Dear Tiru, Scott and all,

I read through draft-reddy-ipsecme-pqt-hybrid-auth-00. I think overall this draft is about using the composite certificate specified in LAMPS in IKE_AUTH for the migration of IKEv2. As I am catching up on this work, I have a few comments and questions for your consideration of the draft:
1. In the title: some new readers might be confused by the use of the term "hybrid" in the title and "composite" in the text. Or do we have other considerations for retaining both terms?

2. In section 3: this section currently contains only a single short paragraph explaining the relationship between key exchange and authentication. I wonder whether merging it into another section would improve the document's flow.

3. In section 7, regarding the text: "we will need for an IKE device to be able to support negotiating with devices with only conventional (e.g. RSA) certificates..."
   > If a legacy device only understands traditional IKE_AUTH and cannot identify a composite certificate, will it simply fail to parse it?
   It might be worth clarifying further whether a successful IKE_AUTH procedure can actually be completed if one peer only supports traditional certificates while the other strictly uses a composite certificate.

4. For section 8.1: a question came to my mind regarding downgrade threats. If the SK used to encrypt and protect the IKE_AUTH message is derived from a non-quantum-secure SKEYSEED (e.g., traditional DH only), does this pose a threat to the authentication process? In other words, should we explicitly require that a hybrid key exchange in IKE_SA_INIT is a strict prerequisite for this composite IKE_AUTH to be meaningful?

5. For the reference: draft-ietf-lamps-pq-composite-sigs seems to have recently been updated to version -19.

I hope this feedback is helpful for the future version. I look forward to hearing your thoughts.
Regards,
Lun Li

From: tirumal reddy <[email protected]>
Sent: April 14, 2026 13:26
To: ipsec <[email protected]>
Subject: [IPsec] Fwd: FW: New Version Notification for draft-reddy-ipsecme-pqt-hybrid-auth-00.txt

Hi all,

We have submitted a new individual draft for WG consideration:

Title: Hybrid Post-Quantum and Traditional Authentication for IKEv2
Draft: draft-reddy-ipsecme-pqt-hybrid-auth-00
URL: https://datatracker.ietf.org/doc/draft-reddy-ipsecme-pqt-hybrid-auth/

This document defines a hybrid PKI authentication mechanism for IKEv2 using composite certificates, combining ML-DSA (post-quantum) with traditional signature algorithms such as ECDSA. The goal is to ensure authentication remains secure as long as at least one component algorithm is unbroken, providing a robust migration path during the transition to post-quantum cryptography.

The draft complements draft-ietf-ipsecme-ikev2-pqc-auth, which covers PQC-only authentication. This document extends that work to support hybrid assurance using composite certificates as defined in draft-ietf-lamps-pq-composite-sigs.

Notably, this mechanism does not require any changes to the IKEv2 base protocol; it reuses the existing AUTH payload format defined in RFC 7427 and the SUPPORTED_AUTH_METHODS notification from RFC 9593.

Comments and suggestions are welcome.

Best regards,
-Tiru & Scott

-----Original Message-----
From: [email protected] <[email protected]>
Sent: Tuesday, April 14, 2026 10:50 AM
To: K Tirumaleswar Reddy (Nokia) <[email protected]>; Scott Fluhrer <[email protected]>; K Tirumaleswar Reddy (Nokia) <[email protected]>
Subject: New Version Notification for draft-reddy-ipsecme-pqt-hybrid-auth-00.txt
A new version of Internet-Draft draft-reddy-ipsecme-pqt-hybrid-auth-00.txt has been successfully submitted by Tirumaleswar Reddy and posted to the IETF repository.

Name: draft-reddy-ipsecme-pqt-hybrid-auth
Revision: 00
Title: Hybrid Post-Quantum and Traditional Authentication for IKEv2
Date: 2026-04-14
Group: Individual Submission
Pages: 10
URL: https://www.ietf.org/archive/id/draft-reddy-ipsecme-pqt-hybrid-auth-00.txt
Status: https://datatracker.ietf.org/doc/draft-reddy-ipsecme-pqt-hybrid-auth/
HTML: https://www.ietf.org/archive/id/draft-reddy-ipsecme-pqt-hybrid-auth-00.html
HTMLized: https://datatracker.ietf.org/doc/html/draft-reddy-ipsecme-pqt-hybrid-auth

Abstract:

A Cryptographically Relevant Quantum Computer (CRQC) can break traditional public-key algorithms (e.g., RSA, ECDSA), which are typically used for authentication in IKEv2. Combining the post-quantum ML-DSA signature algorithm with a traditional signature algorithm provides protection against potential weaknesses or implementation flaws in ML-DSA. This draft defines a hybrid PKI authentication method for IKEv2 using composite certificates that ensures authentication remains secure as long as at least one of the component signature algorithms remains unbroken.

The IETF Secretariat
_______________________________________________ IPsec mailing list -- [email protected] To unsubscribe send an email to [email protected]
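The following Go program is an added illustration written for this archive page; it is not code from the draft, from its authors, or from any IKEv2 implementation. It models the two properties the thread turns on: a composite signature that verifies only if every component verifies (so impersonation requires breaking both algorithms, as the draft's abstract claims), and an IKE_AUTH method selection that takes the peer's announced methods plus two local policy knobs corresponding to Lun Li's questions 3 and 4 (fallback to a traditional-only method for legacy peers, and treating a hybrid IKE_SA_INIT key exchange as a prerequisite for composite authentication). Everything here is an assumption of the example rather than the draft's specification: the method labels are placeholders for the AlgorithmIdentifier values IKEv2 actually carries, Ed25519 stands in for ML-DSA because Go's standard library has no ML-DSA, and the domain-separated message encoding of draft-ietf-lamps-pq-composite-sigs is not reproduced.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed method labels. Real IKEv2 carries an AlgorithmIdentifier in the
// RFC 7427 Digital Signature AUTH payload and announces supported ones through
// the RFC 9593 SUPPORTED_AUTH_METHODS notification; these strings are placeholders.
const (
	AuthComposite = "composite-mldsa-ecdsa" // hypothetical label for a composite algorithm
	AuthECDSA     = "ecdsa-sha256"
	AuthRSA       = "rsa-pss-sha256"
)

// CompositeKey models the key pair behind a composite certificate: a traditional
// component (ECDSA P-256) and a post-quantum component. Ed25519 stands in for
// ML-DSA here (assumption of this example); only the AND structure matters.
type CompositeKey struct {
	trad *ecdsa.PrivateKey
	pq   ed25519.PrivateKey
}

// CompositeSig carries both component signatures; neither is accepted alone.
type CompositeSig struct {
	Trad []byte
	PQ   []byte
}

func GenerateComposite() (*CompositeKey, error) {
	trad, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	_, pq, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &CompositeKey{trad: trad, pq: pq}, nil
}

// Sign produces both component signatures over the same message.
func (k *CompositeKey) Sign(msg []byte) (CompositeSig, error) {
	digest := sha256.Sum256(msg)
	tradSig, err := ecdsa.SignASN1(rand.Reader, k.trad, digest[:])
	if err != nil {
		return CompositeSig{}, err
	}
	return CompositeSig{Trad: tradSig, PQ: ed25519.Sign(k.pq, msg)}, nil
}

// Verify is an AND over the components: a forged composite needs forgeries of
// both, so breaking one algorithm alone does not let a peer be impersonated.
func (k *CompositeKey) Verify(msg []byte, sig CompositeSig) bool {
	digest := sha256.Sum256(msg)
	tradOK := ecdsa.VerifyASN1(&k.trad.PublicKey, digest[:], sig.Trad)
	pqOK := ed25519.Verify(k.pq.Public().(ed25519.PublicKey), msg, sig.PQ)
	return tradOK && pqOK
}

// Policy holds the two knobs raised in the thread (hypothetical configuration).
type Policy struct {
	AllowTraditionalFallback bool // accept ECDSA/RSA-only peers (section 7 question)
	RequireHybridKE          bool // composite auth only over hybrid IKE_SA_INIT (section 8.1 question)
}

// SelectAuthMethod picks the IKE_AUTH method from the peer's announced methods.
// keHybrid reports whether the completed IKE_SA_INIT used a traditional + PQ exchange.
func SelectAuthMethod(peerSupports []string, keHybrid bool, p Policy) (string, error) {
	announced := make(map[string]bool, len(peerSupports))
	for _, m := range peerSupports {
		announced[m] = true
	}
	if announced[AuthComposite] {
		if p.RequireHybridKE && !keHybrid {
			return "", errors.New("composite authentication over a non-hybrid key exchange is refused by policy")
		}
		return AuthComposite, nil
	}
	if !p.AllowTraditionalFallback {
		return "", errors.New("peer announces no composite method and traditional fallback is disabled")
	}
	for _, m := range []string{AuthECDSA, AuthRSA} {
		if announced[m] {
			return m, nil
		}
	}
	return "", errors.New("no common authentication method")
}

func main() {
	key, _ := GenerateComposite()
	msg := []byte("constructed IKE_AUTH signed octets")
	sig, _ := key.Sign(msg)
	bad := CompositeSig{Trad: sig.Trad, PQ: append([]byte{}, sig.PQ...)}
	bad.PQ[0] ^= 0x01 // corrupt only the PQ component
	fmt.Println("intact:", key.Verify(msg, sig), "corrupted PQ:", key.Verify(msg, bad))
	m, err := SelectAuthMethod([]string{AuthRSA}, false, Policy{AllowTraditionalFallback: true})
	fmt.Println("legacy peer:", m, err)
}
```

The selection function deliberately reports a distinct error for each refusal so that an operator can tell a legacy peer (no composite announced) apart from a policy refusal (composite offered, but the key exchange was not hybrid); which of these the draft should mandate is exactly what the thread leaves open.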
