Lucas, while LAMPS may have different needs, I do not understand what composites bring to JOSE or COSE. The JWT and JWS tokens are generally short-lived entities, therefore there is no need for long-term protection against a CRQC.

And for short-term protection there is no point in dual signatures: if a CRQC is available the classic part is irrelevant, and until a CRQC is available the QR part is redundant. I think this will just add complexity with no value; complexity means more bugs and more ways to screw up, and must always be justified.

Additionally, in terms of timing:

- If a CRQC is expected soon, all this work is net overhead for basically no gain, as classic signatures will be obsolete quickly, and going through composite signatures will cause dual migrations classic -> composite -> pureQR, which is operationally expensive and doubles the pain.
- If a CRQC is not expected soon, then rushing into composites is also not useful; it is better to stay on a classic signature until the time pureQR are trustworthy enough to do the migration once.

Note that for a PKI infrastructure that provides CA certificates that have a long life the considerations may be quite different, so LAMPS has more reasons to entertain composite signatures, at least for CA certificates.

Because I do not see a cryptographically relevant justification, I am somewhat against adding composite signatures to JOSE (can't speak about COSE because I am not as familiar with its application space).

Simo.

On Fri, 2025-10-17 at 15:35 +0000, Lucas Prabel wrote:
> Hi Orie, thanks for your feedback.
>
> I think the point about the specific use cases is not specific to hybrid
> composite signatures, but could also be raised for pure PQ signatures, which
> didn't prevent the COSE ML-DSA draft from being adopted by the COSE WG.
>
> The LAMPS composite draft has already been adopted and is in WGLC. Given the
> 2030 migration timelines announced by several security agencies and
> organizations, I also believe waiting too long to standardize such mechanisms
> could make it difficult for some systems to achieve compliance in time.
>
> Best,
>
> Lucas

--
Simo Sorce
Distinguished Engineer
RHEL Crypto Team
Red Hat, Inc

_______________________________________________
jose mailing list
