I largely agree with this, but just wanted to mention that what matters is the lifetime of the keys not the lifetime of the tokens. Of course, short-lived tokens mean you can typically rotate your keys frequently too, but that’s not always possible eg for keys embedded in hardware.
> On 17 Oct 2025, at 20:41, Simo Sorce <[email protected]> wrote: > > Lucas, > while LAMPS may have different needs, I do not understand what > composites > bring to JOSE or COSE, the JWT and JWS tokens are generally short-lived > entities, therefore there is no need for long term protection against > CRQC. > > And for short term protection there is no point in dual signatures, if > a CRQC is available the classic part is irrelevant. And until a CRQC is > available the QR part is redundant. > > I think this will just add complexity with no value, complexity means > more bugs and more ways to screw up, and must always be justified. > > Additionally, in terms of timing: > > - If a CRQC is expected soon all this work is net overhead for > basically no gain as classic signatures will be obsolete quickly, and > going though composite signatures will cause dual migrations classic -> > composite -> pureQR, which is operationally expensive and doubles the > pain. > > - If a CRQC is not expected soon, then rushing into composites is also > not useful, it is better to stay on a classic signature until the time > pureQR are trustworthy enough to do the migration once. > > Note that for a PKI infrastructure that provides CA certificates that > have a long life the considerations may be quite different, so LAMPS > has more reasons to entertain composite signatures at least for CA > certificates. > > Because I do not see a cryptographic relevant justification I am > somewhat against adding composite signatures to JOSE (can't speak about > COSE because I am not as familiar with its application space). > > Simo. > > On Fri, 2025-10-17 at 15:35 +0000, Lucas Prabel wrote: >> >> >> Hi Orie, thanks for your feedback. >> >> I think the point about the specific use cases is not specific to hybrid >> composite signatures, but could also be raised for pure PQ signatures, which >> didn’t prevent the COSE ML-DSA draft to be adopted by the COSE WG. >> >> The LAMPS composite draft has already been adopted and is in WGLC. Given the >> 2030 migration timelines announced by several security agencies and >> organizations, I also believe waiting too long to standardize such >> mechanisms could make it difficult for some systems to achieve compliance in >> time. >> >> Best, >> >> Lucas >> > > -- > Simo Sorce > Distinguished Engineer > RHEL Crypto Team > Red Hat, Inc > > _______________________________________________ > jose mailing list -- [email protected] <mailto:[email protected]> > To unsubscribe send an email to [email protected] > <mailto:[email protected]>
_______________________________________________ jose mailing list -- [email protected] To unsubscribe send an email to [email protected]
