsworth wrote:
>> I'm not currently being a detractor. I'm asking for someone to document a case where these hybrid signing algorithms are needed and needed now. If that's not doable then I find that fairly telling.
> 
> The BSI has documented it. Here is their document:
> https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Broch
> ure/quantum-safe-cryptography.pdf

Thanks. Can you point me a which of the 72 pages address the issue at hand? (I may discover it myself but quicker to point at it if you already know where the answer to my question can be found.)

> The French Cybersecurity Agency (ANSSI), Federal Office for 
> Information Security (BSI), Netherlands National Communications Security Agency (NLNCSA), and Swedish National Communications Security Authority, Swedish Armed Forces have documented it. Here is their document:
> https://cyber.gouv.fr/sites/default/files/document/Quantum_Key_Distrib
> ution_Position_Paper.pdf

That's about QKD. How is that relevant?

> I am unclear why you don't accept this as proof-of-need.

Because so far it's merely an assertion of need via an argument from authority.

> 
> I am also unclear why proof-of-need is a requirement for RFC publication. 

I never mentioned RFC publication.

> Are you trying to tell me that the IETF has never once published an RFC that didn't end up getting used in production? There is a government recommendation document specifically citing this I-D as an example of "good". Surely that is enough by itself to meet the IETF's bar for usefulness.
> 
> I have seen NSA documents (I'm thinking of draft-ietf-lamps-cert-binding-for-multi-auth) be adopted with a justification that boils down to "DoD wants this for internal use". That is less justification than we have for composite sigs, yet somehow that was acceptable, and this is not?
> 

I don't recall that document.

If your argument in the end turns out to be "we want to do this because someone wants it, but we can't explain why it's needed (and needed now)"
then that's an outcome of sorts for this discussion I guess. But not a particularly convincing one, I'm sure you'd agree.

S.


> ---
> Mike Ounsworth
> 
> -----Original Message-----
> From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
> Sent: Thursday, February 8, 2024 12:32 PM
> To: Mike Ounsworth <Mike.Ounsworth@entrust.com>; Kris Kwiatkowski 
> <kris@amongbytes.com>; spasm@ietf.org
> Subject: Re: [EXTERNAL] Re: [lamps] 
> draft-ounsworth-pq-composite-sigs-11
> 
> 
> Hiya,
> 
> On 08/02/2024 18:26, Mike Ounsworth wrote:
>> Hi Stephen,
>>
>>> Other agencies have recommended against hybrid KEMs by times, and we happily ignore that.
>>
>> I fully disagree. We are not ignoring that at all.
>> LAMPS has draft-ietf-lamps-kyber which instructs how to use Kyber by itself in CMS, which fulfills the requirements from people who do not want hybrids. And similarly draft-ietf-lamps-dilithium-certificates for pure Dilithium signatures.
>> My understanding is that the IETF does not play politics; if multiple governments have conflicting technical requirements, then we should produce separate mechanism to satisfy each. It is clear to me that there exists a need for this motivated by BSI and ANSSI recommendations. Full stop.
>>
>>
>> I have written some text into the composite signatures draft that I think addresses this. It is currently on a github pull request:
>>
>> https://github.com/EntrustCorporation/draft-ounsworth-composite-sigs/
>> p
>> ull/131
>>
>> It adds the following text to the Introduction:
>>
>> + In particular, certain jurisdictions are recommending or requiring that PQC lattice schemes only be used within in a PQ/T hybrid. As an example, we point to [BSI2021] which includes the following recommendation:
>>
>> + "Therefore, quantum computer-resistant methods should not be used 
>> + alone - at least in a transitional period - but only in hybrid 
>> + mode, i.e. in combination with a classical method. For this 
>> + purpose, protocols must be modified or supplemented accordingly. In 
>> + addition, public key infrastructures, for example, must also be adapted"
>>
>> + In addition, [BSI2021] specifically references this specification as a concrete example of hybrid X.509 certificates.
>>
>> + A more recent example is [ANSSI2024], a document co-authored by 
>> + French Cybersecurity Agency (ANSSI), Federal Office for Information 
>> + Security (BSI), Netherlands National Communications Security Agency (NLNCSA), and Swedish National Communications Security Authority, Swedish Armed Forces which makes the following statement:
>>
>> + “In light of the urgent need to stop relying only on quantum-vulnerable public-key cryptography for key establishment, the clear priority should therefore be the migration to post-quantum cryptography in hybrid solutions”
>>
>> + This specification represents the straightforward implementation of the hybrid solutions called for by European cyber security agencies.
>>
> 
> That's about the closest I've ever seen to a pure argument from authority. I don't think we ought base IETF work on such a well known fallacy.
> 
>>
>> To flip the burden of proof back onto the detractors:
> 
> I'm not currently being a detractor. I'm asking for someone to document a case where these hybrid signing algorithms are needed and needed now. If that's not doable then I find that fairly telling.
> 
> S.
> 
> 
>> if you think that this work should not proceed, then please justify why the IETF does not need to produce a mechanism to fulfil this recommendation from multiple governments. Or perhaps the IETF already has a mechanism that satisfies this requirement, but if so, I am not aware of one -- for example all of the Multi-Cert mechanisms that I am aware of operate in an OR mode, and are therefore not "hybrids" as defined in the above-referenced BSI recommendations document.
>>
>> ---
>> Mike Ounsworth
>>
>> -----Original Message-----
>> From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
>> Sent: Thursday, February 8, 2024 12:00 PM
>> To: Mike Ounsworth <Mike.Ounsworth@entrust.com>; Kris Kwiatkowski 
>> <kris@amongbytes.com>; spasm@ietf.org
>> Subject: Re: [EXTERNAL] Re: [lamps]
>> draft-ounsworth-pq-composite-sigs-11
>>
>>
>> Hiya,
>>
>> On 08/02/2024 15:31, Mike Ounsworth wrote:
>>> Not to be flippant, but I think the answer is "everywhere".
>>
>> You may be unsurprised to hear that I disagree.
>>
>>> The current recommendations (at least from some European 
>>> governments) are to not use lattice schemes in isolation, but only 
>>> in hybrids. So anywhere that uses long-term keys (ex.: certs for 
>>> CAs, S/MIME, Code Signing, Document Signing, any-other-thing 
>>> Signing, etc) and wants to migrate to Dilithium *should* migrate to 
>>> a dilithium+ecc or
>>> dilithium+rsa composite.
>>>
>>> Would it address your comment if we add text to the Intro to that 
>>> effect that references the various government calls for hybrids?
>>
>> Not for me, no. Other agencies have recommended against hybrid KEMs by times, and we happily ignore that. We should also be doing the engineering work to determine what's needed where and when. So I think we need a demonstration that these kinds of hybrid signing algs are needed, and needed now. I've not seen that myself, especially in a context where pq signing algs seem to be evolving a lot.
>>
>> S.
>>
>>>
>>> --- Mike Ounsworth
>>>
>>> -----Original Message----- From: Spasm <spasm-bounces@ietf.org> On 
>>> Behalf Of Stephen Farrell Sent: Wednesday, February 7, 2024 4:25 PM
>>> To: Kris Kwiatkowski <kris@amongbytes.com>; spasm@ietf.org Subject:
>>> [EXTERNAL] Re: [lamps] draft-ounsworth-pq-composite-sigs-11
>>>
>>>
>>> Hiya,
>>>
>>> On 07/02/2024 22:07, Kris Kwiatkowski wrote:
>>>> * Is there a document describing real-world use cases for this draft?
>>>> I’m aware of draft-vaira-pquip-pqc-use-cases, but really I’m 
>>>> looking for use cases where draft-ounsworth-pq-composite-sigs will 
>>>> be clearly very useful/necessary to have.
>>>
>>> I'd also be v. interested in that, and didn't find such text when I 
>>> looked a few months back. (And I think such text is very much
>>> needed.)
>>>
>>> Cheers, S.

v2.23.0 | Report a Bug | By Email