[lamps] Re: WG Last Call: draft-ietf-lamps-pq-composite-sigs-08 (Ends 2025-10-06)

Michael Richardson <mcr+ietf@sandelman.ca> Mon, 06 October 2025 21:58 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Mike Ounsworth <ounsworth+ietf@gmail.com>, Dennis Jackson <ietf=40dennis-jackson.uk@dmarc.ietf.org>, spasm@ietf.org
In-Reply-To: <CAKZgXHrn45OK-X=JxWY0E9m=s7+pCBqFQk3bKTJ7fOQ=A2LeLg@mail.gmail.com>
References: <175855620751.648048.16646357165291761730@dt-datatracker-6c6cdf7f94-h6rnn> <CANKrMkhQEz=jtgS_Atch6EPcj7bSDySyhESRvUdVqFnWHD2o9g@mail.gmail.com> <b5883421-0e28-445c-91bb-b2cae0016077@bouncycastle.org> <CAKZgXHodTJCBHBGJhGGkmVtWeXncgmG+-bozrJOKm7DPiwh28g@mail.gmail.com> <9773258e-3122-49d8-a40f-f9e5e8e68002@dennis-jackson.uk> <CAEEbLAbQAs1-yzOHgoAtsMxOYCtVkcRcbuhyoDCoQQJ-FO_G0A@mail.gmail.com> <4910a47c-199d-4c00-86ef-73df3c60b689@crypto4a.com> <CAKZgXHo=xJTvvLKvw=E6qh7jLbgP5b5b_cpoOcneHGHqzqJxaQ@mail.gmail.com> <a8fa1db6-bde4-4775-9ebc-e47ea963f367@dennis-jackson.uk> <CAKZgXHrn45OK-X=JxWY0E9m=s7+pCBqFQk3bKTJ7fOQ=A2LeLg@mail.gmail.com>
Date: Mon, 06 Oct 2025 17:57:59 -0400
Message-ID: <18665.1759787879@obiwan.sandelman.ca>
Subject: [lamps] Re: WG Last Call: draft-ietf-lamps-pq-composite-sigs-08 (Ends 2025-10-06)
List-Id: This is the mail list for the LAMPS Working Group <spasm.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/1N6GHSIHWPV0Puku1D5lODJphIs>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Owner: <mailto:spasm-owner@ietf.org>
List-Post: <mailto:spasm@ietf.org>
List-Subscribe: <mailto:spasm-join@ietf.org>
List-Unsubscribe: <mailto:spasm-leave@ietf.org>

Mike Ounsworth <ounsworth+ietf@gmail.com> wrote:
    > argument that we know that the first gen of PQC HSMs going through FIPS
    > certification now submitted their modules for certification a year ago
    > before NIST said that seeds were allowed. Once those get certified, there
    > will likely be a rush to put that first gen of PQC HSM into production,
    > where they will probably sit for 5 - 10 years. Sure, subsequent generations
    > will support seeds, but we need composites as an immediate transition
    > mechanism, and if we KNOW that the first gen of hardware won't be able to
    > do it (to be precise: "it" means able to export an ML-DSA key as seed),

As we discussed at length, this only matters to people who want to transfer
their private key to another HSM, likely of a different manufacturer.
I assume that sensible manufacturers of HSMs plan for the blue smoke to escape
from the HSM devices, and that people need backups... and that doing so within the
same line is already supported via WHATEVER, which does not need to be standardized.

(Only thing I'll say on this)

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide