[lamps] Re: [EXT] Re: WG Last Call: draft-ietf-lamps-pq-composite-sigs-08 (Ends 2025-10-06)
"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Mon, 06 October 2025 20:59 UTC
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Mike Ounsworth <ounsworth+ietf@gmail.com>, Dennis Jackson <ietf=40dennis-jackson.uk@dmarc.ietf.org>
Date: Mon, 06 Oct 2025 20:59:03 +0000
Message-ID: <BN0P110MB14193AD8816C7FCD4A5F643790E3A@BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM>
In-Reply-To: <CAKZgXHrn45OK-X=JxWY0E9m=s7+pCBqFQk3bKTJ7fOQ=A2LeLg@mail.gmail.com>
CC: "spasm@ietf.org" <spasm@ietf.org>
List-Id: This is the mail list for the LAMPS Working Group <spasm.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/6UcPccwXB7bdFfPLlg3NpPvmdH0>
This is not technically *new* information, since this was brought up in Bangkok and Madrid, and voted down 42 - 1. But I am not convinced that that was a mistake, and I'm fairly happy with my PR because for the low low price of a 2 byte length tag, the people who need CHOICE can do CHOICE, and the people who don't can ignore it. It's hard for me to imagine on what technical grounds someone could object to this.
Technical grounds: mainly, an extra attack surface and the extra (unnecessary!) complexity of processing/implementing/validating/etc.
On Mon, 6 Oct 2025 at 15:35, Dennis Jackson <ietf=40dennis-jackson.uk@dmarc.ietf.org> wrote:
Hi Mike,
As I said to you privately:
> Thank you for putting it together Mike! I'm not thrilled about CHOICE for the same reasons as for the KEM hybrids, but if we are forced down this line (I'm not convinced yet) then this seems pretty solid
I have seen no argument that we are forced down this line. Unless
someone can bring some compelling new argument or evidence, I don't
think we should re-open this topic.
Best,
Dennis
On 06/10/2025 19:37, Mike Ounsworth wrote:
> Hi,
>
> So, I am hearing people say that it's necessary to support {seed,
> expandedkey, both}. I am hearing people say that it's not.
>
> What I have not heard, is anyone say that they cannot live with this PR.
> https://github.com/lamps-wg/draft-composite-sigs/pull/292
>
> Essentially, it adds a 2-byte length value to the private key format:
> output len(mldsaSK) || mldsaSK || tradSK
> and then says that since mldsaSK can only take a finite number of forms,
> the length serves double-duty as a tag according to this table:
>
> | ML-DSA alg | seed | expandedKey | both |
> | ----------- | ----- | ------------ | ---- |
> | ML-DSA-44 | 32 | 2560 | 2592 |
> | ML-DSA-65 | 32 | 4032 | 4064 |
> | ML-DSA-87 | 32 | 4896 | 4928 |
>
> I have heard David Hook say that it's not as much encoding (ASN.1) as he
> would like, but he can live with it. I have heard Dennis Jackson say that
> it's more encoding than he would like, but he can live with it.
>
> Pending any hard objections, I am going to merge this PR and then ask Russ
> to pass the WGLC and to ask IANA for official OIDs this week.
> @Russ Housley <housley@vigilsec.com> -- yes please?
>
>
> On Mon, 6 Oct 2025 at 10:20, Jean-Pierre Fiset <jp@crypto4a.com> wrote:
>
>> I agree with Sophie's position and perspective.
>>
>> Furthermore, I do not believe that we need to revisit the expanded format
>> as there are no prior implementations (that we know of) in production use.
>>
>> JP
>> On 10/5/25 15:08, Sophie Schmieg wrote:
>>
>> I'm not sure what objections Tim refers to here. As Dennis mentioned, as
>> far as I can tell, all necessary design decisions have been voted on in
>> Madrid and have been decided with what I would characterize as overwhelming
>> working group consensus. We should not revisit these decisions given that
>> no new arguments have been made (and really only security arguments should
>> get us to revisit them at all now in my opinion).
>>
>> We are running out of time when it comes to composite signatures. I
>> already had to greenlight multiple pure-only projects to proceed, simply
>> because no stable signature combiner exists as of yet. If we do not have a
>> published RFC (or, to be more precise, fixed IANA code points, i.e. a draft
>> that is fixed on the bytes on the wire that are produced) by the end of the
>> year, my prediction is that it will simply be too late for composite
>> signatures to see any meaningful adoption. The deadline for being done with
>> at least the majority of the PQC migration, set by various government
>> agencies, threat models, etc, is 2030. If we get an RFC by the end of year,
>> that leaves 4 years for implementation, which even includes various
>> downstream standardization decisions in many cases. We simply cannot afford
>> going back and forth on already decided points.
>>
>> On Sun, Oct 5, 2025 at 10:19 AM Dennis Jackson <ietf=40dennis-jackson.uk@dmarc.ietf.org> wrote:
>>
>>> Hi Mike,
>>>
>>> My understanding was that these arguments were brought up in Madrid [1]:
>>>
>>> Discussion about whether or not HSM modules do not support (and have no
>>> plans to support), seed.
>>> DB: there are existing keys whose seeds were lost. This was the concern.
>>> Since we forbid key re-use, and we have an upgrade path, there should be
>>> no issue.
>>> VD: people bought modules, don't know how to upgrade, and we had
>>> stand-alone keys, so can we have a length?
>>>
>>>
>>> and the result of that discussion was a nearly unanimous consensus on the
>>> private key format:
>>>
>>> POLL: Can you live with the seed-only private key format?
>>> Y: 42, NO: 1, NoOpinion: 7.
>>>
>>>
>>> I don't think we should re-open any discussion on which we've found
>>> consensus, and I think that applies doubly when we're in WGLC, it's a
>>> breaking change and this is a draft that other WGs are depending upon.
>>>
>>> Best,
>>> Dennis
>>>
>>> [1]
>>> https://datatracker.ietf.org/meeting/123/materials/minutes-123-lamps-202507220730-00
>>>
>>> On 05/10/2025 17:21, Mike Ounsworth wrote:
>>>
>>> Thank you David for explaining the sticking point here.
>>>
>>> I am sympathetic to this point:
>>>
>>>> there's going to be hardware in process (for certification), possibly
>>> even in the field now, which also will only export expanded keys and in
>>> many cases updating such hardware may be very difficult, if not impossible.
>>>
>>> This point was brought up as far back as Bangkok (March 2025), and
>>> out-voted by the LAMPS WG and the composite authors with the hand-wave
>>> ("well, then those devices won't be able to do composites, oh well").
>>> Perhaps that was the wrong answer. I am willing to re-open that discussion.
>>>
>>> David suggests:
>>>
>>>> If there is still a chance of discussion I would like to propose that
>>> the private key is encoded as a sequence of two octet strings,
>>>
>>> I am interpreting "sequence of two octet strings" to be the ASN.1 type
>>> SEQUENCE SIZE (2) of OCTET STRING, and not a custom byte encoding.
>>> One of the constraints that the composite authors have is that while
>>> Composite is being standardized in LAMPS, it is not really part of X.509,
>>> it is really a standalone cryptographic primitive that really should have
>>> gone through CFRG, and we want the primitive standardized here to be
>>> re-usable across JWT, CWT, HPKE, which means no ASN.1 in the key encodings.
>>> Also, I don't want to have Composite ML-DSA have a totally different
>>> encoding from Composite ML-KEM. Let me noodle for a few hours on how to
>>> shoehorn the CHOICE thing in here in a way that won't make the authors of
>>> the downstream JWT and CWT drafts balk. I'll open a PR.
>>>
>>> Unfortunately, this will be a breaking change that will need design
>>> discussion, so @Russ Housley <housley@vigilsec.com> , I think this means
>>> Composite Signatures fails WGLC :(
>>>
>>> On Sun, 5 Oct 2025 at 10:36, David Hook <dgh@bouncycastle.org> wrote:
>>>
>>>> At the risk of sticking my head out of my foxhole at the wrong time, I
>>>> also have one big reservation about the current draft.
>>>>
>>>> At the moment the private key is being encoded with the ML-DSA component
>>>> as fixed length based on just the seed. While one of the compelling points
>>>> around the original private key discussion in lamps (I hope) was around the
>>>> presence of legacy expanded keys which couldn't simply be encoded as seeds
>>>> as the "seed only ship" had already sailed for some, we should have
>>>> probably made a point concerning the fact that there's going to be hardware
>>>> in process (for certification), possibly even in the field now, which also
>>>> will only export expanded keys and in many cases updating such hardware may
>>>> be very difficult, if not impossible. As this is the case, it is not really
>>>> correct that the new composite encoding will work for all new ML-DSA
>>>> private keys, it is restricted to new ML-DSA private keys for which a seed
>>>> only encoding exists. At the moment only the ML-DSA private key draft will
>>>> work for all ML-DSA private keys and I think it would be both a shame, even
>>>> a loss, that this may not turn out to be true for composite as well.
>>>>
>>>> If there is still a chance of discussion I would like to propose that
>>>> the private key is encoded as a sequence of two octet strings, with each
>>>> octet string based on what the privateKey field in the octet string would
>>>> have been if the keys had been encoded into their own PrivateKeyInfo
>>>> fields. This would allow people who are stuck with expanded private keys to
>>>> also make use of the algorithm and, at least in our case, simplify
>>>> reconstruction, as then the octet strings could be loaded straight into
>>>> PrivateKeyInfo structures suitable for passing to a key factory (rather
>>>> than what we need to do now, which is extract the right number of bytes,
>>>> reconstruct the surrounding octet string and then build a PrivateKeyInfo
>>>> structure around it...). It also means people can still use seed, it will
>>>> just cost 4, perhaps 5 extra bytes, allowing for the sequence header and
>>>> the implicitly tagged octet string for the seed.
>>>>
>>>> I think also, given that Falcon is on its way, and there is also the
>>>> current on-going signature competition, it would provide a more general way
>>>> of future proofing the standard to allow for a simple method of including
>>>> different private key types when appropriate.
>>>>
>>>> Other than that, we have a few organizations very keen to start using
>>>> composite and who are already experimenting with it. It seems to be showing
>>>> a lot of promise in the use of firmware signing amongst other things.
>>>>
>>>> With respect,
>>>>
>>>> David
>>>>
>>>> On 6/10/25 00:08, Tim Hudson wrote:
>>>>
>>>> At this time, I am not in favour of this draft, for the reasons already
>>>> discussed on list that we don't need to revisit here.
>>>> I will encourage various libraries and other standards body groups to
>>>> not implement this in the form proposed.
>>>>
>>>> Note this view is unchanged by draft-ietf-lamps-pq-composite-sigs-09 and
>>>> I find it a somewhat unexpected process to have a WGLC active and to be
>>>> simultaneously changing the document.
>>>> I would have expected the WGLC to be terminated if the editors felt that
>>>> items needed addressing.
>>>>
>>>> Tim.
>>>>
>>>>
>>>> On Mon, Sep 22, 2025 at 5:50 PM Russ Housley via Datatracker <noreply@ietf.org> wrote:
>>>>
>>>>> Subject: WG Last Call: draft-ietf-lamps-pq-composite-sigs-08 (Ends
>>>>> 2025-10-06)
>>>>>
>>>>> This message starts a 2-week WG Last Call for this document.
>>>>>
>>>>> Abstract:
>>>>> This document defines combinations of ML-DSA [FIPS.204] in hybrid
>>>>> with traditional algorithms RSASSA-PKCS1-v1.5, RSASSA-PSS, ECDSA,
>>>>> Ed25519, and Ed448. These combinations are tailored to meet security
>>>>> best practices and regulatory guidelines. Composite ML-DSA is
>>>>> applicable in any application that uses X.509 or PKIX data structures
>>>>> that accept ML-DSA, but where the operator wants extra protection
>>>>> against breaks or catastrophic bugs in ML-DSA.
>>>>>
>>>>> File can be retrieved from:
>>>>> https://datatracker.ietf.org/doc/draft-ietf-lamps-pq-composite-sigs/
>>>>>
>>>>> Please review and indicate your support or objection to proceed with the
>>>>> publication of this document by replying to this email keeping
>>>>> spasm@ietf.org in copy. Objections should be motivated and suggestions
>>>>> to resolve them are highly appreciated.
>>>>>
>>>>> Authors, and WG participants in general, are reminded again of the
>>>>> Intellectual Property Rights (IPR) disclosure obligations described in
>>>>> BCP 79 [1]. Appropriate IPR disclosures required for full conformance
>>>>> with the provisions of BCP 78 [1] and BCP 79 [2] must be filed, if you
>>>>> are aware of any. Sanctions available for application to violators of
>>>>> IETF IPR Policy can be found at [3].
>>>>>
>>>>> Thank you.
>>>>>
>>>>> [1] https://datatracker.ietf.org/doc/bcp78/
>>>>> [2] https://datatracker.ietf.org/doc/bcp79/
>>>>> [3] https://datatracker.ietf.org/doc/rfc6701/
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>
>> --
>>
>> Sophie Schmieg | Information Security Engineer | ISE Crypto |
>> sschmieg@google.com
>>
>>
>>
>>
>
_______________________________________________
Spasm mailing list -- spasm@ietf.org
To unsubscribe send an email to spasm-leave@ietf.org
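The length-tagged private key layout Mike describes in the thread (len(mldsaSK) || mldsaSK || tradSK, with the 2-byte length doubling as the seed/expandedKey/both tag) lends itself to a strict decoder that rejects every length outside the table, which is the validation step Uri's "extra attack surface" objection is about. The code below is an added editorial example, not code from the draft, PR #292 or any of the participants; it assumes a big-endian length field and, for the "both" form, the 32-byte seed followed by the expanded key, neither of which the thread states.

```python
# Strict encoder/decoder for the proposed composite ML-DSA private key layout:
#     len(mldsaSK) || mldsaSK || tradSK
# Assumptions (not stated in the thread): the 2-byte length is big-endian,
# and in the "both" form the 32-byte seed precedes the expanded key.
import struct
from typing import Optional

SEED_LEN = 32
# Expanded-key sizes taken from the table in the thread.
EXPANDED_LEN = {"ML-DSA-44": 2560, "ML-DSA-65": 4032, "ML-DSA-87": 4896}


def allowed_forms(alg: str) -> dict:
    """Map each admissible length tag for `alg` to the form it denotes.
    Only these three values are accepted, so the tag cannot be used to
    push arbitrary-length ML-DSA material through the parser."""
    exp = EXPANDED_LEN[alg]
    return {SEED_LEN: "seed", exp: "expandedKey", SEED_LEN + exp: "both"}


def encode_composite_sk(alg: str, mldsa_sk: bytes, trad_sk: bytes) -> bytes:
    """Serialise per the PR layout; refuses ML-DSA material of any other size."""
    if len(mldsa_sk) not in allowed_forms(alg):
        raise ValueError(f"mldsaSK length {len(mldsa_sk)} not valid for {alg}")
    if not trad_sk:
        raise ValueError("tradSK must be non-empty")
    return struct.pack(">H", len(mldsa_sk)) + mldsa_sk + trad_sk


def decode_composite_sk(alg: str, blob: bytes, trad_sk_len: Optional[int] = None):
    """Parse `blob` for `alg` and return (form, seed, expanded_key, trad_sk),
    with seed / expanded_key set to None when that component is absent.
    `trad_sk_len`, if given, is the exact size the traditional component must
    have (in practice fixed by the composite algorithm identifier)."""
    if len(blob) < 2:
        raise ValueError("missing length tag")
    (n,) = struct.unpack(">H", blob[:2])
    forms = allowed_forms(alg)
    if n not in forms:
        raise ValueError(f"length tag {n} is not seed/expandedKey/both for {alg}")
    form = forms[n]
    mldsa = blob[2:2 + n]
    if len(mldsa) != n:
        raise ValueError("truncated mldsaSK")
    trad = blob[2 + n:]
    if not trad:
        raise ValueError("missing tradSK")
    if trad_sk_len is not None and len(trad) != trad_sk_len:
        raise ValueError(f"tradSK length {len(trad)} != expected {trad_sk_len}")
    if form == "seed":
        return form, mldsa, None, trad
    if form == "expandedKey":
        return form, None, mldsa, trad
    # "both": a real implementation must additionally check that expanding the
    # seed reproduces the expanded key, otherwise the two halves can disagree.
    return form, mldsa[:SEED_LEN], mldsa[SEED_LEN:], trad
```

Note that a tag of 2592 is valid for ML-DSA-44 but rejected for ML-DSA-65, so the algorithm identifier must be known before the length is interpreted.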