[lamps] Re: Mike Bishop's No Objection on draft-ietf-lamps-pq-composite-sigs-15: (with COMMENT)
Mike Ounsworth <ounsworth+ietf@gmail.com> Thu, 09 April 2026 21:22 UTC
Return-Path: <ounsworth@gmail.com>
X-Original-To: spasm@mail2.ietf.org
Delivered-To: spasm@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id B2E66D90C8CF for <spasm@mail2.ietf.org>; Thu, 9 Apr 2026 14:22:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1775769774; bh=S+TVoQ6TCtqrGRn+lrxk9TzyXjycmH7eRKEJyPmvifc=; h=References:In-Reply-To:From:Date:Subject:To:Cc; b=MARLAUwBbbPvqzx4suTgaakGMkuglFxb/ji0anTINwqIH/+xs6GeQgKbfbUz6Ripn TyUqRGxk5NUcs6YMfjpmF2ZrW0i/nyBU94pA4diIBkIP6Zq+rJ+xZktTZLqFUMH5m5 g6ImKOxLhP3HUlLCja2HcXW2RW/Twt9DGI835hiw=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7I__6mj1IvIr for <spasm@mail2.ietf.org>; Thu, 9 Apr 2026 14:22:53 -0700 (PDT)
Received: from mail-oo1-xc32.google.com (mail-oo1-xc32.google.com [IPv6:2607:f8b0:4864:20::c32]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id D44FDD90C8C1 for <spasm@ietf.org>; Thu, 9 Apr 2026 14:22:53 -0700 (PDT)
Received: by mail-oo1-xc32.google.com with SMTP id 006d021491bc7-688a8e5fe5eso778244eaf.1 for <spasm@ietf.org>; Thu, 09 Apr 2026 14:22:53 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1775769767; cv=none; d=google.com; s=arc-20240605; b=kA5PecbOgm04Dn11LLiIz2zHo1dvSyCdrjnyl5RGSRF5DSlKbV+D/giOUxTo0WLt8Q ypWl0ym22TDF5o/QhC+nC4D6t1bG07DI+HBTccWhQJqCHLlQjRb06EBkh3s7llL5P9kA 2Ub+exT1Nz+JYDFnZf6wkj3G7Kgiti1vIKc1CX+d0dzwy6JP2VCFen47lwmslqu+kHdT J4U81mjG3CJrYjPEaRWLDiTR+zRFAhe7isa2RwSuamPlaMJCy3oef13pU/1sUe+g2BLq Q4grrXu8lVKySR9E8od/vc7s10s1zreiWOIIFT8kYGdlcNXv71xQ4r8Uwvf4sx/R67Ds tLFw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=bp+qIa4/liPH/J+6xfWtdE9bFPkqRudOUJMFR252AW8=; fh=waWS6KUVUwe0t76KbSF4kyjDGJa1SIJKcbQj5qV+ONQ=; b=IFAomgBOaN0jV8Jq2QjwyoU4NdDqshY6DFiqc3q799V9fLjbChHiiEU/ObV577KG/i mF0NXdmF4WnoREWBoHyjjBRIw+z+kW2ybU//N8rAb4wSv6LF3Z98zK7Dee2yxD7wxmN8 NOntd6EWcZBwcuV4kKAOBMMWOzPTSiuiw9XtmolheCqNMGb3Z/6/ZCmSWtz1mxc+xvyu tx/vERwZmfGeH60yFAwvIwKzAm/VYC/ZPa+fNmHqJc4HYaC15h2KEn30RO7aDxRpPmIP aC3qod04Rcll0dH/UKFEsvlUlc+1URSLs4rAPqHYgiPlAPS44c31hog5tl2voxqNuBDO 7mfw==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1775769767; x=1776374567; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=bp+qIa4/liPH/J+6xfWtdE9bFPkqRudOUJMFR252AW8=; b=SEBS5XkLvMENpi7rdE+m9svSz+lrf1Bj80rgnCd14mBaNpZIdsQymRjKw83Cvkosu7 nOm7rY3o2l17aWN1jTuhEDKNt1mPlcm6h4a2kiBTY9THjwVyvODxeHXjl4zN7fZbwmJB crVCbJM2tmt5oIq+0uNNsQiSrPcQIi0WfD7XzKFYo0YMxp8Avg3uvCv3D0MqAHnGI+Ja vJDkgHMpjLy7FwCOyjxewZCsNImpJMLUZSuLj1zUZRFAxSjhY/MTkp5cmm554xVZne1v aO9fhVkDVpRglTyD51hrGvd9EpFdb1SZB+PxPWqHz7w7avLl5hhoXCO0dy3+nJxxy34b vb8g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1775769767; x=1776374567; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=bp+qIa4/liPH/J+6xfWtdE9bFPkqRudOUJMFR252AW8=; b=Mkt/1ModfAPSHy35Eq6h3XirZWothLbU68NCJfgq1lPVVkFqx+bMzK7uKnLzP7uVRh 8qlLM3XLXFO7niIRFH/NHXjgLBX3hStZaQj4OsupfYS7VbEHBiqToSykZ6B4uLE4+Ivm dLRg8CKqCA9mjGEtArFW5UBTH6IGg8eMsoHwWX9XwE7DEVKemu8Hj4D6X6uDvvI0FdBy +ncarkQugd9i8DM8TMqtPFuRUJ9vjT7CsOheiY2I2ej6C0LvMpt+gDVSjoKhvvXqvyR0 LBQ2t6DvkFnhvdzxyQnzoCzCwFrra7A/yCQt56ZCZIrScg+cBRpgWhLgKO+p2DEyhYBt GOZQ==
X-Forwarded-Encrypted: i=1; AJvYcCXfjBOLtM/DWueZpffXh5bDKmB4RSp67oGUoXhVo4w48U1LjLh85/IZYLUdHSctFY6LVlOyTA==@ietf.org
X-Gm-Message-State: AOJu0YyPZLYlcYxXtypiCmzlab76sumjHa0HRyNW17F3mujBvrY09J4/ dC9iMcw5VGCfyDy7DiAJh7PN55apUcucU6rtRwuYt0PzAukikIuUfz5iaSonAd2lwtJsNkH35N9 c2Z51Rm7hdbwl46Z9yNZ6JE2aOgstU58=
X-Gm-Gg: AeBDietOF0QiqB2trQyrtgnNSAnvbwqpRnlXajj9Hm9bqLOvn7M+IfRQ0Vqn+Z2NFlO 8R9GJneVbXrSXyHJXhy4R0BqZjy9nBA9n3y1AWaFO3pUt0/lbRX8WuYMkv0VjEY2cSyEmsRtr9s +icYdWPRhMlt2P6LMNb1cOzpspEdGvM+cSBz2BdsG/JjY2BEepKnDjILk/qqcNJb/z8y57FeUyL BHqgCgRtXzFeFvgaHJMTzSfjvOdluv3qPvU8Zr7UHFRCAj/vDPXj6aIUNDLW8eobgE6ZaMF6G7+ 6+7l0ct2J2+mMMT7Frwj
X-Received: by 2002:a05:6820:1f10:b0:680:188e:47fb with SMTP id 006d021491bc7-68be671aee3mr412083eaf.28.1775769766851; Thu, 09 Apr 2026 14:22:46 -0700 (PDT)
MIME-Version: 1.0
References: <177505503029.1878830.18439971232258801938@dt-datatracker-5775bcb475-pnkww> <CAKZgXHpMPz1vTfnhSzW9YVmyD3dABCw6S_mp3DQcV0+p-2=m2w@mail.gmail.com> <IA0PPF726CD7A1F6F069AB802925BBA6242DA582@IA0PPF726CD7A1F.namprd22.prod.outlook.com> <CAKZgXHrnYNftEL_8=rjtWWejW83nUAMgAxyT3ezM9_N_bTn6WQ@mail.gmail.com> <IA0PPF726CD7A1F378CB56696F62B8C8003DA582@IA0PPF726CD7A1F.namprd22.prod.outlook.com>
In-Reply-To: <IA0PPF726CD7A1F378CB56696F62B8C8003DA582@IA0PPF726CD7A1F.namprd22.prod.outlook.com>
From: Mike Ounsworth <ounsworth+ietf@gmail.com>
Date: Thu, 09 Apr 2026 16:22:34 -0500
X-Gm-Features: AQROBzAz1jFxDSZT_VC-I_WtbxGNbi6ogE28XIZGv_kwqZPCT8myqpAaoPAq8Nc
Message-ID: <CAKZgXHoNKwObHOy21nPrkKLGawzr_p+9rws+boxuZzC_8tkC3A@mail.gmail.com>
To: Mike Bishop <mbishop@evequefou.be>
Content-Type: multipart/alternative; boundary="00000000000027f913064f0d9e43"
Message-ID-Hash: YW66ZQCZQ3OETYHHYLV46LCSARKAVCTF
X-Message-ID-Hash: YW66ZQCZQ3OETYHHYLV46LCSARKAVCTF
X-MailFrom: ounsworth@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-spasm.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: The IESG <iesg@ietf.org>, "draft-ietf-lamps-pq-composite-sigs@ietf.org" <draft-ietf-lamps-pq-composite-sigs@ietf.org>, "housley@vigilsec.com" <housley@vigilsec.com>, "lamps-chairs@ietf.org" <lamps-chairs@ietf.org>, "spasm@ietf.org" <spasm@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [lamps] Re: Mike Bishop's No Objection on draft-ietf-lamps-pq-composite-sigs-15: (with COMMENT)
List-Id: This is the mail list for the LAMPS Working Group <spasm.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/bSMpOhGy8EGDumctJSlcJmVyrkI>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Owner: <mailto:spasm-owner@ietf.org>
List-Post: <mailto:spasm@ietf.org>
List-Subscribe: <mailto:spasm-join@ietf.org>
List-Unsubscribe: <mailto:spasm-leave@ietf.org>
Mike, Do I get the honour of being your first author who decided to treat a COMMENT as a DISCUSS? -18 hopefully does what you want. (there's also a diff in there related to a discussion with Samuel Lee) https://author-tools.ietf.org/iddiff?url1=draft-ietf-lamps-pq-composite-sigs-17&url2=draft-ietf-lamps-pq-composite-sigs-18&difftype=--html I just noticed a typo in the new text "by by using". I'll fix that on github, but not worth a -19. On Thu, 9 Apr 2026 at 15:09, Mike Bishop <mbishop@evequefou.be> wrote: > The sources of randomness which meet their operational goals sound > severely limited, then. 🙂 The fallback I reference is the "If you really > have to reuse keys, at least do this other thing, we beg you" (using an > appropriate ctx value). > > I agree that the text is largely there; I'm mainly looking to reduce the > tacit permission to do stupid stuff. My proposed change would be: > > - Delete the first paragraph; lead with the justification rather than > the RFC6919 keyword > - Replace the last paragraph with something like "Using an > appropriate... composite signature somewhat mitigates, but does not > eliminate, the risks inherent in key reuse." > > > ------------------------------ > *From:* Mike Ounsworth <ounsworth+ietf@gmail.com> > *Sent:* Thursday, April 9, 2026 12:30 PM > *To:* Mike Bishop <mbishop@evequefou.be> > *Cc:* The IESG <iesg@ietf.org>; > draft-ietf-lamps-pq-composite-sigs@ietf.org < > draft-ietf-lamps-pq-composite-sigs@ietf.org>; housley@vigilsec.com < > housley@vigilsec.com>; lamps-chairs@ietf.org <lamps-chairs@ietf.org>; > spasm@ietf.org <spasm@ietf.org> > *Subject:* Re: [lamps] Mike Bishop's No Objection on > draft-ietf-lamps-pq-composite-sigs-15: (with COMMENT) > > Thanks Mike! > > > It MUST be freshly generated, but if there's concern about potential > collisions due to limited sources of randomness > > Yeah, so the reason behind wanting to bolt an ML-DSA key to an existing > RSA key is not to do with limited randomness, but rather to do with process > and audits, like, I've heard stories like "We've had this RSA key in > production for 85 years, and 35 government officials watched it be > generated, and we've syncronized it between datacentres by military > briefcase. So bolding an ML-DSA key to it is basically free (ie the audit > requirements don't prohibit that), but generating a fresh RSA key requires > us to re-do all that expensive and time-consuming ceremony". I'm > exaggerating of course, but sadly not by much. > > So I'm not sure what you mean by "fallback". We have people who we know > are going to do exactly the bad thing and lose basically all of the > security properties of this document. I'm not sure what "fallback" means in > that context? Does it mean "fall through the floor to your death"? > > > > If someone's operational constraints dictate disabling core security > features of the protocol, you've explained why that's a bad idea and also > discussed how to mitigate the fallout. > > Have we not done that already in 9.3? > > "key reuse MUST be avoided to prevent the introduction of EUF-CMA > vulnerabilities." > "In addition, there is a further implication to key reuse regarding > certificate revocation. ... Therefore, ..., CAs performing revocation > checks on a composite key SHOULD also check..." > "the weakening of security from doing so can be mitigated by using an > appropriate ctx value, such as ctx=Foobar-dual-cert-sig to indicate..." > > > PS -- I am treating this as a DISCUSS because I think it needs to be > discussed because Section 9.3 is in fact deeply uncomfortable for exactly > the reasons you're raising. And thank you for raising them. If we can > improve this text, I'd like to do that. > > On Thu, 9 Apr 2026 at 11:08, Mike Bishop <mbishop@evequefou.be> wrote: > > I'm thinking of something like > https://www.ietf.org/archive/id/draft-ietf-core-oscore-groupcomm-28.html#section-14.8, > which says "We take this security precaution, because if we didn't, the > following attack would work: ... The attack above is prevented because > (thing) leads to detection of the attack." You're wanting to hint at a > fallback position, so maybe also "Doing (alternative) would reduce the odds > of the attack succeeding, but not eliminate it." > > That is, document the reason the requirement is there, discuss the > fallback, and why it's helpful but not sufficient. If someone's operational > constraints dictate disabling core security features of the protocol, > you've explained why that's a bad idea and also discussed how to mitigate > the fallout. > > Another approach might be to phrase it as uncertainty. It MUST be freshly > generated, but if there's concern about potential collisions due to limited > sources of randomness, this additional step can mitigate the fallout of a > collision; if a "collision" is made more likely by someone's operational > setup, you've at least helped. > > ------------------------------ > *From:* Mike Ounsworth <ounsworth+ietf@gmail.com> > *Sent:* Wednesday, April 8, 2026 8:41 PM > *To:* Mike Bishop <mbishop@evequefou.be> > *Cc:* The IESG <iesg@ietf.org>; > draft-ietf-lamps-pq-composite-sigs@ietf.org < > draft-ietf-lamps-pq-composite-sigs@ietf.org>; housley@vigilsec.com < > housley@vigilsec.com>; lamps-chairs@ietf.org <lamps-chairs@ietf.org>; > spasm@ietf.org <spasm@ietf.org> > *Subject:* Re: [lamps] Mike Bishop's No Objection on > draft-ietf-lamps-pq-composite-sigs-15: (with COMMENT) > > Hi @Mike Bishop > > Thanks for the careful review. > > I have made these changes here: > > https://github.com/lamps-wg/draft-composite-sigs/commit/c2d3ca12014874ab5adbc3a4750ed59e36c54011 > > > I think this COMMENT of yours is really astute and probably actually > should be a DISCUSS. So let's discuss ;) > > In Section 9.3: > > > designers are aware that some implementers may be forced to break > > this rule due to operational constraints. This section documents the > > implications of doing so. > > This statement makes me nervous. Maybe this section should explain why the MUST > exists, and not touch any implied "permission" to violate it? > > > That section basically says "We are aware that people are going to have to > violate the core security requirement of the draft, so let's analyse > exactly what happens when you do". > Trust me, it also makes me nervous. Very nervous. > I have a customer in this situation, and trust me, I have tried my hardest > to talk them out of it. > The thinking here is that if we can't stop it, then at least we can > document what sharp pointy edges you need to watch out for. > Thoughts? > > On Wed, 1 Apr 2026 at 09:50, Mike Bishop via Datatracker <noreply@ietf.org> > wrote: > > Mike Bishop has entered the following ballot position for > draft-ietf-lamps-pq-composite-sigs-15: No Objection > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to > https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ > for more information about how to handle DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-lamps-pq-composite-sigs/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Thank you for this work. This is an important step forward in our handling > of > PQ crypto. > > Section 3.1.1: There are a lot of MAY-examples in this section, when the > whole > thing is an overarching "MAY do whatever internally so long as the > external is > consistent." Consider not using MAY for every single example. > > ---- > > Section 4 has: > > > example, a stand-alone RSA private key can be encoded in Chinese > > Remainder Theorem form. In order to obtain interoperability, > > Consider an informative reference? > > ---- > > Section 6 has: > > > Labels are represented here as ASCII strings, but implementers MUST > > convert them to byte strings using the obvious ASCII conversions > > While they may be obvious, calling them so comes across a bit oddly. Maybe > just > say something like "Labels are represented here as ASCII strips, but are > octet > sequences when used in..." > > ---- > > Consider moving Section 6.2 to an appendix; it's not part of the core > protocol, > just design background. > > ---- > > In Section 9.1: > > > algorithm security or to provide migration flexibility. Let's > > quickly explore both. > > It's typically advised to avoid first- or second-person language in > specifications. I'd just drop this final sentence, personally. > > ---- > > In Section 9.3: > > > designers are aware that some implementers may be forced to break > > this rule due to operational constraints. This section documents the > > implications of doing so. > > This statement makes me nervous. Maybe this section should explain why the > MUST > exists, and not touch any implied "permission" to violate it? > > ---- > > In Section 9.4: > > > message which happens to start with this string. The designers > > accepted this trade-off. > > I would remove this last sentence. You've explained the trade-off; it's up > to > the implementers to decide whether it's worth making, no? > > ---- > > Consider moving Section 10 to an appendix. > > > > _______________________________________________ > Spasm mailing list -- spasm@ietf.org > To unsubscribe send an email to spasm-leave@ietf.org > >
- [lamps] Mike Bishop's No Objection on draft-ietf-… Mike Bishop via Datatracker
- [lamps] Re: Mike Bishop's No Objection on draft-i… Mike Ounsworth
- [lamps] Re: Mike Bishop's No Objection on draft-i… Mike Bishop
- [lamps] Re: Mike Bishop's No Objection on draft-i… Mike Ounsworth
- [lamps] Re: Mike Bishop's No Objection on draft-i… Mike Bishop
- [lamps] Re: Mike Bishop's No Objection on draft-i… Mike Ounsworth