From: John Mattsson <john.mattsson@ericsson.com>
To: TLS List <tls@ietf.org>
Date: Thu, 16 Apr 2026 17:31:44 +0000
Message-ID: 
 <AS4PR07MB88250EF7936CDB2163D88C3089232@AS4PR07MB8825.eurprd07.prod.outlook.com>
Subject: [TLS] Re: Composite ML-DSA
List-Id: "This is the mailing list for the Transport Layer Security working
 group of the IETF." <tls.ietf.org>
Archived-At: 
 <https://mailarchive.ietf.org/arch/msg/tls/Wo9h9hhKZyqxkjYLDhjFpqvBaoU>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>

Hi,

While I recommend everybody to use X25519MLKEM768, I do not think TLS should work on hybrid authentication. If hybrid authentication is nevertheless worked on, the composite signatures in draft-reddy-tls-composite-mldsa seem like the least suitable approach.

Work on hybrid signatures in 2026 is a distraction delaying the urgent migration to PQC signatures, particularly for PKI and long-lived devices. I see little justification for placing less trust in ML-DSA than in RSA or ECDSA (EdDSA is a good algorithm but is not widely used in TLS). In fact, the sooner RSA and ECDSA can be replaced by ML-DSA or SLH-DSA, the better. For those not yet ready to adopt ML-DSA, standalone SLH-DSA is the way to go.

All modern signature schemes (RSA-PSS, EdDSA, LMS, XMSS, ML-DSA, SLH-DSA, FN-DSA) avoid trivial attacks on strong unforgeability and provide a high level of SUF-CMA security. I do not think TLS should introduce any new weak signature algorithms such as draft-reddy-tls-composite-mldsa. draft-reddy-tls-composite-mldsa goes against the principle in both US SP 800-227 and EU Roadmap for transition to PQC which states that hybrids should preserve the security properties of their components. The new cryptographic algorithms in draft-reddy-tls-composite-mldsa (which has not been vetted by CFRG) significantly weaken the security properties of ML-DSA as they introduce trivial attacks on strong unforgeability.

With the algorithms in draft-reddy-tls-composite-mldsa, a CA does not issue a single certificate; instead, it issues a set of valid certificates, each with its own fingerprint. This has practical consequences for TLS. Logging, SIEM, and threat intelligence systems often record events such as “Observed certificate fingerprint X connecting to service Y,” implicitly treating the fingerprint as a stable identifier. Similarly, blocklists often operate on fingerprints (e.g., “Block fingerprint X”), and incident response workflows often rely on fingerprints as unique identifiers when searching for the attacker across datasets. In the presence of trivial attacks on strong unforgeability, these assumptions break down, as the same underlying certificate can appear under many fingerprints. I think standardizing ECDSA with trivial attacks on strong unforgeability was a big mistake that should not be repeated.

Cheers,
John Preuß Mattsson
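
An added example, not part of the original message: the fingerprint concern above, seen from the logging and blocklist side. It compares the usual whole-certificate SHA-256 fingerprint with a hash over the TBSCertificate only; the two toy certificates, their placeholder OID and their signature bytes are constructed sample data (not valid signatures), and all function names are assumptions.

```python
import hashlib

def read_tlv(buf, pos):
    """Return (tag, value_start, end) for the DER TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                      # short-form length
        length, start = first, pos + 2
    else:                                 # long form: low 7 bits = number of length octets
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        start = pos + 2 + n
    end = start + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, start, end

def cert_fingerprint(cert):
    """Conventional fingerprint: SHA-256 over the whole certificate, signature included."""
    return hashlib.sha256(cert).hexdigest()

def tbs_fingerprint(cert):
    """SHA-256 over the TBSCertificate only (first element of the outer SEQUENCE)."""
    tag, start, end = read_tlv(cert, 0)
    if tag != 0x30 or end != len(cert):
        raise ValueError("not a single DER SEQUENCE")
    tbs_tag, _, tbs_end = read_tlv(cert, start)
    if tbs_tag != 0x30:
        raise ValueError("TBSCertificate is not a SEQUENCE")
    return hashlib.sha256(cert[start:tbs_end]).hexdigest()

def der(tag, body):
    """Encode one TLV; used only to build the constructed samples below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(octets)]) + octets + body

# Constructed toy certificates: identical TBS and algorithm, different signature bytes.
TBS = der(0x30, b"constructed-tbs-certificate-contents" * 5)
ALG = der(0x30, der(0x06, b"\x2a\x03\x04"))          # placeholder OID 1.2.3.4
CERT_A = der(0x30, TBS + ALG + der(0x03, b"\x00" + b"\x11" * 64))
CERT_B = der(0x30, TBS + ALG + der(0x03, b"\x00" + b"\x22" * 64))

def blocked(cert, blocklist, key=cert_fingerprint):
    """True if the certificate's identifier under `key` is on the blocklist."""
    return key(cert) in blocklist
```

A blocklist entry made from `cert_fingerprint(CERT_A)` does not match `CERT_B`, while one keyed on `tbs_fingerprint` matches both, since only the signature field differs.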


